The annual IBM/Ponemon “Cost of a Data Breach” report has, for 17 years now, been one of the key pieces of information for putting a price on an organizational data breach. This year’s edition does not bring good news. The average cost of a data breach hit an all-time high, up nearly 10% from a year ago to $4.24 million. That average rises sharply when remote workers are involved (up to $4.96 million), and the larger the share of remote workers, the longer identification and containment of an incident tends to take.
Annual Cost of Data Breaches Study: Increased Expenses Due to Compromised Credentials and Mega Breaches
The increase in the cost of data breaches was anticipated by last year’s survey respondents, but perhaps not to this extent. Respondents correctly predicted that the pandemic-driven shift to remote work would be a cost driver; this year, organizations with more than 50% of staff working remotely saw the time to identify and contain a breach rise from 287 to 316 days. Costs also climb steeply the longer containment drags on: breaches fully contained within 200 days cost nearly 30% less than those that ran longer.
Although the cost of data breaches has increased, there are signs that organizations are adapting to a general rise in attacks and exposed vulnerabilities. More organizations have deployed security automation, up from 59% last year to 65% this year. And when fully deployed, security AI and automation save money: the average cost was $6.71 million for organizations with no automation versus $2.90 million for those that had fully implemented it, a $3.81 million gap that the report expresses as a 79.3% cost difference (IBM computes the percentage against the midpoint of the two figures, so it is not a 79% reduction from the higher number). Zero Trust approaches deliver savings on the same basis, with a 42% cost difference ($5.04 million without versus $3.28 million with).
In addition to the massive shift to remote work, the rapid move to new cloud services (a step taken by 60% of respondents during the pandemic) was also expected to drive up incidents and costs. The report finds instead that cloud modernization appears to be helping reduce breach response times. The key is maturity, however: organizations with mature cloud deployments contained breaches 77 days faster than their peers, while those hit in the middle of a cloud migration paid 18.8% more than the average.
There were clear disparities in the cost of data breaches by industry. The health care sector was hit particularly hard, with an increase of $2 million over the previous year’s average. This brought its average breach cost to $9.23 million, more than double the average across all industries. In general, industries that had to make major changes to their fundamental operations during the pandemic, moving far more of their business online than is normal for them (such as restaurants, the financial sector and retail), saw their breach costs rise the most. There is also wide variation by country: the United States recorded the highest average breach cost ($9.05 million), while most developed countries stayed below an average of $5 million.
Compromised credentials were the most common initial attack vector across all industries, with phishing and cloud misconfigurations not far behind (each accounting for around 19% to 25% of breaches). Across all of these breach types, the most common outcome was the theft of personal customer data (44% of all incidents). The stolen data varied by breach, but generally included at least basic contact information (such as email and physical addresses) that can be used to lend legitimacy to future fraud attempts. Compromised credentials also create a feedback loop: because people continue to reuse passwords across accounts (despite years of warnings from the security community), credentials stolen in one breach are then used to carry out the next.
Cost of data breach is highest for loss of personal customer data
Loss of personal customer information is also the most expensive type of record to lose ($180 per record versus a $161 average), and breaches that start with compromised credentials take longer to contain (250 days versus 212 days on average).
Javvad Malik, Security Awareness Advocate at KnowBe4, notes that this essentially reinforces what has been common knowledge (and a consistent public message) among security professionals for years: the financial impact of breaches. It highlights that human error, whether deliberate, through lack of awareness or laziness, or through being outwitted, has the greatest impact on organizations. And while technologies exist to reduce the risk of some of these breaches, such as multi-factor authentication, password managers and email gateways, these alone are not enough, so an engaged and educated workforce is an essential part of an organization’s defensive strategy.
“Mega breaches,” those involving the loss of at least 50 million records, are also a growing problem. These are naturally the most expensive breaches to remediate, but the cost at this scale is staggering: around 100 times the bill for breaches involving no more than 100,000 records, at an average of approximately $401 million. 2020 saw a series of massive data breaches involving hundreds of millions of stolen records, including incidents at Microsoft, Wattpad, VoIP provider Broadvoice, Estée Lauder, the “secret sharing” app Whisper, and the adult streaming site CAM4.