Healthcare Information Security


How Expensive are Cybersecurity Attacks, Data Breaches?

A recent study found that cybersecurity attacks and data breaches may not be as expensive as previously reported, and have a smaller financial impact on firms.

By Elizabeth Snell

While cybersecurity attacks and other data security incidents are on the rise, the actual costs of these types of scenarios are far less than previously reported, according to research from the Journal of Cybersecurity.


Researchers examined over 12,000 cyber events recorded from 2004 to 2015, including data breaches, security incidents, privacy violations, and phishing crimes. They also examined the costs and composition of these events, by industry, and over time.

The study showed that the cost of a typical cyber incident is less than $200,000, which is also about the same as the firm’s annual IT security budget. That amount represents only 0.4 percent of the analyzed companies’ estimated annual revenues.

“Given these relatively low costs (i.e. again, not every breach is a “Target”), it may be the case that firms are, indeed, engaging in a privately optimal level of security – that they are properly and efficiently managing cyber risks as they do with other forms of corporate risk,” the report’s authors wrote. “And that for most firms, because their expected losses are relatively low, they subsequently are investing in only a modest amount of data protection.”

Overall, the study estimates the total costs from cyber events at approximately $8.5 billion annually. The healthcare industry is also not the sector associated with the most risk. Instead, the retail, information, manufacturing, and finance and insurance industries consistently posted the greatest risk.

The study showed that healthcare had the second highest rate of total number of cyber incidents by industry. However, when it came to incident rate, healthcare had extremely low incident rates of around 0.3 percent or less.

[Graph: cyber incident rate by industry comparison]

Even so, the research also found that the number of cyber events that involve medical information has sharply increased. The report’s authors acknowledged that this is particularly concerning as medical data is impossible to change, and “individuals suffering a compromise of these data are arguably more at risk of financial, medical, and other forms of fraud and identity theft.”

In terms of litigation rates, though, healthcare companies had lower rates than other sectors, averaging around a 10 percent litigation rate. Comparatively, the mining and oil and gas industry suffers the highest litigation rate of all industries, with more than 30 percent of all cyber events litigated.

“While the potential for greater harm and losses appears to be increasing in time, evidence suggests that the actual financial impact to firms is considerably lower than expected,” researchers concluded. “And so, if consumers are indeed mostly satisfied with firm responses from data breaches, and the costs from these events are relatively small, then firms may indeed lack a strong incentive to increase their investment in data security and privacy protection.”

This could also mean that voluntarily adopting the NIST Cybersecurity Framework will be difficult, and may require more motivation for organizations.

These results are in fairly stark contrast to previous reports about the costs of data breaches, and more specifically, healthcare data breaches.

The Ponemon 2016 Cost of Data Breach report found that the average cost per stolen record in the healthcare industry was $355, which is over twice the average global cost of a stolen record of $158.

Furthermore, Ponemon stated that the longer it takes to detect and then contain a data breach, the more costly it is to resolve the incident. For example, breaches identified in less than 100 days cost companies an average of $3.23 million, while breaches that were found after that time cost on average $4.38 million.

The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data also found that the average cost of a data breach for a healthcare provider is around $2.2 million and $1 million for a business associate. Overall, healthcare data breaches have cost the industry about $6.2 billion.

“In the last six years of conducting this study, it's clear that efforts to safeguard patient data are not improving. More healthcare organizations are experiencing data breaches now than six years ago,” said Ponemon Institute Chairman and Founder Larry Ponemon, PhD. “Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem.”

Image Credit: Journal of Cybersecurity
