Dark Reading is part of the Informa Tech Division of Informa PLC



7/29/2020
05:45 PM

Average Cost of a Data Breach: $3.86 Million

New IBM study shows that security system complexity and cloud migration can amplify breach costs.



The latest edition of IBM's annual cost-of-a-data-breach study shows that security system complexity and incident response testing are the two factors that have the biggest impact on the total cost of a breach.

The 2020 IBM study — conducted by the Ponemon Institute — is based on data gathered from executives at 524 organizations around the world that experienced a data breach between August 2019 and April 2020. For purposes of the study, Ponemon only considered data breaches that involved between 3,400 and 99,730 compromised records.

To calculate how much a breach might have ended up costing a company, the research considered the costs associated with four process-related activities: the costs involved in detecting a breach, including investigation and forensics activities, assessment and audit; notification costs; lost business from system downtime and disruption; and legal fees and costs related to activities like providing help desk services, credit monitoring, and ID protection for victims.

The analysis showed that globally, a data breach cost companies $3.86 million per incident during the nine-month period of the study. The average breach cost in the US as usual was more than twice that, at $8.64 million on average. Healthcare organizations globally once again shelled out more on average for a data breach — $7.13 million — than organizations in any other sector.

Even though breach-related costs increased for many organizations, the global average of $3.86 million itself was marginally lower than the $3.92 million reported last year. That was because there were more organizations in the 2020 study with mature security practices, and therefore substantially lower breach costs, compared to 2019.

The IBM/Ponemon study showed that total data breach costs for organizations that reported having a complex security system environment were nearly $292,000 higher on average than for companies that did not have the same issue. Other factors that substantially amplified the average cost of a breach included cloud migration ($267,469), security skills shortages ($257,429), and compliance failures ($255,626).

At the same time, the study highlighted several other factors that can help mitigate breach costs for organizations. For instance, organizations that regularly tested their incident response plans ended up spending some $295,000 less than the global average on breach-related costs, while those with a business continuity plan spent about $279,000 less. Other cost-mitigating factors included red-team testing ($243,185), AI-enabled response ($259,354), and employee training ($238,019).

Charles DeBeck, strategic cyber threat analyst at IBM's X-Force IRIS incident response team, says one notable data point from the report is the difference in breach costs between those organizations that have automated their threat response capabilities, and those that have not.

Growing Cost Divide

"The main takeaway I see is this growing cost divide," DeBeck says. "Businesses that are investing in advanced technologies and practicing preparedness of their incident response experience significantly lower costs, while those that didn't prepare see their costs rising year over year."

In fact, average breach costs for an organization with an IR team that conducted regular tests, including tabletop exercises, were $3.29 million, while those that did not have either spent $5.29 million.

The IBM/Ponemon study showed that the attack vector, the type of data compromised, and the length of time it took for an organization to detect a breach, all had a substantial bearing on the final breach cost.

For instance, the average breach cost was almost $1 million higher in incidents involving the use of stolen or compromised credentials to access an organization's network. One reason could be that credentials give attackers a way to remain undetected for a longer period of time, DeBeck says. "As a result, the compromise may be more extensive, which would impact costs."

Attacks involving nation-state actors, which accounted for 13% of the breaches in the IBM study, were also expensive, at $4.4 million per incident.

Similarly, data breaches involving personally identifiable information cost organizations more last year than breaches involving employee data and other kinds of sensitive data. Not only was PII the most commonly breached data, it was also the most expensive, at around $150 per breached record globally and $175 per record in the US.

"One likely reason is that PII often is lost in bulk," DeBeck says. "Often PII is stored together, so if a threat actor breaches an organization and grabs PII, this can lead to all of the PII being lost, which can have a very high cost."

The time an organization takes to detect a breach has an impact on breach costs as well. Organizations in the IBM/Ponemon study took an average of 280 days to detect and contain a breach. When a victim was able to detect and shut down a breach in less than 200 days, total breach costs went down some $1.1 million on average.

"The biggest thing we see impacting breach costs is an organization's ability to respond quickly to an attack, and a lot of this comes down to planning and preparation," DeBeck says. Technology, particularly that which enables automation, can also play a big role in speeding response and lowering overall breach costs, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 

Comments
RyanSepe,
User Rank: Ninja
7/30/2020 | 10:23:03 AM
Stagnant
So it seems that this year we are on the decline globally if only at a nominal degree. In comparison with previous years when the rising cost was humbling.