# Methodology Behind Annual Data Breach Cost Report

**Source:** [https://www.youtube.com/watch?v=yWJjjZqgifg](https://www.youtube.com/watch?v=yWJjjZqgifg)
**Duration:** 00:09:41

## Key Points

- The “Cost of a Data Breach” report is produced by the Ponemon Institute on behalf of IBM and has now run for 18 years; the current edition surveys more than 3,000 individuals from 533 organizations so that the figures reflect real‑world incidents.
- To produce realistic averages, extreme outliers (both very low‑cost and ultra‑high‑cost breaches) are excluded, focusing the analysis on the “normative” case.
- The latest findings put the average global breach cost at roughly $4.4 to $5 million, with U.S. breaches averaging $10.43 million and the healthcare sector incurring the highest cost of any industry.
- The report concludes with actionable recommendations aimed at reducing both the financial impact and the recovery time of data breaches.

## Sections

- [00:00:00](https://www.youtube.com/watch?v=yWJjjZqgifg&t=0s) **Methodology Behind Data Breach Cost Report** - The speaker outlines how IBM partnered with the Ponemon Institute, which in this edition interviewed more than 3,000 individuals from 533 organizations, in a study now in its 18th year, to generate the annual “Cost of a Data Breach” findings and actionable recommendations.
- [00:03:09](https://www.youtube.com/watch?v=yWJjjZqgifg&t=189s) **Phishing, Credential Breaches Top Risks** - The speaker highlights phishing and credential compromise as the costliest, most frequent attack types and notes the dismal 277‑day average combined time to identify and contain a breach, essentially unchanged for almost a decade.
- [00:06:16](https://www.youtube.com/watch?v=yWJjjZqgifg&t=376s) **AI Automation Cuts Costs, Speeds Resolution** - The speaker explains how extensive use of AI and automation lowered the average breach cost from $5.36 M (no AI) to $3.6 M and cut resolution time by 108 days, then adds attack surface management as a bonus recommendation.
- [00:09:34](https://www.youtube.com/watch?v=yWJjjZqgifg&t=574s) **Standard YouTube Call-to-Action** - The speaker urges viewers to like, subscribe, and click the notification bell to stay updated on future videos.

