2020 has taught us some profound lessons in cyber-security and data protection. While an unprecedented number of people have transitioned to online working and schooling and companies are fighting for survival, cyber-attacks are on the rise. Our dependency on data has never been greater, and the consequences and costs of a data breach can therefore be devastating for companies of every size.
On the 1st of June 2020, the medical laboratories of the University of California in San Francisco, which are working on a cure for COVID-19, were compromised. Hackers extorted 116.4 bitcoins ($1.14M) from the research institute in exchange for restoring the encrypted data. Contrary to common expert advice, the institute decided to pay, since the work it is doing is critical for the public good.
The amount of this ransom alone is a heavy loss for the organization, yet it is only a fraction of the expenditures associated with a breach. What is the real cost of a data breach? The answer to this question alone isn't enough for security leaders when it comes to mitigating risks and maintaining business continuity in the context of disruptive changes and remote working.
In this regard, IBM’s Cost of a Data Breach Report is more than just a simple breakdown of costs. The analysis, based on interviews with 524 organizations, provides companies with insightful details on cost components, root causes, targeted data types and preventive security measures. To guide you through the cost landscape of a potential data breach, we’ve highlighted some key findings below:
1. Despite the slight drop in the average data breach costs, many organizations still pay a lot more
It might come as a surprise to many that the average cost of a data breach has declined slightly to $3.86 million compared with last year. A deeper look at the findings reveals, however, that the costs were much higher for companies lacking security measures than for those with advanced security automation.
2. Data breaches continue to be the costliest in the healthcare sector & in the US
Healthcare continues to experience the highest data breach costs at $7.13 million, a 10% increase compared with 2019. The pressure medical institutions were under due to COVID-19 is just one factor that makes the sector a highly attractive target for hackers. Patient data is worth a lot of money, and healthcare institutions are lagging behind when it comes to implementing secure technology.
While 12 out of 16 countries have seen an increase in average costs, data breaches are the most expensive in the United States at $8.64 million on average.
3. Remote work during COVID-19 increases data breach costs and response time
Every second organization (54%) reported having transitioned to remote working during the pandemic. The participants say that the new way of working increases the time to detect and contain a breach. And 70% of companies with a remote workforce are convinced that this will also have an amplifying impact on the costs of a potential data breach.
4. Customer personal data is at the highest risk and the most expensive type of data
80% of data breaches were targeted at customer personally identifiable information (PII), whereas intellectual property was compromised in 32% of the incidents. Customer PII also turned out to be the costliest type of data to lose, at $150 per compromised record.
5. Malicious attacks are the most common and costliest root cause
52% of data breaches are caused by malicious attacks and cost $4.27 million on average. Unlocking the value of data is appealing not only to companies, but also to cybercriminals. On top of that, the forced and in many cases unprepared digitalization due to COVID-19 has also turned out to be favorable to malicious actors.
While 53% of breaches were caused by financially motivated cybercriminals, compromised credentials and cloud misconfiguration were responsible for 19% of malicious attacks. Vulnerabilities in third-party software (16%) and phishing (14%) are still among the most common causes.
6. Security automation as an effective cost mitigator
Companies are increasingly taking advantage of security automation, using artificial intelligence, machine learning and automated orchestration. Countries like the United States and Germany excel in automation maturity, and similarly some sectors, such as communications, technology and retail, are early adopters of the new security technologies.
The impact of this approach is clearly reflected in the findings: with an average total cost of $6.03 million per data breach, companies without security automation paid twice as much as businesses with automated security workflows in place.
7. Lost business is the largest cost factor and has the longest-lasting impact
When it comes to expenditures following a data breach, the costs accumulating over time are like a stone thrown into water: the ripples keep growing. Though the direct costs resulting from incident detection, regulatory fines and payouts for lawsuits might be the most visible ones, the hidden costs cause the most painful shock for businesses.
The report shows that 40% of the average total cost was incurred through lost business. Operational outage, eroded customer trust, negative publicity: all of these impact revenue and can set back company growth for years. Highly regulated industries in particular, such as healthcare, finance, technology, pharma and education, suffered substantial long-tail costs.
By pointing out typical vulnerabilities and long-term consequences, the report can help companies understand the attackers’ mindset and build their strategy with security in mind.
One of the key findings is that customer personal data is the most targeted and most valuable type of data. This should ring alarm bells for companies and persuade them to rely on fully secure, end-to-end-encrypted services when collaborating with customers and other external parties, or when integrating third-party services. Your customers’ trust is your most valuable business asset. And yet businesses often underestimate the importance of handling customer data safely and tend to sacrifice security on the altar of convenience.