The majority of companies — 63% — have suffered at least one breach in the past 12 months. The global average breach cost $2.4 million — a price tag that increases to $3.0 million for companies unprepared to respond to compromises.
The new data from Forrester Research, released on April 8 in a report titled "The 2021 State Of Enterprise Breaches," found that the number of breaches and the cost of breaches varied widely depending on the geographic location of the business and to what degree the organization is prepared to respond to breaches. Companies in North America had the largest disparity between the haves and have-nots: While the average organization required 38 days to find, eradicate, and recover from a breach, companies that failed to adequately prepare for security challenges took 62 days.
The difference in response resulted in a large difference in cost as well, with the average North American company paying $3.0 million to recover from a breach, a bill that rises to $4.0 million if the company suffered from a lack of incident-response preparation.
"The misalignment between the expectation and the reality of breaches has become very important," says Allie Mellen, an analyst with Forrester's Security and Risk group. "On a global scale, there is a big disparity of about $600,000 between those who are prepared to respond to a breach and those who are not."
Overall, however, North American firms saw a slightly lower rate of compromise than other regions, with 59% of firms responding to a breach in the last 12 months compared to the global average of 63%.
Organizations in Europe and in the Asia-Pacific region saw a much smaller difference between those prepared for breaches and those lacking any breach preparation, likely because widespread regulations made the differences less stark. However, even in those regions, companies whose largest challenge was the lack of adequate incident and crisis response preparation had higher costs in responding to a breach, the Forrester report stated.
"Organizations that lacked incident and crisis response preparation took longer to recover from breaches and found them more costly," the Forrester report stated. "Having defined steps written down, known, and tested prior to an incident, along with an incident response retainer, speeds response time and improves completeness of response. Preparedness is crucial in this effort, especially when recovery is measured in days."
Threats Are Not Just External Hackers
Companies also overwhelmingly focused on external attackers as their main source of threat, even though actual attacks were spread out over four different categories: external attacks, internal incidents, third-party and supply-chain attacks, and lost or stolen assets.
Globally, almost half of companies (47%) consider external attacks to be their top threat, but in reality, only a third of incidents (34%) come from external actors. Nearly a quarter of incidents (24%) are traced back to an internal event, while 23% consisted of lost or stolen assets and 21% involved a third-party partner.
"Typically, what we are seeing is that concern [over external attackers] fuels a lot of decisions, but it's not the case that a breach that comes through a third party is going to cost you any less," Mellen says. "We get that companies are worried about external attacks, but there are other aspects of this that they should be dedicating [their] time to."
While European organizations also had an outsized concern for external incidents (37%) compared to the reality (20%), enterprises in all regions lacked concern for lost and stolen assets, with 5% or less of those surveyed considering that type of breach to be most concerning.
Companies should focus on measuring their incident response and management capabilities and use metrics to improve over time, says Forrester's Mellen. "Following the metrics is really important if you want to improve your strategies," she says. "The right metrics can help you identify your own biases and push beyond them."
In addition, multinational companies need to understand that their response to security incidents should be adapted to each region to account for the differences in regulations, incident costs, and threat landscapes.