What is the cost of a data breach?

The average cost of a data breach has declined by 1.5% year-over-year, costing companies US$3.86 million per incident, according to IBM’s 2020 Cost of a Data Breach Report. The annual study analyzed data from 524 organizations that, while being based in 17 countries and regions and operating in 17 industries, have one thing in common – each of them has suffered a security breach over the past year.

For the first time this year, the study, conducted by IBM Security and the Ponemon Institute, broke down the costs per types of compromised records, which include customer personally identifiable information (PII), employee PII, and intellectual property (IP).

The analysis found that customer data was by far the most-commonly compromised type of record with 80% of breached organizations saying that customer PII was affected. “While the average cost per lost or stolen record was $146 across all data breaches, those containing customer PII cost businesses $150 per compromised record,” said the report.

However, the financial fallout also varied depending on a range of other factors. For example, if the breach was caused by a malicious attack, the cost went up to US$175. Meanwhile, if the incident impacted anonymized customer data, the average cost was US$143 but increased to US$171 if it was the result of a malicious attack.

Malicious attacks were behind most breaches (52%), with system glitches (25%) and human error (23%) coming in a distant second and third, respectively. “Alongside stolen or compromised credentials, misconfigured cloud servers tied for the most frequent initial threat vector in breaches caused by malicious attacks, at 19%,” said IBM.

RELATED READING: How much is your personal data worth on the dark web?

Lost business remains one of the costliest effects of a data breach, accounting for almost 40% of the cost and with the cost increasing from US$1.42 million last year to US$1.52 million. The figure factors in increased customer turnover, lost revenue, and the higher cost of acquiring new business due to a tarnished reputation.

The average lifecycle of a data breach was 280 days, with 207 days taking to identify the breach and an additional 73 days to contain it. These numbers remained largely unchanged on the year.

Meanwhile, there is a disparity between industries when it comes to the length of the lifecycle, also called ‘dwell time’. The healthcare sector has the longest lifecycle with 329 days, while the financial sector has ‘only’ 233 days. Out of the 17 surveyed industries, healthcare also shoulders the largest average cost with US$7.13 million per incident, maintaining its top position for the tenth year running.

It’s worth mentioning that companies that had tested an incident response (IR) preparedness plan or employ an IR team were able to save US$2 million on average compared to companies that did neither. Indeed, our own recent article offered insights into how preemptive measures can save businesses from costly headaches further down the road.

The United States remains the “leader” in data breach costs with an average cost of US$8.64 million per incident, with the Middle East following closely behind with a price tag of US$6.52 million per breach. And while most malicious breaches are carried out by financially motivated cybercriminals (53%), presumed nation-state sponsored breaches (13%) are considered to be the costliest at
an average of US$4.43 million.