Cost of a Data Breach Hits Record High During Pandemic
IBM Security released the results of a global study which found that data breaches now cost surveyed companies $4.24 million per incident on average. It is the highest cost in the 17-year history of the report.
Based on in-depth analysis of real-world data breaches experienced by over 500 organizations, the study suggests that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year. Businesses were forced to quickly adapt their technology approaches last year, with many companies encouraging or requiring employees to work from home, and 60% of organizations moving further into cloud-based activities during the pandemic. The new findings suggest that security may have lagged behind these rapid IT changes, hindering organizations' ability to respond to data breaches.
The rapid shift to remote operations during the pandemic appears to have led to more expensive data breaches. Breaches cost over $1 million more on average when remote work was indicated as a factor in the event, compared to those in this group without this factor ($4.96 vs. $3.89 million.) Industries that faced huge operational changes during the pandemic (healthcare, retail, hospitality, and consumer manufacturing/distribution) also experienced a substantial increase in data breach costs year over year. Healthcare breaches cost the most by far, at $9.23 million per incident, a $2 million increase over the previous year.
Stolen user credentials were the most common root cause of breaches in the study. At the same time, customer personal data (such as name, email, password) was the most common type of information exposed in data breaches with 44% of breaches including this type of data. The combination of these factors could cause a spiral effect, with breaches of username/passwords providing attackers with leverage for additional future data breaches. The adoption of AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools. For cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61m) than those who had a primarily public cloud ($4.80m) or primarily private cloud approach ($4.55m).
With society leaning more heavily on digital interactions during the pandemic, companies embraced remote work and cloud as they shifted to accommodate this increasingly online world. The report found that these factors had a significant impact on data breach response. Nearly 20% of organizations studied reported that remote work was a factor in the data breach, and these breaches ended up costing companies $4.96 million (nearly 15% more than the average breach).
Companies in the study that experienced a breach during a cloud migration project had 18.8% higher cost than average. However, the study also found that those who were further along in their overall cloud modernization strategy ("mature" stage) were able to detect and respond to incidents more effectively – 77 days faster on average than those who were in early-stage adoption. Additionally, for cloud-based data breaches studied, companies that had implemented a hybrid cloud approach had lower data breach costs ($3.61m) than those who had a primarily public cloud ($4.80m) or primarily private cloud approach ($4.55m).
While certain IT shifts during the pandemic increased data breach costs, organizations who said they did not implement any digital transformation projects in order to modernize their business operations during the pandemic actually incurred higher data breach costs. The cost of a breach was $750,000 higher than average at organizations that had not undergone any digital transformation due to COVID-19 (16.6% higher than the average).
Companies studied that adopted a zero trust security approach were better positioned to deal with data breaches. The report also found that more companies were deploying security automation compared to prior years, leading to significant cost savings. Investments in incident response teams and plans also reduced data breach costs amongst those studied.