Annual study by IBM Security shows financial fallout is at an all-time-high
The financial cost of a data breach is at its highest ever, due in part to the coronavirus pandemic and organizations taking significantly longer to resolve incidents.
IBM Security released its annual ‘Cost of a Data Breach Report’ today (July 28), which found that the average cost associated with a breach is now $4.2 million.
The figure, up 10% on last year’s findings, is the highest recorded in the 17-year history of the study.
The shift to remote working due to the Covid-19 is largely blamed for the rise in security incidents, with 60% of the 500 breach-hit organizations involved in the IBM study confirming that their employees had been working from home during the pandemic.
When home working was determined to be a factor in a data breach, these security incidents had an average cost of nearly $5 million per incident – almost 15% more than the average breach regardless of cause.
Added to this, the average time taken for businesses to patch previously disclosed software vulnerabilities has increased by a week since last year’s report, now taking a total of 287 days – 212 to detect and 75 to contain.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, said that the widening breach detection window is the stand-out finding of the survey.
He commented: “Arguably, the Covid influenced remote work environment we saw for much of 2020 shouldn’t have a large impact on breach identification and containment, but that wasn’t the case.
“With several high-profile software supply chain attacks in the last six months, it should be deeply concerning to learn that in 2020 it took 286 days on average to identify and contain a breach that started based on an exploited software vulnerability.
“While some zero-day attacks will factor into this stat, the reality is that software patch management is automation friendly making this stat something that is resolvable.
“Since it isn’t resolved, that speaks to a blind spot in patch management – one which likely is based on an assumption that vendors push update notifications to their customers.”
Mackey added: “Cybercriminals know such a blind spot exists, but closing it is easy.”
Indeed, the adoption of AI, security analytics, and encryption were successful mitigating factors shown to reduce the cost of a breach, the report states, saving companies between $1.3 million and $1.5 million compared to those who did not have significant usage of these tools.
Chris McCurdy, vice president and general manager at IBM Security, commented: “Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic.
“While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics... which may pay off in reducing the cost of these incidents further down the line.”
Other findings of the IBM report include that nearly half (44%) of the breaches in the study exposed personal data, such as names, email addresses, passwords, or even healthcare data – representing the most common type of compromised record in the report.
An increasingly common trend, cybercriminals have also been targeting healthcare providers at an alarming rate during the coronavirus outbreak.
Indeed, of the breaches surveyed, those affecting healthcare services cost the most by far, at $9.2 million per incident – a $2 million increase over the previous year.
This was followed by the financial sector ($5.7 million) and pharmaceuticals ($5 million), while the retail, media, hospitality, and public sectors also experienced higher costs than previous years.
The report, from IBM Security and Ponemon Institute, is based on an analysis of real-world data breaches of 100,000 records or less, experienced by over 500 organizations worldwide between May 2020 and March 2021.
Included in the study were the cost factors involved in data breach incidents from legal, regulatory, and technical activities to loss of brand equity, customers, and employee productivity, IBM said.
The full report can be accessed on the IBM Security website.