When all is said and done - after the incident response, after the forensic analysis, after the victims have been notified - how much does a data breach truly cost in 2021?
If the numbers in IBM's annual Cost of a Data Breach Report are to be believed, the figure went up over the last 12 months, an increase that's largely being attributed to the COVID-19 pandemic's effect on organizations and their ability to respond to data breaches.
This year's headline figure - $4.24 million per incident on average - is the highest since the report, which is carried out annually by the Ponemon Institute and sponsored by IBM, originated 14 years ago. It is a 10 percent increase over last year's average of $3.86 million per incident.
One of the report's clearest takeaways is that COVID-19 and the shift by many companies worldwide to a distributed workforce had a direct effect on the cost of a data breach. The report looked at breaches at 537 organizations from May 2020 to March 2021 and found that those that acknowledged remote work was a factor in their breach suffered a higher loss ($4.96 million) than those that didn't ($3.89 million) - a gap of $1.07 million, or roughly 27 percent.
Of course, that $4.24 million figure is an average; the actual cost for a given company depended on a series of variables. Were there compliance failures? Was ransomware the culprit? Where was the company located? What industry did it operate in?
For many of these questions, the story remains the same.
Healthcare continued to be the costliest industry in which to recover from a data breach, at $9.23 million on average - more than double the overall average for the year. That total is more than $2 million higher than last year's figure for a healthcare breach, suggesting things have gotten worse at hospitals and healthcare facilities, many of which were hit by ransomware, especially last fall.
Speaking of ransomware, it should not be a surprise that ransomware breaches were again more expensive than other types of breaches. The report puts those attacks at between $4.62 and $4.69 million on average, with much of the sum likely attributable to downtime, lost business, and the cost of rebuilding systems from backups, if not from scratch. Note that the report's ransomware figure covers response and recovery costs only; it does not include any ransom actually paid.
Lost business, according to the report, accounts for 38 percent of a data breach's total cost, roughly $1.59 million. Detecting and escalating the breach in the first place runs companies around $1.24 million, while responding to the breach after it has happened costs around $1.14 million. The remaining $0.27 million of the $4.24 million average goes to notifying affected parties and regulators.
Like last year, the most common type of record compromised was sensitive customer personally identifiable information, or PII, which figured in 44% of breaches. What's notable is that this is a big drop from last year, when a whopping 80% of breaches included customer PII. Anonymized customer data and intellectual property were the second and third most common types of record breached in this year's report.
As in years past, it's taking longer than ever for organizations to identify and contain a data breach: 287 days, more than three quarters of a year. According to the report, it takes 212 days to identify a breach and another 75 days to contain it, longer than any period over the last five years. For comparison, last year it took on average 207 days to identify and 73 days to contain, for a total of 280 days.
Companies that embraced modern security architectures, such as a hybrid cloud setup in which some resources are run in-house and some via cloud-based services, saved money for the most part.
According to the report, companies that experienced a cloud-based data breach while running a hybrid cloud lost $3.61 million on average, while those on a public cloud or a private cloud lost $4.80 million and $4.55 million respectively. Organizations with a zero trust strategy in place, encryption, some form of security analytics, or artificial intelligence in their security tooling also incurred lower breach costs. While the exact amount varies by measure, the report credits these approaches with saving the companies it surveyed between $1.25 million and $1.49 million per breach.
For those curious, the report breaks down a number of additional variables - how much breaches cost companies with an incident response team in place versus those without one, the average cost of a data breach by organization size, and how much it cost companies that experienced what IBM and Ponemon call "high level compliance failures."
For those interested, it's worth digging into the report in its entirety to get the full scope.