IBM Security has announced the results of a global study examining the financial impact of data breaches, revealing that these incidents cost the companies studied $3.86 million per breach on average, and that compromised employee accounts were the most expensive root cause.
Based on analysis of data breaches experienced by more than 500 organizations worldwide, 80% of these incidents resulted in the exposure of customers' personally identifiable information (PII). Out of all types of data exposed in these breaches, customer PII was also the costliest to businesses studied.
As companies are increasingly accessing sensitive data via new remote work and cloud-based business operations, the report sheds light on the financial losses that organizations can suffer if this data is compromised.
A separate IBM study found that over half of surveyed employees new to working from home due to the pandemic have not been provided with new guidelines on how to handle customer PII, despite the changing risk models associated with this shift.
The data breach report highlighted the growing divide in breach costs between businesses implementing advanced security technologies and those lagging behind, revealing a cost-saving difference of $3.58 million for studied companies with fully deployed security automation versus those that have yet to deploy this type of technology. The cost gap has grown by $2 million, from a difference of $1.55 million in 2018.
Companies in the study with fully deployed security automation also reported a significantly shorter response time to breaches, another key factor shown to reduce breach costs in the analysis. The report found that AI, machine learning, analytics and other forms of security automation enabled companies to respond to breaches over 27% faster on average, than companies that have yet to deploy security automation—the latter of which require on average 74 additional days to identify and contain a breach.
"When it comes to businesses' ability to mitigate the impact of a data breach, we're beginning to see a clear advantage held by companies that have invested in automated technologies," said Wendi Whitmore, vice president, IBM X-Force Threat Intelligence. "At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry's talent shortage persists, teams can be overwhelmed securing more devices, systems, and data. Security automation can help resolve this burden, not only supporting a faster breach response but a more cost-efficient one as well."
Sponsored by IBM Security and conducted by the Ponemon Institute, the 2020 Cost of a Data Breach Report, key findings included the following:
- Smart Tech Slashes Breach Costs in Half: Companies studied who had fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs compared to those who didn't have these tools deployed—$2.45 million $6.03 million on average.
- Paying a Premium for Compromised Credentials: In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, studied businesses saw nearly $1 millionhigher data breach costs compared to the global average – reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.
- Mega Breach Costs Soar by the Millions: Breaches wherein over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost studied companies $364 million on average, a cost increase of $19 million compared to the 2019 report.
- Nation State Attacks—The Most Damaging Breaches: Data breaches believed to originate from nation state attacks were the costliest, compared to other threat actors examined in the report. State-sponsored attacks averaged $4.43 millionin data breach costs, surpassing both financially motivated cybercriminals and hacktivists.
According to the study, stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies in the report, representing nearly 40% of malicious incidents. With over 8.5 billion records exposed in 2019, and attackers using previously exposed emails and passwords in one out of five breaches studied, businesses should rethink their security strategy via the adoption of a zero-trust approach—reexamining how they authenticate users and the extent of access users are granted.
Similarly, companies' struggle with security complexity—a top breach cost factor—is likely contributing to cloud misconfigurations becoming a growing security challenge. The 2020 report revealed that attackers used cloud misconfigurations to breach networks nearly 20% of the time, increasing breach costs by more than half a million dollars to $4.41 million on average—making it the third most expensive initial infection vector examined in the report.Despite representing just 13% of malicious breaches studied, state-sponsored threat actors were the most damaging type of adversary according to the 2020 report, suggesting that financially motivated attacks (53%) don't necessarily translate into higher financial losses for businesses. The highly tactical nature, longevity and stealth maneuvers of state-backed attacks, as well as the high value data targeted, often result in a more extensive compromise of victim environments, increasing breach costs to an average of $4.43 million.
In fact, the respondents in the Middle East, a region that historically experiences a higher proportion of state-sponsored attacks compared to other parts of the world3, saw over 9% yearly rise in their average breach cost, incurring the second highest average breach cost ($6.52 million) amongst the 17 regions studied. Similarly, businesses studied in the energy sector, one of the most frequently targeted industries by nation states, experienced a 14% increase in breach costs year over year, averaging $6.39 million.
To download a copy of the 2020 Cost of a Data Breach Report, visit www.ibm.com/databreach.
For more information about IBM Security, go to www.ibm.com/security.