IBM Security has found in its annual Cost of a Data Breach report that cyber breaches are costing companies globally $4.24 million per incident on average – the highest cost in the 17-year history of the report.
This comes amidst a backdrop where businesses were forced to quickly adapt their technology approaches last year, with many companies encouraging or requiring employees to work from home, and 60% of organisations moving further into cloud-based activities during the pandemic.
Analysing data breaches experienced by over 500 global organisations, the study, conducted by Ponemon Institute and sponsored by IBM Security, reveals that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year.
The study also identified three trends that have driven up the costs of breaches:
- Remote work impact: The rapid shift to remote operations during the pandemic appears to have led to more expensive data breaches. Breaches cost over $1 million more on average when remote work was indicated as a factor in the event, compared to those in this group without this factor ($4.96 million vs. $3.89 million).
- Healthcare breach costs surged: Industries that faced huge operational changes during the pandemic (healthcare, retail, hospitality, and consumer manufacturing/distribution) also experienced a substantial increase in data breach costs year over year. Healthcare breaches cost the most by far, at $9.23 million per incident – a $2 million increase over the previous year.
- Modern approaches reduced costs: The adoption of AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools.
Higher breach costs now another added expense
"Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic," said Chris McCurdy, Vice President and General Manager, IBM Security.
"While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero trust approach – which may pay off in reducing the cost of these incidents further down the line."
“What caught my eye was the increase in the length of time it took to identify and contain a breach which increased by a week from the 2020 analysis to 287 days”, said Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Centre, commenting on the study.
“Arguably, the COVID-influenced remote work environment we saw for much of 2020 shouldn’t have a large impact on breach identification and containment, but that wasn’t the case. Organisations who adopted more than 50% remote work saw an increase of 46 days to identify and 12 days to contain a breach.”
Mackey said that with a remote workforce, normal IT defences are stretched to include the remote work environment, which is fundamentally an unmanaged environment. “It isn’t surprising to find that compromised credentials, phishing and social engineering resulted in times to identify and contain a breach that exceeded the baseline of 287 days.
“This situation might cause some business leaders to focus their cyber defence efforts on the people side of the security equation, but the telling stat relates to how long it took to identify and contain a breach associated with third-party software,” said Mackey.