What Does a Data Breach Cost?
Ponemon Institute's annual Cost of a Data Breach report tracks how industry data breach costs have changed over time.
How much does a data breach truly cost? When it comes to picking up the pieces post-attack, the numbers continue to vary, especially industry by industry.
According to the Ponemon Institute’s Cost of a Data Breach Report, an annual compendium of data breach trends that over the years has become a barometer of sorts for the information security industry, in 2020, data breaches on average cost $3.86 million.
While the average cost is down a tick (1.5%) from Ponemon's 2019 figure, $3.92 million, the report’s highest cost - the average cost of a data breach in the United States in 2020 - $8.64 million, is higher than 2019's figure, $8.19 million.
Ponemon and IBM, which has sponsored the report for the last five years, suggest that despite the dip, organizations who lacked security automation and incident response mechanisms experienced a higher cost of remediation.
Worldwide, the cost of a breach, is largely going up. In the Middle East, which was the second costliest region last year (a breach cost $5.97 million there) a breach this year would cost $6.52 million. Canada and Japan – third and fifth on the list respectively – saw their average costs go up too.
The full report, which spans 82 pages, digs into the numbers further.
For the 10th year in a row, healthcare organizations have had the highest costs associated with a data breach. This year IBM claims on average that a healthcare breach costs an organization $7.1M, up a hair from last year's cost ($6.45M). The second costliest industry, the energy industry, cost firms $6.39 million on average.
Only three industries saw an increase in the total cost of a breach: Healthcare - a 10.5% increase, energy - a 14.1% increase, and the retail industry, which saw a 9.2% uptick.
As Ponemon points out, industries with higher regulatory bars had higher data breach costs this year. The more damaging the data breach, the more likely an organization is to lose business, which could explain why the healthcare, energy, financial, and pharmaceutical industries were some of the the hardest hit.
Like previous reports, this year's boils down responses from individuals who experienced a data breach incident at their organization. 3,200 individuals from 524 breached organizations across 17 countries/regions, and 17 different industries were interviewed this year.
This year's report, for the first time, breaks down records breached, by customer personally identifiable information, employee PII, and intellectual property.
More often than not, the breaches involved organizations' personally identifiable information. According to the report, 80 percent of the organizations that were breached said customer PII was breached; that breached data cost businesses $150 per compromised record and even more ($175) when that data was breached via a malicious attack.
Less breaches involved intellectual property (32%) anonymous customer data (24%) and employee PII (21%).
The report doesn't just drill into the cost of breaches, it looks at mitigating factors, the time to identify and contain breaches, and other security best practices.
The amount of time it’s taken organizations to identify and contain data breaches unfortunately hasn't changed much. This year, it took companies on average 207 days to identify and 73 days to contain a breach - a total of 280 days. Last year, organizations said it took them 279 days to identify and contain a breach.
Respondents claimed having incident response testing, red team testing, threat intel sharing, and data loss prevention proved to be cost mitigating factors. Being sloppy when it came to meeting compliance, a lack of qualified cybersecurity personnel, and overly complex security systems proved to be cost amplifying factors, at least according to respondents.
The report builds on a finding last year: That having an incident response team and an incident response plan can go a long way when it comes to saving an organization money. Last year the report said having both in place could save a firm $1.23 million per breach. This year, it suggests that having both in place could save an organization $2 million; $5.29 million without either vs. $3.29 million with both.
Deploying security automation technologies can help too; organizations without security automation experienced a higher cost, by $3.58 million, than those with automation deployed.
Unlike many reports coming out as of late, the Cost of a Data Breach gives us a slight idea of how COVID-19 has affected organizations. This report spans from August 2019 to April 2020, meaning it covers about two months of the ongoing coronavirus pandemic.
Of those asked, 70 percent said that having workers work remotely would increase the cost of a data breach; 76% said it would make it take longer to identity and contain a data breach. It's possible not a large enough population was polled however as only 54% of those surveyed said they were requiring remote work in response to COVID-19.
Regardless, of those whose workspaces went virtual, 70 percent said it would likely increase the cost of a potential data breach.