This year’s Cost of a Data Breach report, put together by IBM Security and the Ponemon Institute, has found an annual increase of 10% in the cost of a breach, with a $1.1 million gap between breaches in which remote work was a factor and those in which it was not.
This year saw the average price of a data breach rise to $4.24 million from $3.86 million in 2019-20, the largest single-year increase in the last seven years of the report.
Where remote work was a factor in the breach, the average cost was $1.07 million higher. The study also noted that companies took 58 days longer to identify and contain breaches when more than half their workforce was remote. The overall average was 287 days in total, up from 280 last year.
But while remote working has increased the risk posed by breaches, organisations which embraced the rapid digital transformation brought about by COVID-19 have reaped the benefits. According to the study, organisations which had not implemented any digital transformation changes in response to COVID-19 experienced costs $75k higher (16.6%) than the global average.
Compromised credentials were, as usual, the most common initial attack vector, and were responsible for 20% of total breaches. However, the report also noted that other vectors, while less common, could come with higher costs. While business email compromise was responsible for just 4% of breaches, the average cost of a BEC scam was over $5 million, making this attack method the most costly of all the attack vectors in the study. Phishing was the second most costly ($4.7 million), followed by malicious insiders ($4.6m), social engineering ($4.5m), and then compromised credentials ($4.4m).
Ransomware attacks, unsurprisingly, were more expensive than the total average, running up costs of $4.62 million even without including the price of the ransom itself, if paid. Wiper-style attacks which destroyed data pushed those costs up even higher, to $4.69 million.
Interestingly, given the prevalence of ransomware, the overall cost of lost business did not increase hugely year-on-year, rising to $1.59m this year from $1.52m in 2020 and $1.42m in 2019. However, at almost 40% of the average total cost, it remained the largest expense in the average data breach.
One common feature of this year’s headlines is, however, more clearly reflected in the results. Healthcare and the public sector have been hit hard by cyberattacks during the pandemic, with the average cost of a data breach in the public sector increasing by 78.7% year-on-year. In the healthcare sector, which has seen the highest costs in the study for 11 years running, costs increased by 29.5% year-on-year, from $7.13 million in 2020 to $9.23 million this year. The high cost is in part due to the highly sensitive nature of healthcare information and to sector-specific regulation, but attacks such as those on the Irish healthcare system and the Waikato district health board in New Zealand show that, despite promises in early 2020, cybercriminals are very deliberately targeting hospitals and healthcare.
While the overall trend shown is that breaches are getting bigger and more expensive each year, the report isn’t all doom and gloom – it also offers some insights into the measures which can help organisations mitigate the damage.
According to the study, the deployment of measures such as security AI and automation, cloud security and zero trust all reduced the total cost of a breach. The biggest differentiator was AI: organisations using automation and artificial intelligence in their security tool stack had an average breach cost of $2.9 million, compared with an average of $6.71 million at organisations which were not using security AI and automation – a difference of $3.81 million, or nearly 80%.
For organisations in the mature stages of zero trust deployment, the average cost of a breach was $3.28 million, compared to $5.04 million for those without zero trust – a difference of $1.76 million. And organisations using hybrid cloud environments experienced lower breach costs than those using public, private or on-prem cloud models. There was a difference of $1.19 million between organisations using hybrid versus public cloud.
Only 35% of organisations surveyed had implemented zero trust, and 65% were using AI or security automation. For those hoping to reduce the cost of a breach, or at least to slow the increase, the report advises embracing these new security technologies and models fast.