Average Cost of a Data Breach: $3.86 Million

New IBM study shows that security system complexity and cloud migration can amplify breach costs.

The latest edition of IBM's annual cost-of-a-data-breach study shows that security system complexity and incident response testing are the two factors that have the biggest impact on the total cost of a breach.

The 2020 IBM study — conducted by the Ponemon Institute — is based on data gathered from executives at 524 organizations around the world that experienced a data breach between August 2019 and April 2020. For purposes of the study, Ponemon only considered data breaches that involved between 3,400 and 99,730 compromised records.

To calculate how much a breach might have ended up costing a company, the research considered the costs associated with four process-related activities: the costs involved in detecting a breach, including investigation and forensics activities, assessment and audit; notification costs; lost business from system downtime and disruption; and legal fees and costs related to activities like providing help desk services, credit monitoring, and ID protection for victims.

The analysis showed that globally, a data breach cost companies $3.86 million per incident during the nine-month period of the study. The average breach cost in the US as usual was more than twice that, at $8.64 million on average. Healthcare organizations globally once again shelled out more on average for a data breach — $7.13 million — than organizations in any other sector.

Even though breach-related costs increased for many organizations, the global average of $3.86 million itself was marginally lower than the $3.92 million reported last year. That was because there were more organizations in the 2020 study with mature security practices, and therefore substantially lower breach costs, compared to 2019.

The IBM/Ponemon study showed that total data breach costs for organizations that reported having a complex security system environment were nearly $292,000 higher on average than for companies that did not have the same issue. Other factors that substantially amplified the average cost of a breach included cloud migration ($267,469), security skills shortages ($257,429), and compliance failures ($255,626).

At the same time, the study highlighted several other factors that can help mitigate breach costs for organizations. For instance, organizations that regularly tested their incident response plans ended up spending some $295,000 less than the global average on breach-related costs, while those with a business continuity plan spent about $279,000 less. Other cost-mitigating factors included red-team testing ($243,185), AI-enabled response ($259,354), and employee training ($238,019).

Charles DeBeck, strategic cyber threat analyst at IBM's X-Force IRIS incident response team, says one notable data point from the report is the difference in breach costs between those organizations that have automated their threat response capabilities, and those that have not.

Growing Cost Divide

"The main takeaway I see is this growing cost divide," DeBeck says. "Businesses that are investing in advanced technologies and practicing preparedness of their incident response experience significantly lower costs, while those that didn't prepare see their costs rising year over year."

In fact, average breach costs for an organization with an IR team that conducted regular tests, including tabletop exercises, were $3.29 million, while those that did not have either spent $5.29 million.

The IBM/Ponemon study showed that the attack vector, the type of data compromised, and the length of time it took for an organization to detect a breach, all had a substantial bearing on the final breach cost.

For instance, the average breach cost was almost $1 million higher in incidents involving the use of stolen or compromised credentials to access an organization's network. One reason could be that credentials give attackers a way to remain undetected for a longer period of time, DeBeck says. "As a result, the compromise may be more extensive, which would impact costs."

Attacks involving nation-state actors, which accounted for 13% of the breaches in the IBM study, were also expensive, at $4.4 million per incident.

Similarly, data breaches involving personally identifiable information cost organizations more last year than breaches involving employee data and other kinds of sensitive data. Not only was PII the most commonly breached data, it was also the most expensive, at around $150 per breached record globally and $175 per record in the US.

"One likely reason is that PII often is lost in bulk," DeBeck says. "Often PII is stored together, so if a threat actor breaches an organization and grabs PII, this can lead to all of the PII being lost, which can have a very high cost."

The time an organization takes to detect a breach has an impact on breach costs as well. Organizations in the IBM/Ponemon study took an average of 280 days to detect and contain a breach. When a victim was able to detect and shut down a breach in less than 200 days, total breach costs went down some $1.1 million on average.

"The biggest thing we see impacting breach costs is an organization's ability to respond quickly to an attack, and a lot of this comes down to planning and preparation," DeBeck says. Technology, particularly that which enables automation, can also play a big role in speeding response and lowering overall breach costs, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

User Rank: Ninja
7/30/2020 | 10:23:03 AM
So it seems that this year we are on the decline globally if only at a nominal degree. In comparison with previous years when the rising cost was humbling.