How Much Does a Data Breach Cost?
For the past 16 years, IBM has published research by the Ponemon Institute in the annual “Cost of a Data Breach Report.” Its 17th report was published at the end of July this year, and perhaps the biggest finding was that 2020 had the highest average cost for a data breach in 17 years. The cost rose from an average of $3.86 million to $4.24 million.
The report also found that remote working, due to COVID-19, increased the average cost by $1.07 million. The average cost was much higher in breaches where remote working was a factor in causing the breach, compared to those where remote working was not a factor ($4.96 compared to $3.89 million), which is nearly 15% more than the average breach.
Data breaches in the U.S. were the most expensive, costing $9.05 million per incident. The next two most expensive regions were the Middle East, costing $6.93 million, then Canada with $5.4 million.
In terms of how organizations were breached, the most common way was through using compromised credentials. The survey found that stolen user credentials were used in 20% of breaches, and at those sites, the average cost of the breach was $4.37 million. The other big issue with breaches using compromised credentials was that they took longer to detect. On average, they took 250 days compared to the survey average of 212 days. And they also took longer to contain.
The cost of a breach in the healthcare sector was the highest. In fact, all industries that faced operational changes because of the pandemic were impacted negatively—so as well as healthcare, that’s retail, hospitality and consumer manufacturing/distribution. Healthcare breaches rose to a staggering $9.23 million per incident, which is around $2 million more than the 2020 report figure. Data breaches in the financial sector cost on average $5.72 million, with pharmaceutical companies costing $5.04 million. The cost of a breach also increased this year for industries in retail, media, hospitality and the public sector.
The report also found that personal data about customers (e.g. name, email and password) was the type of data most frequently accessed, with 44% of data breaches exposing this information. The loss of customer personal identifiable information (PII) was also the most expensive compared to other types of data loss. The figures were $180 per lost or stolen record compared to $161 for overall per record average.
Of course, userids and passwords stolen from one attack could, potentially, be used in a future data breach by hackers. What makes this more likely is a survey finding that 82% of the people they surveyed admitted reusing passwords across multiple accounts.
Containing a Data Breach
The survey found that the average time to detect and contain a data breach was 287 days. It took (as mentioned above) an average of 212 days to detect a breach and 75 days to contain it. The overall time is one week longer than in the 2020 report.
For breaches between 50 million and 65 million records (what they call mega breaches), the average cost was $401 million. This is nearly 100x more expensive than the majority of breaches studied in the report (which were between 1,000-100,000 records).
In terms of cloud, organizations further along in their cloud modernization strategy (“mature” stage) contained the breach on average 77 days faster than those in the early stage of their modernization journey. For cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61 million) than those who had a primarily public cloud ($4.80 million) or primarily private cloud approach ($4.55 million). Companies that experienced a breach during a cloud migration project had an 18.8% higher cost than average.
Mitigate Data Breach Risks
What can organizations do to mitigate the risk of a data breach? The survey found that automation and security artificial intelligence (AI), when fully deployed, provided the biggest impact, with breaches costing up to $3.81 million less than organizations without it.
Secondly, a zero-trust approach helped reduce cost. The average cost of a breach was $1.76 million less at organizations with a mature zero-trust approach, compared to organizations without zero trust, which makes the average cost $3.28 million. Around 65% of companies surveyed reported they were partially or fully deploying automation within their security environments, compared to 52% two years ago.
Those organizations with a “fully deployed” security automation strategy had an average breach cost of $2.90 million—whereas those with no automation experienced more than double that cost at $6.71 million. Using AI, security analytics and encryption could save companies between $1.25 million and $1.49 million compared to organizations that did not have significant usage of these tools.
Lastly, organizations should think seriously about having an incident response team and planned responses. Companies with an incident response team that also tested their incident response plan had an average breach cost of $3.25 million, while those that had neither in place experienced an average cost of $5.71 million (that’s a 54.9% difference).
Clearly, there are plenty of lessons in the report that mainframe sites can learn from in order to reduce their risk of experiencing a breach and in order to reduce the number of days it takes to identify a breach. One thing not mentioned in the report is the acknowledged benefits of using file integrity monitoring software on a mainframe to help identify when files and backups are under attack and not only stop the attack in its tracks, but also replace the corrupted data with correct data.
The “Cost of a Data Breach Report” offers insights from 537 real data breaches. A copy can be downloaded here.