2019 IBM-Ponemon Cost of a Data Breach Report: "Coles Notes"


The Cost of a Data Breach Report is conducted annually by the Ponemon institute and is sponsored by IBM; it has been published for the past 14 years. It is frequently referenced by professionals in multiple industries. If you've never heard of it before, now is a great time to get acquainted. This post dissects the most important findings and helps explain what the report's numbers mean.

In brief: the Cost of a Data Breach Report is a collection of statistics, with variables like country and industry, highlighting the costs of cyber security breaches. The authors are quick to note that the survey carried out is not scientific. It is inherently bias towards organizations with a mature cyber security program. Data was collected from 507 companies across 16 different regions.

Right out of the gate we read:

  • The average cost of a data breach was $3.93 million (USD for all dollar values hereon.)
  • The average breach size was 25,575 records.
  • The average cost per record was $150.
  • The MTTI/MTTC [1] was 279 days.
  • The USA has the highest average cost: $8.19 million.
  • The Healthcare industry had the highest average cost: $6.45 million.

Globally, there is a 1.81% increase in average data breach costs and a 3.9% increase of records breached from the 2018 report. I will focus mostly on Canadian numbers and the largest cost saving measures for organizations.

Canadian numbers:

  • The average cost of a data breach was $4.44 million ( $5.85 million in CAD.)
  • The average breach size was 23,071 records.
  • The average cost per record was ** $187**, the third highest region.
  • The MTTI/MTTC [1:1] was 241 days, the third lowest region.
  • Customer turnover [2] was 2.4%, the third lowest region.

Customer turnover is one of the largest cost factors to be considered, as it represents 36.2% of the total associated cost ( $1.42 million ).

The top cost saving factors are detailed below in a table which shows the top cost increasing factors for comparison.

Top cost saving factor Total cost per record [3] Top cost increasing factor Total cost per record [3:1]
IR team $13.66 ( $360,000) Third party breach $14.04 ( $370,000)
Use of encryption $13.59 ( $360,000) Compliance failures $13.47 ( $350,000)
IR plan testing $12.25 ( $320,000) Cloud Migration $11.39 ( $300,000)
BCM $10.56 ( $280,000) System Complexity $10.96 ( $290,000)
DevSecOps $10.55 ( $280,000) OT infrastructure $10.06 ( $260,000)
Employee training $10.31 ( $270,000) Mobile platforms $9.33 ( $240,000)
AI Platform $8.97 ( $230,000) Lost/Stolen Devices $6.75 ( $180,000)
Security analytics $7.68 ( $200,000) IoT devices $5.95 ( $160,000)

These amounts represent how much above (or below) the average breach costs, with each of these reported factors. The report gives an example where having both an incident response (IR) team and extensive IR plan testing has an additive cost reduction effect, but does not state explicitly if this is the case for all others. The cost increasing factors appear to be either possible reasons for a breach or pre-existing factors.

The next sections include definitions of what each cost saving (or increasing) factor is with a brief example. Not all of them are explicitly defined in the report, but understanding what each means may help you prioritize your cyber security defense spending.

Cost Saving Factors

Incident Response (IR) Team

Incident Response teams are made up of security professionals who respond to a breach. IR teams collect evidence, back up files, examine system logs, contain malicious programs, and restore systems. Through this process they will provide progress reports that an in-house liaison will use to communicate with both upper level management and end users.


Encoding information in such a way that only authorized parties may access it, achieved by denying intelligible content to unauthorized users. Data stored on a cloud server is encrypted during transit and storage, it is decrypted when accessed by an authorized user via a password or multi-factor authentication (MFA) system.

IR Plan Testing

Regularly conducting exercises to test your organizations responsiveness to cyber threats. This may come in the form of a tabletop exercise where appointed personnel work through the steps of a mock breach, or a war game which may identify shortcomings and other individuals that may be required during the IR process.

Business Continuity Management (BCM)

Business continuity management identifies your organizations risks and plans for worst case scenarios. This will manifest itself in parts of your IR plan and disaster recovery but should include "cyber-resilience programs" that address critical applications, networks, and other necessary digital infrastructure.


Integrating security practices within DevOps processes. DevOps is a development practice that combines software development and information technology operations with the intention of shortening system development life cycles leading to faster features, fixes, updates, etc.

Employee Training

Ensuring all end users within your organization have formal information security training. This may take the form of presentations or classroom style tutorials focusing on best password policies, phishing/whaling tactics, and more.

AI Platform

Utilizing machine learning and automation for internal system security processes. This would take the form of a stack of compatible software programs that respond to low level security events without human assistance.

Security Analytics

While not stated in the report, likely the use of a SIEM or some other security event monitoring system. These types of software ingest massive quantities of data and create alerts or tickets based on what may be perceived as aberrant behavior that an analyst can then investigate.

Cost Increasing Factors

Third-Party Breach

A breach caused by, inadvertently or not, a third-party provider. Vendors with network and data access frequently cause data breaches through password misuse/theft, human error, and malware.

Compliance Failure

Regulatory penalties for not aligning operational activities with existing legislation. Legislation varies by country, province, and state. What constitutes acceptable data processing and storage is not uniform and many regions impose stiff penalties. British Airways was hit with $230 million in fines due to GDPR and is not the only multi million dollar penalty.

Cloud migration

The process of moving applications, data, and other components to a cloud-based infrastructure. Moving workflows to Office 365 would be a common example.

System complexity

A system comprised of many components all interacting with each other. This increases attack surface thereby increasing the likelihood of experiencing a breach and increased work to overcome it.

OT infrastructure

Hardware and software associated with detecting or causing changes in physical processes through direct monitoring or control of physical devices such as vales, pumps, etc. Any sort of industrial manufacturing would represent OT infrastructure.

Mobile Platforms

Applications running on phones, tablets, smartwatches, etc. These are large applications in terms of data collection and entry points which effectively increases attack surface.

Lost/Stolen devices

Unfortunately many data breaches are caused by theft of personal computers and phones.

IoT Devices

The internet of things (IoT) includes all the WiFi and Bluetooth enabled devices that connect to our networks; from speakers to fish tank thermometers. Extensive use of IoT devices expands an organization's attack surface.

Long Tail Costs

One of the new sections in the report this year is long-tail costs. Long tail costs are incurred more than one year after an incident. On average, 33% of the cost of a breach is long tail. In industries that have higher regulatory requirements, however, the long tail costs increase to 47%. An example of compounding regulation in Canada would be: a financial institution that is already governed by the OSFI and PIPEDA, may also require GDPR compliance, should they conduct business in the European union.


The average breach cost per employee for a large organization of 25,000 employees is $204 per, while a small organization under 1000 employees sees a cost of $3533 per. An organization that is prepared for incident response, that utilizes encryption and has good BCM can see a cost reduction over $1,000,000.

The primary takeaway, as it is each year, is succinct: experiencing a data breach has a high probability to be financially devastating. Being prepared will ultimately save money.

I recommend reading the full report, and previous years reports. Provided is a link to IBM where you can download the report for free. https://www.ibm.com/security/data-breach

  1. MTTI/MTTC stand for "mean time to identify" and "mean time to contain," respectively. MTTI represents the time a breach is active before being noticed and MTTC represents the length of time security professionals take to contain the breach. ↩︎ ↩︎

  2. Customer turnover, also called abnormal churn, is the percentage of customer base lost due to a data breach. ↩︎

  3. Based on average records breached ↩︎ ↩︎