A month ago, Ponemon and IBM released the Cost of a Data Breach 2021 report, an annual study on the cost of data breaches and the modern threat landscape. The report not only highlighted that the cost of data breaches is on the rise but also showed that enterprises are taking longer to contain security incidents.
This article will examine seven key findings from the report and break down some of the most promising solutions that enterprises can use to reduce the costs associated with breach incidents.
1. The Average Cost of a Data Breach Reaches an All-Time High
One of the most shocking findings of the report was the fact that the overall cost of a data breach is increasing. 2021 saw the highest average cost of a data breach in 17 years, with a total of $4.24 million. This figure is the highest in the report’s history, increasing by 10% between 2020 and 2021.
The top five industries with the highest average total cost were Healthcare ($9.23 million), Financial ($5.72 million), Pharmaceuticals ($5.04 million), Technology ($4.88 million), and Energy ($4.65 million). This is unsurprising, given the complex web of regulations that healthcare and finance organisations need to navigate.
It’s worth noting that the public sector also saw a significant increase in data breach costs, rising by 78.7% between 2020 and 2021, from $1.08 million to $1.93 million. The public sector wasn’t alone in seeing cost increases; the retail, media, hospitality, and communications industries also had an increase in average data breach costs.
2. Lost Business is the Biggest Cost of a Data Breach
When breaking down the factors that contributed to the overall cost of a data breach, the report found that lost business carried the highest cost, accounting for 38% of the average total cost of a data breach for a total of $1.59 million.
This cost covers a range of business losses arising from a data breach, from initial business disruption and revenue lost to downtime, through customer loss and the cost of acquiring new customers, to reputational damage.
The next most significant cost was detection and escalation costs with an average cost of $1.24 million, at 29% of the cost of a data breach. The third most significant cost was post-breach response at 27%, which accounted for $1.14 million.
These findings suggest that enterprises need to invest in more cost-efficient technologies for detecting security incidents while planning and optimising their incident response processes to enhance post-breach response.
3. Remote Working Environments are Struggling to Contain Data Breaches
The report also highlighted that decentralised remote working environments increase the impact of data breaches considerably. In fact, organisations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than organisations with 50% or fewer employees working remotely.
The additional time taken to identify and contain breaches also increased the overall cost of intrusions in remote environments. For instance, the average cost of a data breach was $1.07 million higher in breaches where remote work was a factor in causing the breach.
These findings indicate that organisations offering work-from-home opportunities to employees need to ensure that security best practices are maintained off-site, or they leave themselves at risk of security incidents that are more difficult to contain.
4. Enterprises are Taking Longer to Identify and Contain Data Breaches
Due to the increasing complexity of modern threats, enterprises are taking longer to identify and contain data breaches. The average time taken for organisations to identify and contain a data breach was 287 days in 2021, 7 days more than in 2020.
Organisations that took longer to identify data breaches also had a higher overall incident cost. Breaches with a lifecycle of over 200 days had an average cost of $4.87 million compared to $3.61 million for breaches with a lifecycle of less than 200 days.
While this is likely because the longer it takes to contain an incident, the greater the chance of data loss, downtime, and regulatory liabilities, the lifecycle also depended heavily on the initial attack vector.
Data breaches caused by compromised credentials were the most difficult to contain, taking an average of 341 days, compared to business email compromise at 317 days, malicious insiders at 306 days, phishing at 293 days, physical security compromise at 292 days, and social engineering at 290 days.
5. Compromised Credentials May be the Most Common Threat but they Don’t Have the Highest Average Cost
The most frequent initial attack vectors identified in the study were compromised credentials, accounting for 20% of breaches, followed by phishing attempts (17%), cloud misconfiguration (15%), and business email compromise (4%).
Although compromised credentials were involved in the highest proportion of data breaches, they didn’t have the highest average cost. Business email compromise was the initial attack vector with the highest overall cost, at an average of $5.01 million.
The other threat vectors with the highest costs included phishing attacks, with an average cost of $4.65 million, followed by malicious insiders at $4.61 million, social engineering at $4.47 million, and compromised credentials at $4.37 million.
6. Incident Response Has a Big Role to Play in Cutting Costs
The research also found that incident response strategies had a significant role to play in reducing costs. The average cost of a data breach was $3.25 million in organisations with incident response capabilities, compared to $5.71 million in organisations without an incident response plan in place.
In other words, organisations that implement a balanced incident response plan can expect to cut the cost of a data breach by $2.46 million, which makes investing in incident response key to limiting the costs of security incidents going forward.
Part of the reason for this effectiveness is that a well-thought-out incident response plan can decrease the time it takes to contain security incidents and lessen the overall financial impact of a breach.
7. AI, Automation and Zero-Trust Offer Some Protection Against Data Breaches
A number of other solutions also had success in decreasing the overall cost of data breaches. For example, organisations using AI and automation experienced an 80% lower average data breach cost, a total of $2.90 million compared to $6.71 million in organisations without AI or automation.
A key reason for this dramatic decrease in cost is the fact that organisations implementing AI and automation can automate security incident investigations and reduce the number of manual tasks needed to investigate security incidents.
The research also highlighted that zero-trust approaches help reduce the costs of data breaches, though not as dramatically as AI and automation. Organisations in a mature stage of zero-trust deployment had an average cost of a breach of $3.28 million, $1.76 million less than organisations without zero-trust implementations in place.
This suggests that zero-trust approaches are worth investing in alongside AI and automation to shield protected data from unauthorised users and decrease an organisation’s overall data breach liabilities.
As Costs Increase, Organisations Need to Invest to Stay Protected
As the costs of data breaches continue to rise and threats become more difficult to contain, organisations need to adapt and invest in technologies and approaches that can optimise their incident prevention and resolution capabilities.
Taking steps such as investing in an incident response plan and implementing AI, automation, and zero-trust is key to decreasing the costs of security incidents in the future and to avoiding the devastation associated with lost business and reputational damage.
Want to find out how an incident response plan can cut data breach costs? Contact our team today.