IBM Security has published its 2021 Cost of a Data Breach Report. The report is based on an analysis of data breaches at 500 organizations between May 2020 and March 2021 and shows data breach costs have increased by 10% year-over-year. Data breach costs are now at the highest they have been in the 17 years that IBM Security has been publishing data breach cost reports.
The average cost of a data breach is now $4.24 million, having increased from $3.86 million last year. The most expensive data breaches are those experienced by the healthcare industry, with healthcare industry data breaches costing an average of $9.23 million per breach, up from $7.13 million the previous year.
The study was conducted on breaches of fewer than 101,000 records, although the report does include a section on mega data breaches of between 50 million and 65 million records. The average cost of a mega data breach was $401 million per incident, up from $392 million last year, and more than 100 times the cost of breaches of 1,000 to 100,000 records.
During the period of study, the most common cause of breaches was compromised credentials. Compromised credentials were involved in 20% of data breaches. The most common data types compromised in breaches were customers’ personal data such as names, email addresses, passwords, and healthcare data. 44% of data breaches studied included personally identifiable information (PII). Breaches involving PII cost an average of $180 per record, compared to the average of $161 per record.
In 2020, ransomware attacks increased significantly and accounted for 8% of all data breaches studied. Ransomware attacks typically cost more to resolve, with an average cost of $4.62 million.
Data breach costs were typically around $1 million higher in cases where remote working contributed to the cause of the breach, and those breaches typically took much longer to contain. At companies with more than half of their workforce working remotely, breaches took an additional 58 days to contain on average. The average time to identify and contain a security incident increased by 7 days to 287 days.
The largest component of the breach cost is lost business, which accounts for 38% of the total breach cost. Lost business includes lost revenue due to downtime, increased customer turnover, and the cost of acquiring new business due to diminished reputation.
IBM Security identified several factors that increase or decrease breach costs. Breach costs were significantly lower at organizations with a mature security posture that had implemented AI and security automation, and at organizations that had adopted a zero-trust approach to security.
The average cost of a breach at an organization with a mature zero-trust strategy was $3.28 million, which was $1.76 million less than at organizations that had not deployed this approach at all.
The average breach cost at an organization with a fully deployed security automation strategy was $2.90 million, compared to $6.71 million at organizations that had no security automation.
Having an incident response team and a tested incident response plan reduced data breach costs by an average of 54.9%, from $5.71 million when neither was in place to $3.25 million with both.