How Much Could A Data Breach Cost You?
The Ponemon Institute has recently published this year’s Cost of a Data Breach Report, which highlights data breach trends and costs and gives an overview of data breach root cause analyses. The report is based on in-depth analysis of data breaches that occurred over the past year, 80% of which resulted in the exposure of customers’ personally identifiable information (PII); these were also the costliest breaches for the businesses affected.
According to the report, the global average cost of a data breach in 2020 is $3.86 million, although the average for the US rises to $8.64 million.
- Smart Technology Slashes Breach Costs in Half: Companies that had security automation technologies in place (including AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs of those that didn’t have these tools in place: $2.45 million compared to $6.03 million on average.
- Paying a Premium for Compromised Credentials: In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, businesses saw nearly $1 million higher data breach costs compared to the global average – reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.
- Mega breach costs soar by the millions: Breaches where over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost companies $364 million on average, a cost increase of $19 million compared to the 2019 report.
Common types of attack
Nation State Attacks – The Most Damaging Breaches: Even though state-sponsored threat actors only represent 13% of malicious breaches – they were the most damaging type of adversary in the 2020 report. This suggests that financially motivated attacks do not lead to higher financial losses for companies. State-sponsored attacks averaged $4.43 million in data breach costs.
Stolen/compromised credentials and cloud misconfigurations were the most common causes of malicious breaches for companies in 2020, representing almost 40% of malicious incidents.
Findings from the report suggest that breached companies seem to struggle with security complexity, a top breach cost factor. This struggle with security complexity is likely a contributing factor to cloud misconfigurations becoming a growing security challenge. Attackers used cloud misconfigurations to breach networks almost 20% of the time, increasing breach costs by more than half a million dollars.
Customer PII drives costs more than other record types: Customer personally identifiable information (PII) was the most expensive type of record, costing an average of $150 per lost or stolen record, compared to the per-record cost of intellectual property ($147), anonymized customer records ($143) or employee PII ($141). Customer PII was the most frequently compromised type of data, present in 80% of the breaches analyzed.
Effectiveness of Incident Response
Organisations that had an incident response (IR) team/plan in place and tested it regularly averaged breach costs of $3.29 million, compared to $5.29 million for those with neither an IR team nor a plan in place.
New Insights, Remote Working and Vulnerability Testing
To keep up with changing business needs, new technologies and new threats, the 2020 report explores previously unexamined factors including various types of threats, organizational factors and security measures.
This year, the research added analysis of the cost impact of vulnerability testing which uses an adversarial approach to penetration testing. Compared to the average total cost of $3.86 million, organizations that conducted red team testing said their average costs were about $243,000 lower, while organizations with vulnerability testing said they experienced costs that were on average about $173,000 less than the global average.
And for the first time, the research explores the cost impact of remote work and the security skills shortage, both of which were found to have a cost amplifying effect. Organizations with remote work arrangements cited costs that were nearly $137,000 higher than the global average of $3.86 million, while organizations estimated that the security skill shortage increased costs by an average of $257,000 compared to the global average.
Further Findings and Analysis
- Remote Work Risk Will Have a Cost: With hybrid work models creating less controlled environments, the report found that 70% of companies studied that adopted telework amid the pandemic expect it will exacerbate data breach costs.
- Healthcare sector has the highest average cost of a data breach: With the onset of the COVID-19 pandemic, it is no surprise that the healthcare sector had the highest average cost of data breaches at $7.13 million. Hospitals shifted their focus and resources to their primary role and to the demands of managing the extraordinary emergency, which placed them in a very vulnerable situation.
- CISOs Faulted for Breaches, Despite Limited Decision-Making Power: 46% of respondents said the CISO/CSO is ultimately held responsible for the breach, despite only 27% stating the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 cost savings versus the average cost of a breach.
- Majority of Cyber Insured Businesses Use Claims for Third Party Fees: The report found that breaches at studied organizations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million. In fact, of these organizations that used their cyber insurance, 51% applied it to cover third-party consulting fees and legal services, while 36% of organizations used it for victim restitution costs.
The Cost of a Data Breach Report contains more information and insights this year than ever before. To make the report more accessible and interactive, IBM Security offers an interactive calculator, a global map and other tools for exploring the data for insights and recommendations.
At Smarttech247, our security teams are working to protect our customers and provide you with the relevant information you need to stay secure. For additional information and best practices for staying secure please contact our experts.