The annual IBM/Ponemon “Cost of a Data Breach” report has been one of the key pieces of information in setting an anticipated price tag on an organizational data breach for 17 years now. This year’s edition does not bring good news. The average cost of a data breach has hit an all-time high, up almost 10% from last year to $4.24 million. That average cost increases greatly when remote workers are involved (to $4.96 million), and the more remote workers there are, the longer incident response containment can be expected to take.
Annual cost of data breach study: Rise in expenses driven by compromised credentials & mega breaches
An increase in the cost of data breaches was anticipated by survey respondents last year, but perhaps not to this extent. Respondents correctly predicted that the pandemic-prompted rise in remote work would be a driver of costs; this year, organizations with greater than 50% remote work adoption saw the time needed to identify and contain a breach rise from 287 to 316 days. Costs also increase substantially as breach containment drags on, with savings of nearly 30% seen when breaches are fully addressed within 200 days.
Though the cost of data breaches has increased, there are some signs that organizations are adapting to a general increase in both attacks and potential vulnerabilities. More organizations have implemented automation, up from 59% last year to 65% this year. And when fully deployed, security AI and automation are demonstrating cost savings. There is a 79.3% savings when these technologies are in place: an average cost of $6.71 million for organizations without automation versus $2.90 million for those that have fully implemented it. Zero trust approaches are also a cost saver, with a 42% average reduction in expense ($5.04 million without versus $3.28 million with).
In addition to the massive shift to remote work, a rapid transition to new cloud services (a move made by 60% of respondents) was also expected to drive incidents and costs upward. The report indicates that cloud modernization actually appears to be helping decrease breach response times. The key is maturity, however: fully mature organizations contained breaches 77 days faster than their counterparts, but those hit in the middle of a cloud migration saw costs 18.8% higher than average.
There were definite disparities in the cost of data breaches by industry. The health care sector was hit particularly hard, with a $2 million increase over its average cost of the previous year. That brought its average breach cost to $9.23 million, nearly double the average cost across all industries. In general, industries that had to undergo major changes to their fundamental operations during the pandemic, requiring more online operations than is normal for them (such as restaurants, the financial sector and retail), saw their cost of data breaches go up the most. There is also strong variance by country, with the United States seeing the most expensive data breaches (a $9.05 million average) and the majority of developed nations staying at an average of under $5 million.
Compromised credentials were the most common cause of data breaches across all industries, but phishing and cloud misconfigurations were not far behind (each representing about 19% to 25% of breaches). Among all of these breach types, the most common outcome was theft of customer personal data (44% of all incidents). The stolen data varied in composition by breach, but generally included at least basic contact details (such as email and physical addresses) that could be used to add legitimacy to future fraud attempts. Compromised credentials also create a feedback loop: given the continuing commonality of passwords shared between different accounts (in spite of years of warnings from the cybersecurity community), these credentials are then used to perpetrate more data breaches.
Cost of data breach most expensive for loss of customer personal data
The loss of customer personal information is also the most expensive type of breach to remediate ($180 per record versus a $161 average), and breaches originating from compromised credentials take longer to contain (250 days versus a 212-day average).
Javvad Malik, security awareness advocate at KnowBe4, notes that this essentially reinforces what has been common knowledge (and the consistent public message) for security professionals for years: “While stolen credentials are reported as the leading root cause, social engineering, business email compromise, malicious insiders and phishing cause the most financial impact. It highlights that human error, whether that be deliberate or through lack of awareness / laziness or being tricked, has the biggest impact on organizations. And although technologies exist to minimize the risk of some of these breaches occurring, such as multi-factor authentication, password managers, or email gateways and the like, these alone are not enough, and so having an engaged and educated workforce forms a critical part of an organization's defensive strategy.”
“Mega breaches,” those that involve the loss of at least 50 million records, are also an increasing problem. These are naturally the most expensive breach types to remediate, but the cost of data breaches of this scale is eye-popping: about 100 times the bill for breaches that involve no more than 100,000 records, at an average cost of about $401 million for full remediation. 2020 saw a string of massive data breaches involving hundreds of millions of stolen records, including attacks on Microsoft, WattPad, VoIP vendor Broadvoice, Estée Lauder, the “secret sharing” app Whisper, and adult streaming site CAM4.