Cost of Breach Per Record At $217

The new Ponemon Institute 2015 Cost of Data Breach report was released recently. This report looks at the costs of 2015 large enterprise-class data breaches, but there are some salient pieces of information for small business owners to consider when formulating their cybersecurity risk management plans.

The average cost per record lost in a data breach increased from $201 in 2014 to $217 in 2015. Different sorts of records had different costs associated with them. For instance, more detailed records such as health records have an average cost of $398 each, but retail or credit card records cost $189 each. There are also additional costs related to unusually high rates of customer loss after a breach, and the hardware, software, and labor costs associated with mitigation and recovery. These costs were pegged at $74 per record.

So a small chiropractic or optical office with 1000 client records might anticipate costs approaching $400,000 in the form of fines, penalties, lost revenue, lawsuit judgments, and direct IT recovery costs. A small retailer might sustain around $200,000 in costs related to a breach of 1000 customer credit card records.

The hopeful take-away from this report was that companies who had incident response plans and teams in place reduced their losses by a significant percentage.  Small companies can benefit from making these sorts of plans, but for the most part have not, believing that their small size somehow makes them a less desirable target.  This is unfortunately false.  Quite to the contrary, small companies are preferred targets simply because their security is so much weaker, and the chances of discovery are much lower.

We have been urging our clients to put in place a cybersecurity plan that focuses not just on prevention, but also on employee education, early detection, and planned mitigation strategies. We believe this is the best solution currently, and partnering with a cybersecurity professional who focuses on small business solutions will make the process happen faster and ultimately be more successful.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
