Results are in: Business continuity management is worth it
Since 2014, Ponemon Institute has studied, as part of the annual Cost of Data Breach Study, the benefits gleaned from investing time and resources into implementing a business continuity management (BCM) program. Each year, the research has shown how BCM programs can reduce the per capita cost of data breach, the mean time to identify and contain a data breach, and the likelihood of having recurring breaches.
Within the global sample, 262 companies (55 percent) have a BCM or disaster recovery (DR) team that was classified as being “somewhat to very involved” in enterprise risk and crisis management. Because of the involvement of the experts on these teams, it takes less time to identify and contain a data breach, and the resolution is more efficient and less costly.
The cost of a data breach
How much do data breaches actually cost? In the 2018 Cost of Data Breach Study: Impact of Business Continuity Management, the average per capita cost of a data breach increased from $141 to $148. The total cost of a data breach also increased from $3.62 million to $3.86 million. The average size of data breaches covered in this research increased by 2.2 percent. However, with BCM, the average per capita cost can be as little as $139. Likewise, the average total cost of a data breach with involvement from a BCM program was $3.55 million compared to $4.24 million for companies without BCM.
Benefits of business continuity management
BCM programs can be a valuable addition to a company’s data breach incident response planning. Companies with BCM programs report that they are more efficient in responding to a data breach. As a consequence, the per day cost savings are substantial. In fact, companies can achieve an average savings of $5,703 per day — or total incremental cost savings of $467,657 — through the containment phase of a data breach response.
Efficiency in the response to a breach is key to reducing costs, so companies should consider including automation and orchestration in their disaster recovery initiatives. According to the research, companies with BCM that have a manual DR process experienced an estimated average cost of $6,546 per day. In contrast, companies with BCM deploying an automated DR process with resiliency orchestration experienced a much lower average cost of $3,100 per day. This represents a cost savings of over 50 percent per day.
New research this year
For the first time, Ponemon Institute calculated the mean time to recover (MTTR), which is a variable that includes costs incurred up to one year after data breach containment. It was created using a subsample of 56 companies that experienced a data breach within the 2016 and 2017 fiscal years. MTTR differences between the BCM and non-BCM groups were significant. Specifically, the mean time to recover for companies without BCM was 70 days compared to only 39 days for companies with BCM.
Get with the BCM program
It’s always been important to have incident response plans in place to ensure continuity of service in the event of a data breach, but this year there are even more reasons to stop delaying the progress of your BCM program. New regulations are being implemented in Canada to hold corporate leaders accountable for how well their organizations respond to data breaches. Start improving the quality of your incident response and disaster recovery programs now so you are prepared when similar legislation is enacted in your country.
Be sure to use this study to better understand the cost savings that can be realized from BCM programs.