A data breach report published by IBM Security revealed that the average total cost of a data breach fell to $3.86 million this year from $3.92 million in 2019.
Of all 17 countries and regions studied for the report, the United States witnessed the highest data breach costs in the world at $8.64 million on average, up from $8.19 million last year. It was followed by the Middle East at $6.52 million, an increase from $5.97 million.
Worldwide, the cost of a breach is going up. The research conducted by Ponemon Institute showed that the average total cost of a data breach increased in 12 of 16 countries, led by Scandinavian countries with the greatest increase.
Among industries, healthcare continued to incur the highest average breach costs for the tenth year in a row, at $7.13 million, up 10.5% from the 2019 study. It was followed by the energy industry at $6.39 million on average. Other than healthcare and energy, only the retail industry saw an uptick, of 9.2%, in the total cost of a breach. The public sector, education and media industries saw the biggest declines.
The report pointed out that industries with more restrictions and higher regulations had more instances of data breaches, suggesting greater damage would lead to higher losses for the business.
The report found that businesses with security automation systems were better equipped to handle data breaches. The average total cost of a data breach for businesses without security automation was $6.03 million, more than double the average cost of $2.45 million for businesses that had fully deployed security automation.
The share of businesses that use artificial intelligence platforms and automated breach orchestration rose from 15% in 2018 to 21% in the 2020 study. This directly impacted the average cost of a data breach. Automation helped companies reduce the lifecycle of a breach by 74 days, from 308 to 234 days, compared to companies with no security automation deployment.
However, the amount of time organisations took to identify and contain data breaches hasn't changed much. Last year, organisations took 279 days to identify and contain a breach, whereas according to the 2020 report it took a company, on average, 207 days to identify and 73 days to contain a breach. Among industries, healthcare reported the longest lifecycle with 329 days, and the financial sector took the least time with 233 days.
According to the study, four in five breached organisations said customers’ personally identifiable information (PII) was the most compromised type of record. While the average cost per lost or stolen record was $146 across all data breaches, PII cost businesses $150 per compromised record.
As COVID forced greater digitisation, organisations depend on the integrity and availability of IT services more than ever. That is reflected in organisations’ lost business numbers as well, which accounted for nearly 40% of the average total cost of a data breach, increasing from $1.42 million in the 2019 study to $1.52 million in the 2020 study. Lost business included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.
Types of data breaches
The report also found that malicious attacks were the prime cause of data breaches, at 52%, followed by human error or system glitches. Stolen or compromised credentials were the costliest cause of malicious breaches. Almost 20% of companies that experienced a malicious breach were hacked using stolen or compromised credentials.
While most attacks were carried out by hackers looking to extract money, the financial damage from attacks by nation states was higher. 53% of malicious breaches in the 2020 study were carried out by financially motivated cybercriminals, compared to 13% by nation state threat actors. However, the presumed state-sponsored breaches cost an average of $4.43 million, compared to $4.23 million for financially motivated breaches.
The report takes into account data from August 2019 to April 2020, which gives a little idea about the impact of COVID as well.
As most employees are working from home due to the pandemic, an increased demand for videoconferencing, cloud applications, VPN access, and network resources is posing new challenges for IT departments. Remote work access raises the probability of their exposure to security threats and breaches.
The study revealed that 76% of organisations said that work-from-home would make responding to a data breach much more difficult.
Of organizations that required remote work as a result of COVID-19, 70% believed remote work would increase the cost of a data breach, while 76% said it would increase the time to identify and contain a potential data breach.
Having a remote workforce was found to increase the average total cost of a data breach of $3.86 million by nearly $137,000, for an adjusted average total cost of $4 million.
The Cost of a Data Breach Report is a global report, combining results from 524 organizations across 17 countries and regions, and 17 industries to provide global averages.