The study investigated 277 organizations with actual data breach experiences in nine countries and across 16 industry sectors. It included 1,400 interviews with individuals responsible for IT, compliance and information security with knowledge of data breach costs.
"This study is not a survey," Ponemon explains. "It's field-based research. We captured both direct and indirect costs. However, the indirect costs do not include opportunity costs; they're costs that can be measured. We tried to take a relatively conservative position."
"The scale of this is just enormous," he adds. "It took us about nine and a half months of field work to capture the data."
Ponemon noted that the study did not include any catastrophic data breaches, as they skew the results. Instead, it focused on data breaches that ranged from 1,000 to 100,000 records.
Cost of Data Breaches Highest in Germany, Followed by U.S.
Data breaches in the U.S. and Germany are the most costly: The average cost per compromised record in the U.S. was $188 in 2012 (down from $194 in 2011), while the average cost per record in Germany rose to $199 (up from $191 in 2011). The U.S. and Germany also had the highest total cost per data breach, at $5.4 million and $4.8 million, respectively.
Companies in Brazil were the most likely to suffer a data breach due to human error, while companies in India were most likely to have a data breach caused by a system glitch or business process failure. Brazil and India also had the lowest cost per compromised record, at $58 and $42, respectively. Ponemon notes that companies in countries with more established consumer protection laws and regulations to strengthen data privacy and cyber security tend to pay a higher cost for compromised records. For instance, breaches in heavily regulated industries, including healthcare, finance and pharmaceuticals, incurred breach costs 70 percent higher than breaches in other industries.
Malicious Attacks Still the Most Costly Data Breaches
While malicious attacks account for only 37 percent of data breaches, they are by far the most expensive data breach incidents, with a global average cost of $157 per compromised record. Each data breach caused by a malicious or criminal attacker cost U.S. companies an average of $277 per compromised record and German companies $214 per compromised record. Brazilian and Indian companies, on the other hand, had the least costly malicious data breaches, with an average cost per compromised record of $71 and $46, respectively.
"Malicious attacks are more costly, by a significant factor, in the U.S.," Hamilton says. "Typically, when you discover that you've been attacked, you throw a lot more resources at a problem. The surprise factor and the panic factor can account for the higher cost for a malicious attack."