Data Breaches Now Cost $4 Million on Average
Data breaches are more than a headache for businesses—they’re costly too.
On average, the cost of a breach has risen to $4 million per incident—up 29% since 2013—according to research sponsored by IBM’s (IBM) security division released on Wednesday. Last year, a similar study found the average cost per breach to be $3.79 million.
“We’re now in a mode where these attacks are going to happen even to people that are well prepared,” Caleb Barlow, a vice president at IBM Security, told Fortune on a call. “It’s about being able to respond when the inevitable happens.”
In addition to rising total cost, the average cost per stolen record—personally identifiable, payment, or health information about an individual contained in a company’s database, for example—is increasing, the study said. On average, the cost per lost record has grown to $158 from $154 last year.
The cost of a compromised record varies widely by industry, according to the findings. Healthcare, a highly regulated industry that trades in some of the most intimate personal information—patient names, medical histories, credit card data, and Social Security numbers—has the highest cost per stolen record at $355.
The public sector, on the other hand, had the lowest cost per stolen record at $80, the study said.
(A chart breaking down the cost per stolen record by industry accompanied the original article; it is not reproduced here.)
There are a few takeaways that companies can use to protect themselves as well as their bottom lines. Having an incident response team in place lowers the cost per stolen record by $16 a pop—more than any other single defensive measure, according to the study. Use of encryption ($13 saved per stolen record), employee training ($9), threat sharing ($9), and appointing a chief information security officer ($7) also help lessen the costs per stolen record.
Detecting breaches early also leads to cost savings. Companies that discovered and contained a breach within 30 days spent about a million dollars less on average than companies that took longer, according to the study. (On average, it took companies about 201 days to identify a breach.)
Notably, malicious or criminal attacks were the single largest cause of breaches by the study’s reckoning, accounting for about half of the data exposures; the rest were attributed to system glitches and human error.
Researchers at the Ponemon Institute, a cybersecurity research firm, conducted the study on behalf of IBM between January 2015 and March of this year. They surveyed 383 companies in a dozen countries that had suffered breaches ranging from 3,000 to roughly 101,500 records lost.
The researchers excluded mega-breaches, like the ransacking of Sony (SNE) Pictures in 2014, as exceptional, outlier cases that would have skewed the data. (The cutoff is roughly anything involving more than 100,000 records lost.)
By necessity, a bit of alchemy goes into making data breach cost estimates. Ponemon, for instance, includes indirect costs—such as brand damage and customer loss—which are hard to pin down precisely. These expenses come on top of direct costs: hiring forensics and incident response help, paying legal and regulatory fees, and offering free credit monitoring subscriptions to victims.
The breakdown of the $4 million total cost per breach figure in the report is roughly 59% in direct costs, and 41% in indirect ones, an IBM spokesperson told Fortune, though the estimate varies by country. Regardless of the split, there’s a simple lesson for businesses: Don’t be caught off guard when the next data breach affecting your firm comes to light.
“Be prepared,” Barlow said. “Like the Boy Scout model.”