IBM Security Report: Data Breach Costs Hit Record High
Breaches cost over $1 million more on average when remote work is a factor.
Data breaches now cost companies $4.24 million on average per incident, according to an IBM Security report.
That’s the highest cost in the 17-year history of the IBM Security report. It’s based on analysis of real-world data breaches experienced by over 500 organizations.
The report suggests security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic. Costs rose 10% compared to the prior year.
Ponemon Institute conducted the annual Cost of a Data Breach Report. IBM Security sponsored and analyzed it.
Remote Work Adds to Data Breach Costs
Limor Kessem is executive security adviser at IBM Security.
She said breach costs in the pandemic year saw a significant rise because of a few factors.
“We know that extensive remote working became a requirement that not everyone was ready for when the pandemic forced it to happen,” she said. “As companies rushed to move employees and workloads to clouds and remote work tools, security played catch up with digital transformation. Nearly 20% of the organizations studied reported that remote work was a factor in the data breach.”
Breaches cost over $1 million more on average when remote work was indicated as a factor in the event. That’s $4.96 million versus $3.89 million for those without this factor.
“Moreover, organizations that had implemented remote work at greater than a 50% level experienced a longer than average time to identify and contain a data breach,” Kessem said. “That sort of delay adds up to the overall costs. That said, the cost of a breach was 16.6% higher than average at organizations that had not undergone a digital transformation due to COVID-19.”
Health Care Breach Costs Soar
Health care breach costs surged over the past year. Industries that faced huge operational changes during the pandemic, like health care, retail, hospitality and consumer manufacturing/distribution, also experienced a substantial increase in data breach costs year over year. Health care breaches cost the most by far, at $9.23 million per incident. That’s a $2 million increase over the previous year.
Stolen user credentials were the most common root cause of breaches in the study. At the same time, customer personal data, such as name, email and password, was the most common type of information exposed in data breaches. Forty-four percent of breaches include this type of data. The combination of these factors could cause a spiral effect, with breaches of username/passwords providing attackers with leverage for additional future data breaches.
“There is a longtail effect of data breaches that impacts companies and their reputation for years after the initial event,” Kessem said. “For the most part, it’s about costs that accumulate over time. Especially for mega breaches, companies can see regulatory fines and lawsuits down the line. There’s also loss of customer good faith, leading to customer churn and lost business over time.”
Additional findings from the 2021 report include:
The average time to detect and contain a data breach was 287 days (212 to detect, 75 to contain). That’s one week longer than the prior year report;
Average cost of a mega breach was $401 million for breaches between 50 million and 65 million records. This is nearly 100 times more expensive than the majority of breaches studied in the report. Those ranged from 1,000-100,000 records; and
The United States had the most expensive data breaches at $9.05 million per incident. That’s followed by the Middle East at $6.93 million and Canada at $5.4 million.
Mitigating Factors
The adoption of artificial intelligence (AI), security analytics and encryption were the top three mitigating factors shown to reduce the cost of a breach. These saved companies between $1.25 million and $1.49 million compared to those that didn’t have significant usage of these tools.
For cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61 million) than those who had a primarily public cloud ($4.8 million) or primarily private cloud approach ($4.55 million).
“What can often surprise me is to find out how well things went,” Kessem said. “In the security industry, it’s easy to be in the trenches and feel that we deal with a lot of challenges that aren’t getting better. Seeing that things are moving in the right direction each year in terms of the security approaches that companies are using in this report is very invigorating. For example, companies that have been implementing security automation went up from 59% in the previous report to 65% in this one, saving on breach costs and making security easier. More companies have matured their cloud journeys, more companies matured their zero trust approaches and implementations. And those companies reaped the rewards in breach costs.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.