It might be tempting to blame the record-high costs of data breaches on the COVID-19 pandemic alone. But dig deeper and a more nuanced picture emerges.
Any narrative about cybersecurity in 2020 is naturally going to focus on the COVID-19 pandemic. This once-in-a-generation crisis and the digital transformation it accelerated both broadened corporate attack surfaces and directed resources and attention away from vital security projects. So, when we look at the IBM Cost of a Data Breach Report 2021 study, which found data breach costs at an all-time high, it’s tempting to blame it all on COVID-19. But it’s not the whole story.
Aside from 2020, breach costs have been on the rise for several years. Although the scale of the increase last year was exceptional, it’s clear that despite spending more than ever on security, many organizations still aren’t getting the desired results.
Data breaches in 2020
Now in its 17th year, the report provides useful insight into how well organizations are doing at finding, containing and remediating incidents – because the longer a breach goes undetected, the more it will usually cost. These costs are ascribed to four key areas:
Detection and escalation – including forensics, auditing, crisis management and communication.
Lost business – including system downtime, business disruption, lost customers and reputational damage. This accounted for the largest slice (38%) of breach costs this year.
Notification – to data subjects, regulators and outside experts.
Post-breach response – including helpdesk issues, credit monitoring for customers, issuing of new accounts/credit cards, legal costs, product discounts and regulatory fines.
In total, data breach costs rose from US$3.86 million in last year’s report to US$4.24 million this—a 10% increase. For “mega breaches” featuring between 50-65 million records, the average cost was US$401 million, a more modest 2% increase from US$392 million in 2020.
Stolen user credentials were the most common cause of breaches in the study, while customers’ personal data (including passwords and names) were the most common type of data exposed in these incidents, present in 44% of breaches. It’s not hard to see the correlation: as more users share and reuse passwords across multiple accounts, a vicious circle begins to form where breached data is used in turn to facilitate more intrusions and data heists.
The pandemic played its part
There’s absolutely no doubt that the pandemic played a major part in the large increase in breach costs from 2020-21. Insecure remote working endpoints, distracted home workers, preoccupied IT staff and unpatched or misconfigured remote working infrastructure led to an increase in breaches and may have driven up the costs of these incidents. Nearly 20% of organizations studied in the report claimed that remote work was a factor in breaches. These incidents cost US$4.96 million, almost 15% more than the average.
It’s also true that healthcare was the industry with by far the highest breach costs. These increased at an even higher rate than the average over the past year. Costs surged from an average of US$7.13m in 2020 to US$9.23m in 2021, up 29.5%. It’s no coincidence that healthcare organizations (HCOs) were among the most acutely affected by cyber-attacks during the pandemic.
The bigger picture
However, the truth is that breach costs had been on the rise since 2017, before a slight dip in 2020. Mega breach costs have also been steadily increasing for the past three years and didn’t show a major spike from 2020-21. Why? A major factor is that organizations are not getting any better at detection and response. In 2021 it took an average of 287 days to identify and contain a data breach, a whole week longer than in the previous report. This figure has also been continuously on the rise since 2017, so can’t simply be explained by the pandemic, although the explosion of remote working endpoints may have made threats harder to discover.
Put simply, the longer a threat actor is allowed to operate unchecked inside a victim network, the more damage they can do and the more time and money it will take to kick them out and remediate.
Ransomware is another contributing factor to rising breach costs, and here too the trend over recent years has been of increasing threat volumes, not only during last year. Covert lateral movement techniques using legitimate tools are driving higher success rates for the bad guys. Ransomware attacks cost an average of US$4.62 million this year, more than the average data breach.
Finally, we can look to Business Email Compromise (BEC), which accounted for more financial losses in 2020 than any other threat, according to the FBI. The average cost of a BEC attack is US$5.01 million, according to the Ponemon Institute study. Unless organizations find a better way of preventing phishing and spotting when they are being defrauded, breach costs related to BEC will continue to rise.
How to lower breach costs
There’s plenty in the report that organizations and their security bosses can use proactively to help reduce breaches and associated costs. Unsurprisingly, costs were much lower for those with a more mature security posture. But how do you get there? Here are some ideas:
Adopt a Zero Trust approach based on the principle of “never trust, always verify.” The average cost of breaches for those without Zero Trust was $5.04 million versus $3.28 million for those at a mature stage of Zero Trust deployment
Implement encryption for your most sensitive data. The average cost of a breach without encryption was US$4.87 million versus US$3.62 million with encryption.
Deploy tools to remotely monitor and secure all endpoints, including home workers
Improve education and awareness training for all employees to better spot phishing attacks
Optimize detection and response with tools like EDR
Develop and regularly test comprehensive incident response plans to react fast to breaking incidents
The pandemic has changed the way businesses operate forever and reshaped the threat landscape. To ensure breach volumes and costs don’t continue to surge over the coming years, organizations must adapt to the new reality by updating their security posture.