Data breach costs have reached a new record high of $4.24 million per incident, representing a 10% increase from the year prior — the largest single-year cost increase in the last seven years.
IBM and the Ponemon Institute have been analyzing the cost of data breaches for more than a decade, and the past year saw dollar amounts substantially increase as organizations pivoted to remote work and accelerated their transition to the cloud amid the global COVID-19 pandemic. Both of these factors, among others, drove the average cost per breach to a new record high.
Consider remote work: The average cost of a breach in which remote work was cited as a factor was $1.07 million more than incidents in which remote work wasn't a factor. Of the companies that reported a breach in the last year, 17.5% said remote work was a factor. Those with more than 50% of employees working remotely took 58 days longer to identify and contain breaches.
"For organizations that had significant remote work operations … they had to stand up new infrastructure and new capabilities very, very quickly," says Charles DeBeck, senior cyber-threat intelligence strategic analyst at IBM Security.
The shift posed a challenge to many breach victims. Networks that were quickly assembled and had security gaps as a result created a higher risk for breaches to expand beyond the initial attack area, he adds. Intruders could move quickly and effectively across target environments.
"When you look at the ways organizations quickly built out remote work capabilities, it made it more challenging to quickly detect and contain breaches," DeBeck says. On average, it took victims 287 days to identify and contain a breach, though researchers note longer detection led to higher cost: Breaches that took longer than 200 days to identify cost an average of $4.87 million — far more than the $3.61 million for those that took fewer than 200 days to detect.
This doesn't mean remote work is bad or inherently insecure, continues DeBeck. The problem, in many cases, was the speed with which organizations set up their remote infrastructure. Businesses that want to support remote employees in the long term should do so carefully and securely.
System complexity was a major factor driving breach cost. Organizations with greater system complexity added an average of $2.15 million to their total breach cost, compared with those with lower levels of complexity, the researchers report.
"If your organization has a complex system design, it's going to be difficult to identify and contain a breach when it occurs," DeBeck points out.
Cloud deployment also affects breach cost. Public cloud breaches, in which a victim was at least 80% deployed in a public cloud environment, had an average cost of $4.80 million per incident, followed by private cloud ($4.55 million), on-premises ($4.15 million), and hybrid deployments ($3.61 million). Organizations with a higher level of cloud migration had a higher average cost ($5.12 million) compared with those who reported low levels ($3.46 million).
"The nice thing about hybrid cloud is it allows you to tailor your environment based on the operations you're engaged in," DeBeck says. If you're only using public cloud, everything must be tailored to the public cloud. Businesses running hybrid cloud environments can use a hybrid model to deploy some data to private cloud and some to public, depending on what's needed.
As he notes, it's easier for organizations to tailor their data needs to fit the cloud than to tailor the environment to suit the needs of their data.
Attack Vectors Affect Breach Detection & Cost
The most common initial attack vectors were compromised credentials (20% of breaches), phishing (17%), and cloud misconfiguration (15%). Business email compromise made up only 4% of breaches but had the highest average total cost at $5.01 million. Phishing was the second most-expensive vector ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).
Breaches that stemmed from compromised credentials took the longest time to identify (250 days) and contain (91 days) on average, for a total of 341 days. Business email compromise was second at 317 days, and malicious insiders had the third-longest life cycle at 306 days.
"I think it captures, for organizations, where they can organize their overall security spend," says DeBeck of the attack vector breakdown. "It's really meant to emphasize where we can most effectively protect ourselves."
Calculating Breach Cost: Behind the Numbers
Researchers divide the $4.24 million average cost of a data breach into four categories: detection and escalation, breach notification, post-breach response, and lost business cost.
Of these four, lost business accounted for $1.59 million, or 38% of the average total cost. This includes business disruption and revenue loss from system downtime, the cost of losing customers and acquiring new ones, reputation loss, and diminished goodwill, the report states. Detection and escalation made up $1.24 million, or 29% of cost, followed by post-breach response ($1.14 million), and breach notification ($0.27 million).
Customers' personally identifiable information (PII), seen in 44% of breaches, was the most common type of data lost or stolen. It was also the most expensive: The average cost per record of customer PII was $180.
Anonymized customer data was compromised in 28% of incidents studied, followed by intellectual property (27%), employee PII (26%), and other sensitive data (12%). Employee PII cost $176 per record, intellectual property cost $169, and "other sensitive data" cost $165.