Dark Reading is part of the Informa Tech Division of Informa PLC
Average Cost of a Data Breach: $3.86 Million

New IBM study shows that security system complexity and cloud migration can amplify breach costs.

The latest edition of IBM's annual cost-of-a-data-breach study shows that security system complexity and incident response testing are the two factors with the biggest impact on the total cost of a breach.

The 2020 IBM study — conducted by the Ponemon Institute — is based on data gathered from executives at 524 organizations around the world that experienced a data breach between August 2019 and April 2020. For purposes of the study, Ponemon only considered data breaches that involved between 3,400 and 99,730 compromised records.

To calculate how much a breach ended up costing a company, the research considered the costs associated with four process-related activities: the costs involved in detecting a breach, including investigation and forensics activities, assessment and audit; notification costs; lost business from system downtime and disruption; and legal fees and costs related to activities like providing help desk services, credit monitoring, and ID protection for victims.

The analysis showed that globally, a data breach cost companies $3.86 million per incident during the nine-month period of the study. As usual, the average breach cost in the US was more than twice that, at $8.64 million. Healthcare organizations globally once again shelled out more on average for a data breach — $7.13 million — than organizations in any other sector.

Even though breach-related costs increased for many organizations, the global average of $3.86 million itself was marginally lower than the $3.92 million reported last year. That was because there were more organizations in the 2020 study with mature security practices, and therefore substantially lower breach costs, compared to 2019.

The IBM/Ponemon study showed that total data breach costs for organizations that reported having a complex security system environment were nearly $292,000 higher on average than for companies that did not have the same issue. Other factors that substantially amplified the average cost of a breach included cloud migration ($267,469), security skills shortages ($257,429), and compliance failures ($255,626).

At the same time, the study highlighted several other factors that can help mitigate breach costs for organizations. For instance, organizations that regularly tested their incident response plans ended up spending some $295,000 less than the global average on breach-related costs, while those with a business continuity plan spent about $279,000 less. Other cost-mitigating factors included red-team testing ($243,185), AI-enabled response ($259,354), and employee training ($238,019).

Charles DeBeck, strategic cyber threat analyst at IBM's X-Force IRIS incident response team, says one notable data point from the report is the difference in breach costs between those organizations that have automated their threat response capabilities, and those that have not.

Growing Cost Divide

"The main takeaway I see is this growing cost divide," DeBeck says. "Businesses that are investing in advanced technologies and practicing preparedness of their incident response experience significantly lower costs, while those that didn't prepare see their costs rising year over year."

In fact, the average breach cost for an organization with an IR team that conducted regular tests, including tabletop exercises, was $3.29 million, while organizations that had neither spent $5.29 million.

The IBM/Ponemon study showed that the attack vector, the type of data compromised, and the length of time it took for an organization to detect a breach, all had a substantial bearing on the final breach cost.

For instance, the average breach cost was almost $1 million higher in incidents involving the use of stolen or compromised credentials to access an organization's network. One reason could be that credentials give attackers a way to remain undetected for a longer period of time, DeBeck says. "As a result, the compromise may be more extensive, which would impact costs."

Attacks involving nation-state actors, which accounted for 13% of the breaches in the IBM study, were also expensive, at $4.4 million per incident.

Similarly, data breaches involving personally identifiable information cost organizations more last year than breaches involving employee data and other kinds of sensitive data. Not only was PII the most commonly breached data, it was also the most expensive, at around $150 per breached record globally and $175 per record in the US.

"One likely reason is that PII often is lost in bulk," DeBeck says. "Often PII is stored together, so if a threat actor breaches an organization and grabs PII, this can lead to all of the PII being lost, which can have a very high cost."

The time an organization takes to detect a breach has an impact on breach costs as well. Organizations in the IBM/Ponemon study took an average of 280 days to detect and contain a breach. When a victim was able to detect and shut down a breach in less than 200 days, total breach costs went down some $1.1 million on average.

"The biggest thing we see impacting breach costs is an organization's ability to respond quickly to an attack, and a lot of this comes down to planning and preparation," DeBeck says. Technology, particularly that which enables automation, can also play a big role in speeding response and lowering overall breach costs, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

7/30/2020 | 10:23:03 AM
So it seems that this year we are on the decline globally, if only at a nominal degree, in comparison with previous years, when the rising cost was humbling.