Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

8/24/2020
10:00 AM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Average Cost of a Data Breach in 2020: $3.86M

When companies defend themselves against cyberattacks, time is money.

A recent survey of 3,200 people in 524 organizations that suffered data breaches is a bit of a mixed bag. Ponemon's "Cost of a Data Breach Report 2020" (commissioned by IBM) reveals that despite an apparent decline in the average cost of a data breach — from $3.92 million in 2019 to $3.86 million this year — the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes. In the same vein, Ponemon's examination of the average cost per record varied widely according to the kind of data that was exposed or stolen.

Among the breaches analyzed in Ponemon's study, the most sought-after record type was customers' personally identifiable information (PII). Fully eight out of 10 hacked organizations reported that the thieves specifically targeted PII. Stolen PII was also the costliest. According to the study, the average cost per lost or stolen data record was $146, but each compromised record containing personal customer information cost businesses $150. That cost grew to $175 in breaches stemming from malicious attacks. A quarter of the breaches in the study involved anonymized customer data — average cost: $143 per record, which increased to $171 per record for malicious attacks.

Costs Vary Greatly Between Verticals
In recent years, the average cost of a security breach has risen and fallen, but it generally has hovered between $3.5 million and $4 million. However, the cost varies across industries. On average, it takes an organization 280 days to spot and contain a breach. Healthcare organizations fare poorly in this regard: In this industry, the average cost of a data breach was $7.13 million. Of the 17 industries examined in the report, healthcare ranked highest in average cost, and the average time to identify and contain a breach was 329 days. 

The Biggest Cost Factor: Lost Business
As more organizations go digital, an increasing share of their revenues rely on the integrity and availability of their IT services. Customers that don't come back —that is, lost business — make up almost 40% of the average cost per incident (in 2020, $1.52 million). Other lost business costs were attributed to greater customer turnover, system downtime, the cost of finding new business because of a tarnished corporate reputation, legal expenditures, and regulatory fines. 

In a sample of significant data breaches, companies that exposed more than 1 million records racked up costs that were far in excess of the overall average. Breaches of 1 million to 10 million records cost an average of $50 million, over 25 times the average cost of $3.86 million for breaches of less than 100,000 records. In breaches involving more than 50 million records, the average cost was $392 million, more than 100 times the average.

Malicious Attacks Caused Most Security Incidents
Ponemon found that malicious attacks were the most common cause of breaches (52%), followed by human error (23%) and system glitches (25%). The average cost of these was $4.27 million. Another leading cause of breaches was misconfigured clouds.

Stolen or compromised credentials were the costliest cause of malicious breaches. Almost 20% of companies that experienced a malicious breach were hacked using stolen or compromised credentials. This jacked up the average total cost of the breach for these companies by almost $1 million, to $4.77 million.

In addition to pilfered or compromised credentials, the most common threat vector (19%) in breaches caused by malicious attacks was misconfigured cloud servers. These attacks increased the average cost of a breach by more than half a million dollars, to $4.41 million (14% higher than the average cost).

Attacks by Nation-States Were the Most Expensive
While most malicious attacks were launched by cybercriminals hoping to extort money, attacks by nation-states caused the most financial damage. Ponemon figures that just over half (53%) of the malicious attacks examined in the 2020 study were the handiwork of cyber extortionists. The rest were carried out by nation-states and hacktivists (13% each), with 21% of undetermined origin. Although they were less frequent, the state-sponsored attacks cost an average of $4.43 million, as opposed to $4.23 million in the case of financially motivated cybercriminals.

Security Automation Lowers the Costs 
The proportion of businesses taking advantage of security automation — and particularly solutions based on artificial intelligence — swelled from 15% in 2018 to 21% in the 2020 study. And these solutions have continued to reduce the average cost of breaches. Businesses without automated security protection forked out an average total of $6.03 million per incident, which is more than twice the average cost ($2.45 million) for businesses that had fully deployed security automation. The $3.58 million savings in average breach costs for companies with fully deployed security automation versus those without deployed security automation grew from a savings of $1.55 million in the 2018 study.

Time Is Money
In today's digital world, outages and security breaches have larger financial ramifications than ever. The COVID-19 pandemic has affected how many organizations do business in a major way, as armies of employees are working from home. Meanwhile, skyrocketing demand for videoconferencing, cloud applications, VPN access, and network resources is posing new challenges for IT departments. In the report, 76% of respondents said remote work would prolong the time needed to identify and contain a security breach, while 70% said it would increase the cost of a breach.

The "average time to identify" refers to how long it takes to discover that an incident has occurred. Time-to-mitigate describes how long it takes for an organization to contain and resolve a situation. These measures are commonly used benchmark to assess the effectiveness of a form's incident response and containment processes. The faster incidents can be spotted and contained, the lower the costs.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Google Cloud Debuts Threat-Detection Service
Robert Lemos, Contributing Writer,  9/23/2020
Shopify's Employee Data Theft Underscores Risk of Rogue Insiders
Kelly Sheridan, Staff Editor, Dark Reading,  9/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26120
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
CVE-2020-26121
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
CVE-2020-25812
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
CVE-2020-25813
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
CVE-2020-25814
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...