CAMBRIDGE, Mass. — Data breaches now cost companies an average of $4.24 million per incident, according to a recent report.
The finding is part of the 17th annual “Cost of a Data Breach Report” by IBM Security and represents the highest-ever average cost in the global report, IBM said last month.
The report is based on “in-depth analysis” of real-world data breaches experienced by over 500 organizations.
Security incidents became costlier and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year, according to the report.
Companies were forced to quickly adapt their technology approaches last year, with many of them encouraging or requiring employees to work from home — and 60% of organizations moving further into cloud-based activities during the COVID-19 pandemic.
The findings in the “Cost of a Data Breach Report” suggest that security might have lagged behind these rapid IT changes, hindering organizations’ ability to respond to data breaches:
- Remote work impact: Breaches cost over $1 million more on average when remote work was indicated as a factor in the event, compared to those in the group without this factor ($4.96 million vs. $3.89 million)
- Health care breach costs surged: Industries that faced huge operational changes during the pandemic (health care, retail, hospitality, and consumer manufacturing/distribution) experienced a substantial increase in data breach costs. Health care breaches cost the most by far, at $9.23 million per incident, a $2 million increase
- Compromised credentials led to compromised data: Stolen user credentials were the most common root cause of breaches. Customer personal data (such as name, email, password) was the most common type of information exposed in data breaches, with 44% of breaches including this type of data
- Modern approaches reduced costs: The adoption of artificial intelligence (AI), security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those that did not have significant usage of these tools. For cloud-based data breaches studied, organizations that implemented a hybrid cloud approach had lower data breach costs ($3.61 million) than those that had a primarily public cloud ($4.80 million) or primarily private cloud approach ($4.55 million).
- Time to respond: Average time to detect and contain a data breach was 287 days (212 to detect, 75 to contain), which is one week longer than the prior year
- Mega breaches: Average cost of a mega breach was $401 million, for breaches between 50 million and 65 million records. This is nearly 100x more expensive than the majority of breaches (which ranged from 1,000-100,000 records)
- By industry: Data breaches in health care were most expensive by industry ($9.23 million), followed by financial ($5.72 million) and pharmaceuticals ($5.04 million). While lower in overall costs, retail, media, hospitality, and the public sector experienced a large increase in costs vs. the prior year
- By country/region: The U.S. had the most expensive data breaches at $9.05 million per incident, followed by the Middle East ($6.93 million) and Canada ($5.4 million)
“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, VP and GM, IBM Security.
“While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation, and the adoption of a zero-trust approach – which may pay off in reducing the cost of these incidents further down the line.”
The 2021 “Cost of a Data Breach Report” was conducted by Ponemon Institute for IBM Security.
The report is based on data breaches of 100,000 records or less experienced by over 500 organizations worldwide between May 2020 and March 2021.
The report takes into account hundreds of cost factors involved in data breach incidents, including legal, regulatory, and technical activities, as well as loss of brand equity, customers, and employee productivity.