Data breaches now cost surveyed companies $4.24 million per incident on average – the highest cost in the 17-year history of the report, according to the annual Cost of a Data Breach Report, conducted by Ponemon Institute and sponsored and analyzed by IBM Security.
Based on in-depth analysis of real-world data breaches experienced by over 500 organizations, the study suggests that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year.
“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, Vice President and General Manager, IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero trust approach – which may pay off in reducing the cost of these incidents further down the line.”
Prashant Bhatkal, Security Software Sales Leader, IBM Technology Sales, India/South Asia, says, “The rapid shift to remote work witnessed a tremendous disruption of security programs. Organizations were focused on getting online and security became an afterthought. India witnessed a record high in Data Breach during the Pandemic leading to many organizations evaluating their security posture.”
The annual Cost of a Data Breach Report identified the following trends amongst the organizations studied:
1. Compromised Credentials a Growing Risk
The report also shed light on a growing problem in which consumer data (including credentials) is being compromised in data breaches, which can then be used to propagate further attacks.
• Personal Data Exposed: Nearly half (44%) of the breaches analyzed exposed customer personal data, such as name, email, password, or even healthcare data – representing the most common type of breached record in the report.
• Customer PII Most Costly: The loss of customer personally identifiable information (PII) was also the most expensive compared to other types of data.
• Most Common Attack Method: Compromised user credentials were the most common method used as an entry point by attackers, representing 20% of breaches studied.
2. Healthcare Breach Costs Surged
Industries that faced huge operational changes during the pandemic (healthcare, retail, hospitality, and consumer manufacturing/distribution) also experienced a substantial increase in data breach costs year over year. Healthcare breaches cost the most by far, at $9.23 million per incident – a $2 million increase over the previous year.
3. Modern Approaches Reduced Costs
The adoption of AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools. For cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61m) than those who had a primarily public cloud ($4.80m) or primarily private cloud approach ($4.55m).
Additional findings of the survey
Companies studied that had a mature zero-trust security approach were better positioned to deal with data breaches, with an average cost of $3.28 million – which was $1.76 million lower than those who had not deployed this approach at all.
Companies with an incident response team that also tested their incident response plan had an average breach cost of $3.25 million, while those that had neither in place experienced an average cost of $5.71 million (representing a 54.9% difference).
Other findings from the 2021 report include:
• Time to respond: The average time to detect and contain a data breach was 287 days (212 to detect, 75 to contain) – which is one week longer than the prior year report.
• Mega breaches: Average cost of a mega breach was $401 million, for breaches between 50 million and 65 million records. This is nearly 100x more expensive than the majority of breaches studied in the report (which ranged from 1,000-100,000 records).
The 2021 Cost of a Data Breach Report from IBM Security and Ponemon Institute takes into account hundreds of cost factors involved in data breach incidents, from legal, regulatory and technical activities to loss of brand equity, customers, and employee productivity.