## Full Transcript
Boom. The bad guy just broke into your system and you are hemorrhaging data. You have had a
data breach. How much is it going to cost you? How long is it going to take you to
get everything back up and operational again? Well, we answer those questions in the annual
cost of a data breach report. And what I want to share with you today are the methodology
that we use in order to get these numbers. What some of the key findings from the report
are and then ultimately some recommendations that you can use in order to cut the cost of a
data breach and reduce the amount of time it takes to recover. So let's start off with methodology.
What did we do in order to get the information that we have so that you can have confidence
that the numbers I'm about to share with you mean anything in the real world?
Well, we started off by contracting with an organization called the Ponemon Institute,
and they do this work on behalf of IBM. So the clients who are answering these questions
are not answering directly to us. They feel like they can be candid in their responses.
And we've run this now for 18 years. So I'm going to suggest to you, some of you haven't
learned the lessons of the previous 17. So pay close attention to this one, please.
The clients that we interviewed, we talked to more than 3000 individual clients,
Ponemon Institute did on our behalf. And those people represented 533 different
organizations. So the point here being is there was a large number of people contributing their
information. We didn't just go out and ask three people and find out what they thought.
This is a large empirical base of data that we're basing all of this on. And another interesting
part of the methodology is the outliers were excluded. And what that means is if you think
about the cost of a data breach, some people will have very minimal cost. They'll have a very small
breach and some people will have really huge ones. This one will be a gazillion dollars, this one
will be $0.25, I guess. And the point is we're excluding the ones on either extreme because
those would skew the numbers and they would make the averages not look very realistic. So we take
those out, the very small, the very large, and we focus in just on the normative case so that we can
have some lessons that we can apply elsewhere. Now, let's take a look at some of the key
findings that came out of this. First of all, 4.4 or $5 million is the cost of a data breach
worldwide. That's the average cost. Some are more, some are less. The ones that are more:
$10.43 million in the US. If you're a health care organization, that was the
highest of all the industries that we looked at. So if you're working in health care, I would say
pay special attention to this because that number is not going to be sustainable, too expensive.
Now, what were the things that were contributing to this? There's a lot of different ways that
data can be breached, a lot of different ways bad guys get in. So if we look at cost
of different types of attacks and frequency of those, then you put those two together.
The things that are highest cost and highest frequency are the ones that are contributing
most to those numbers. So what were they? Well, the top two, it turns out the top one
was phishing attacks. And just behind it were attacks to deal with credential compromise. So
these are some things that if we want to reduce those numbers, we really need to
focus on these kinds of attack scenarios. Now, what else did we learn from this? Some
other numbers that I think are important, maybe one of the most depressing numbers,
even more depressing than those numbers are these numbers. I've talked about this in previous videos
that the basic timeline of an attack. So a bad guy comes in and does initially this
reconnaissance phase where he's looking and trying to figure out what's going to happen.
Then there's an attack. That's the boom. Then we have a mean time to identify. That's how
long it takes for us to figure out that, in fact, we've been breached. And then we
have a mean time to contain. That's how long it takes for us to resolve whatever the issue is.
And the thing that's really depressing here, these two numbers taken together,
277 days, that's a really long time for the bad guy to be in your system using your data.
And then for you, once you realize it, to come up and figure out how to fix this. The depressing
part about this is not only is that a long time, but it's been essentially the same number for
almost the last ten years. In other words, we keep trying new technologies, new processes,
procedures. We promise we're going to do better. We're all going to try harder. But this number
remains. So clearly, we've got a lot of lessons to learn if we're going to get ahead on this and
reduce costs and reduce the amount of time that it takes to contain, to identify and contain.
All right. Let's move on to recommendations. That's the bad news. There's some good
news in the report as well. And some of that good news is
that I'm going to share with you the top three things that made a difference in reducing the
cost of a data breach, and those top three in reverse order. So number three,
a $1.49 million reduction came from good incident response planning, tools, procedures, processes,
training, all of that kind of stuff. If you've got good incident response,
you're doing things in this side and you're doing the containment much better, and the quicker you
contain, the less it's going to cost. The next one, $1.68 million. This is the savings
from a good deployment of DevSecOps. DevSecOps is basically breaking down the walls between
development and operations and inserting security throughout the process as part of a systemic view.
So we're no longer throwing stuff over the wall. We've got development,
security and operations all working together through a continuous process of improvement.
Number one, to improve the cost of a data breach, in other words, reduce the cost.
This was the use of AI and automation, and that makes a lot of sense. We want to work smarter.
We want to work faster, more efficiently, in a more repeatable way. And that's what AI and
automation allow us to do, respectively. And if you take those numbers and
look at just the AI and automation and see what difference did that in fact make. Well,
that's what these numbers here are. So for organizations that really had no AI to any real
extent, really were not taking advantage of it. This was the cost for them, $5.36 million. The
ones who had done limited use of A.I.. Well, you notice a significant savings here down to about 4
million. And then for those who had an extensive use of A.I., it was down to 3.6 million. And one
of the other side benefits is that it was 108 days reduction in the amount of time to resolve.
So the AI and automation not only reduced cost, it also reduced the response time and resolution
time. This is clearly a big winner. That's why you see the three stars and I'm going to
throw in a bonus. No extra charge. A bonus recommendation that will also make a big
difference. And that's attack surface management. Attack surface management is basically trying to
look and see all the different things that you look like to an attacker and reducing that.
Plugging the holes. And in some cases, fortifying your defenses. So attack surface management really
begins with awareness of what your attack surface looks like. And then putting the
controls in place in order to make those not part of the attack surface anymore
And attack surface management organizations, according to the survey, the ones that did the
best with this reduced their time to contain. So that mean time to contain, 83 days. That was
a significant number. If you can do something like this, you're going to reduce the response.
You're going to reduce the cost. And if you do all of these kinds of things, you're going
to make a huge difference in your data breach numbers. So it turns out I'm going to give you
also a bonus finding that we got from the report. That's kind of a good news, bad news story here.
And that is of the organizations, 51% said they would increase their spending in I.T. security
in cybersecurity. Good. They realized that we need to do something here and tools and better training
and things like that. They cost money, but they make us money by saving us in these areas.
But I do have a question for the other 49%. Did you not just read all of this?
Did you not hear? Please take a look at the report because once you see it,
you're going to see the things that are going to make a big difference and you're going to be able
to make a better impact for your organization. And that will impact the bottom line. So in the
end, I'm going to recommend that you take a look at the report, the cost of a data breach report.
It's for free. So you can go to the following link and take a look, read through the results
and figure out what it is you need to do. What's going to make the biggest difference in improving
the cost of the data breach for your organization?
Hey, before you go. Remember to hit like subscribe and click the bell
so that you're notified whenever we come out with more videos.