Updated Jan, 4 2021

The Ponemon Institute published the Cost of a Data Breach Report in 2020 which highlighed data breach trends, costs and an overview of data breach root cause analyses. The report was based on the in-depth analysis of data breaches that occurred in 2020, 80% of which incidents resulted in the exposure of customers’ personally identifiable information (PII) – which was also the costliest breaches to these businesses.

According to the report, the global average cost of a data breach in 2020 was $3.86 million although this average for the US increased to $8.64 million.

Key Findings:

• Smart Technology Slashes Breach Costs in Half: Companies who had security automation technologies in place (including AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs compared to those who didn’t have these tools in place. This is a difference of $2.45 million vcompared to $6.03 million on average.
• Paying a Premium for Compromised Credentials: In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, businesses saw nearly $1 million higher data breach costs compared to the global average – reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.
• Mega breach costs soar by the millions: Breaches where over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost companies $364 million on average, a cost increase of $19 million compared to the 2019 report.

Common types of attack

Nation State Attacks – The Most Damaging Breaches. State-sponsored threat actors only represent 13% of malicious breaches – they were the most damaging type of adversary in the report. This suggests that financially motivated attacks do not lead to higher financial losses for companies. State-sponsored attacks averaged $4.43 million in data breach costs.

Stolen/compromised credentials and cloud misconfigurations were the most common causes of malicious breaches for companies in 2020 – this represents almost 40% of malicious incidents.

Findings from the report suggest that breached companies seem to struggle with security complexity – a top breach cost factor. The lack of security complexity is likely the contributing factor to cloud misconfigurations becoming a growing security challenge. Attackers used cloud misconfigurations to breach networks almost 20% of the time, increasing breach costs by more than half a million dollars.

Customer PII drives costs more than other record types. Customer personally identifiable information (PII) was the most expensive type of record. It cost an average $150 per lost or stolen record, compared to the per record cost of intellectual property ($147), anonymized customer records ($143) or employee PII ($141). Customer PII was the most frequently compromised type of data, present in 80% of the breaches analyzed.

Effectiveness of Incident Response

Organisations that showed an Incident response (IR) team/plan in place and tested regularly faired better. Average breach costs of $3.29 million to $5.29 million for those with neither an IR team or plan in place.

New Insights, Remote Working and Vulnerability Testing

To keep up with changing business needs, new technologies and new threats, the 2020 report explores previously unexamined factors including various types of threats, organizational factors and security measures.

Last year, the research added analysis of the cost impact of vulnerability testing which uses an adversarial approach to penetration testing. Compared to the average total cost of $3.86 million, organizations that conducted red team testing said their average costs were about $243,000 lower, while organizations with vulnerability testing said they experienced costs that were on average about $173,000 less than the global average.

And for the first time, the research explores the cost impact of remote work and the security skills shortage, both of which were found to have a cost amplifying effect. Organizations with remote work arrangements cited costs that were nearly $137,000 higher than the global average of $3.86 million. While organizations estimated that the security skill shortage increased costs by an average of $257,000 compared to the global average.

Further Findings and Analysis

• Remote Work Risk Will Have a Cost. Hybrid work models created less controlled environments. 70% of companies studied that adopted telework amid the pandemic expect it will exacerbate data breach costs.
• Healthcare sector highest average cost of data breach. Because of Covid the healthcare sector had the highest average cost of data breaches at $7.13 million. When hospitals shifted their focus and resources to their primary role and the demand of managing the extraordinary emergency, placed them in a very vulnerable situation.
• CISOs Faulted for Breaches, Despite Limited Decision-Making Power. 46% of respondents said the CISO/CSO is ultimately held responsible for the breach. Despite only 27% stating the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 cost savings versus the average cost of a breach.
• Majority of Cyber Insured Businesses Use Claims for Third Party Fees. The report found that breaches at studied organizations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million. In fact 51% applied it to cover third-party consulting fees and legal services. While 36% of organizations used it for victim restitution costs.

The Cost of a Data Breach Report 2020 contains more information and insights than ever before. To make the report more accessible and interactive, IBM Security offers some help. An interactive calculator, a global map and other tools for exploring the data for insights and recommendations. 

Summary

New cyber security challenges continue to rise every year. 2020 will be remembered for the uncertainty and rapid change it brought for the infosec space. Cybercrime is still a highly lucrative business. It is estimated that it will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Particularly, with Ransomware attacks on the rise, they are now estimated to cost global organisations $20 billion in 2021. Cybercrime communities are getting stronger. Criminals are exchanging information and tools that allow them to launch better, bigger and more lucrative attacks.

So what is the landscape for cybersecurity and the evolution of threats in 2021? Below Smarttech247 list the top cybersecurity trends that security professionals should be aware of.

Image Credit: https://anyip.io/