The latest edition of IBM's annual cost-of-a data-breach study shows that security system complexity and incident response testing are two factors that have the biggest impact on the total cost of a breach.
The 2020 IBM study — conducted by the Ponemon Institute — is based on data gathered from executives at 524 organizations around the world that experienced a data breach between August 2019 and April 2020. For purposes of the study, Ponemon only considered data breaches that involved between 3,400 and 99,730 compromised records.
To calculate how much a breach might have ended costing a company, the research considered the costs associated with four process-related activities: the costs involved in detecting a breach, including investigation and forensics activities, assessment and audit; notification costs; lost business from system downtime and disruption and; legal fees and costs related to activities like providing help desk services, credit monitoring, and ID protection for victims.
The analysis showed that globally, a data breach cost companies $3.86 million per incident during the nine-month period of the study. The average breach cost in the US as usual was more than twice that, at $8.64 million on average. Healthcare organizations globally once again shelled out more on average for a data breach — $7.13 million — than organizations in any other sector.
Even though breach-related costs increased for many organizations, the global average of $3.86 million itself was marginally lower than the $3.92 million reported last year. That was because there were more organizations in the 2020 study with mature security practices, and therefore substantially lower breach costs, compared to 2019.
The IBM/Ponemon study showed that total data breach costs for organizations that reported having a complex security system environment was nearly $292,000 higher on average than companies that did not have the same issue. Other factors that substantially amplified the average cost of a breach included cloud migration ($267,469), security skills shortages ($257,429), and compliance failures ($255,626).
At the same time the study highlighted several other factors that can help mitigate breach costs for organizations. For instance, organizations that regularly tested their incident response plans ended up spending some $295,000 less than the global average on breach-related costs while those with a business continuity plan spent about $279,000 less. Other cost mitigating factors included red-team testing ($243,185), AI-enabled response ($259,354), and employee training ($238,019).
Charles DeBeck, strategic cyber threat analyst at IBM's X-Force IRIS incident response team, says one notable data point from the report is the difference in breach costs between those organizations that have automated their threat response capabilities, and those that have not.
Growing Cost Divide
"The main takeaway I see is this growing cost divide," DeBeck says. "Businesses that are investing in advanced technologies and practicing preparedness of their incident response experience significantly lower costs, while those that didn't prepare see their costs rising year over year."
In fact, average breach costs for an organization with an IR team that conducted regular tests including tabletop exercises was $3.29 million while those that did not have either spent $5.29 million.
The IBM/Ponemon study showed that the attack vector, the type of data compromised, and the length of time it took for an organization to detect a breach, all had a substantial bearing on the final breach cost.
For instance, the average breach cost was almost $1 million higher in incidents involving the use of stolen or compromised credentials to access an organization's network. One reason could be that credentials give attackers a way to remain undetected for a longer period of time, DeBeck says. "As a result, the compromise may be more extensive, which would impact costs."
Attacks involving nation-state actors, which accounted for 13% of the breaches in the IBM study, were also expensive, at $4.4 million per incident.
Similarly, data breaches involving personally identifiable information cost organizations more last year than breaches involving employee data and other kinds of sensitive data. Not only was PII the most commonly breached data, it was also the most expensive, at around $150 per breached record globally and $175 per record in the US.
"One likely reason is that PII often is lost in bulk," DeBeck says. "Often PII is stored together, so if a threat actor breaches an organization and grabs PII, this can lead to all of the PII being lost, which can have a very high cost."
The time an organization takes to detect a breach has an impact on breach costs as well. Organizations in the IBM/Ponemon study took an average of 280 days to detect and contain a breach. When a victim was able to detect and shut down a breach in less than 200 days, total breach costs went down some $1.1 million on average.
"The biggest thing we see impacting breach costs is an organization's ability to respond quickly to an attack, and a lot of this comes down to planning and preparation," Debeck says. Technology, particularly that which enables automation, can also play big role speeding response and lowering overall breach costs, he says.
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.