Data breaches have always proved costly for victimized organizations. But the coronavirus pandemic made a bad situation even worse. A report released Wednesday by IBM Security looks at how and why the average cost of dealing with a data breach has jumped to a new high.
To compile its “Cost of a Data Breach Report 2021,” IBM Security commissioned Ponemon Institute to survey more than 500 organizations hit by data breaches. Based on its analysis of the results, IBM found that the average data breach now costs companies around $4.24 million per incident, the highest amount in the report’s 17-year history.
The COVID-19 outbreak can be blamed for much of the recent increase in these costs. As the pandemic unfolded last year, businesses had to shift to a remote work environment and rely more heavily on cloud-based services. With such an abrupt transition, security often lagged behind technology changes, impacting the ability of organizations to prevent or contain data breaches.
As a result, the average expense of a data breach rose by 10% in 2021 over the previous year. Breaches also cost $1 million more on average when remote work was revealed as a factor compared with breaches without this factor ($4.96 million vs. $3.89 million). Grappling with huge pressures and stresses due to the pandemic, healthcare companies saw the average cost of a breach surge by $2 million in 2021, reaching $9.23 million per incident.
Stolen account credentials were the most common cause of data breaches found by IBM. Breaches caused by stolen credentials also took the longest to detect, averaging around 250 days compared with 212 days for other breaches. Personal user information, such as names, email addresses and passwords, was the most common type of data compromised, exposed in 44% of all breaches.
The survey also found several positive takeaways that could help organizations better deal with the costs of a data breach.
Companies hit by a breach during a cloud migration project saw their costs rise by 19% compared with the average. However, organizations further along in their cloud projects managed to detect and respond to breaches faster and more effectively than those in the early stages. Businesses that had set up a hybrid cloud strategy also saw lower costs for data breaches than those that relied primarily on either a public cloud approach or a private cloud approach.
Artificial intelligence, security analytics and encryption were key factors in reducing the costs of a data breach. Companies that implemented such tools shaved between $1.25 million and $1.49 million off their costs compared with those that didn’t turn to such methods. Further, organizations that didn’t kick off any digital transformation projects to try to modernize their operations due to COVID-19 got stuck with average data breach costs $750,000 higher than those that did initiate such projects.
Companies that had a fully deployed security automation strategy also saved money when dealing with a data breach. Such businesses saw an average cost of $2.9 million, while those with no automation in place had to spend $6.71 million to respond to a breach.
Zero trust security played a role in keeping down costs. This type of strategy assumes that your network assets are vulnerable or already at risk and validates access for users, data and resources on an as-needed basis. Companies with an effective zero trust approach saw an average data breach cost of $3.28 million, $1.76 million lower than those that failed to adopt this strategy.
Finally, companies with an incident response team and response plans spent on average $3.25 million to deal with a data breach, whereas those without these measures were hit by an average cost of $5.71 million.
“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” Chris McCurdy, vice president and general manager for IBM Security, said in a press release. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero trust approach, which may pay off in reducing the cost of these incidents further down the line.”