According to the latest data breach report by IBM and the Ponemon Institute, the average cost of a data breach in 2021 is US$4.24 million, a 10% rise from the average cost in 2019, which was $3.86 million.
The report by Ponemon Institute and IBM Security takes into account hundreds of cost factors from legal, regulatory, and technical activities, loss of brand equity, customer turnover, and drain on employee productivity.
Its findings are based on 537 breaches across 17 countries and 17 industries with data gathered from almost 3,500 interviews.
In this post, we discuss some of the most concerning findings of the 2021 Cost of a Data Breach Report so that your organization can avoid becoming an unfavorable statistic in 2022.
Key findings of the 2021 IBM Cost of Data Breach Report
The 17th Cost of a Data Breach Report by IBM and the Ponemon Institute had 13 key findings:
1. Average Total Data Breach Cost Increased by 10%
The average data breach cost in 2021 was $4.24 million, a 10% rise from the 2020 findings. This is the highest average cost recorded in the entire history of the IBM and Ponemon Institute report.
2. Average Breach Cost was $1.07 Million Higher Where Remote Work was a Factor
Organizations adopting some form of remote working model paid an average of $1.07 million more for data breach damages. It also took longer for remote workforces to contain breaches: on average, surveyed businesses with up to 50% of staff working remotely took at least 58 days to identify and contain data breaches.
3. The Cost of a Data Breach was the Highest in the Healthcare Industry
For 11 consecutive years, the healthcare industry has paid the most for data breaches. The average cost increased by 29.3%, from $7.13 million in 2020 to $9.23 million in 2021.
4. Lost Business Contributed 38% of Data Breach Costs
The largest contributing factor to data breach costs was lost business. This included customer turnover, additional costs for acquiring new business, and lost revenue due to system unavailability during a cyberattack.
5. Customer PII was the Most Common and Most Expensive Type of Record Lost or Stolen in a Data Breach
Customer PII was included in 44% of breaches in the IBM & Ponemon Institute study. The average cost per customer PII record was $180.
6. Compromised Credentials were the Most Common Initial Attack Vector
Compromised credentials, such as compromised business email accounts, facilitated 20% of data breaches.
The financial impact of the top 4 initial attack vectors is as follows:
- Business Email Compromise (BEC) - $5.01 million
- Phishing - $4.65 million
- Malicious insiders - $4.61 million
- Social engineering - $4.47 million
7. Average Number of Days to Identify and Contain a Breach was 287
The longer a breach remains undetected, the higher the financial impact will be. The new average of 287 days is well above the 200-day threshold the report uses as the dividing line for reduced data breach costs.
Data breaches that were identified and contained within 200 days had an average cost of $3.61 million. Breaches that took more than 200 days to identify and contain had an average cost of $4.87 million - a difference of $1.26 million.
8. Breaches Involving at Least 50 Million Records Cost 100x More
Mega breaches involving the compromise of at least 50 million records cost 100x more than the data breach average.
Breaches involving between 50 million and 65 million records had an average cost of $401 million in 2021, compared to $392 million in 2020.
9. Zero Trust Strategies Reduced the Average Cost of a Data Breach by $1.76 Million
Companies that implemented a zero-trust architecture paid an average of $3.28 million for a data breach. Those without a zero-trust strategy paid $1.76 million more, at $5.01 million.
10. Security AI and Automation Controls Reduced Data Breach Costs by 80%
Security AI and automation controls helped businesses detect and contain data breaches much faster. Because these tools reduce one of the largest data breach cost factors - time - their implementation had the greatest positive impact.
11. Data Breaches in Hybrid Cloud Environments Cost $1.19 Million Less than Public, Private, and On-Premise Cloud Models
Hybrid cloud environment data breaches cost an average of $3.61 million, 23% less than other forms of cloud environments.
12. Organizations with High Compliance Failures Paid an Average of $2.3 Million More for Data Breaches
Both system complexity and degree of compliance failures contributed to the higher cost of data breaches.
13. Average Cost of a Ransomware Breach was $4.62 Million
The average cost of a ransomware breach was higher than the average cost of a data breach: $4.62 million vs. $4.24 million.
What was the Biggest Contributor to Data Breach Costs?
Time was found to be the biggest contributor to data breach costs. This makes sense: the longer a breach remains undetected, the more sensitive data can be exfiltrated by cybercriminals.
The negative financial impact of delayed remediation further compounds when business is lost due to system outages and customer turnover.
How Long Do Data Breaches Impact Organizations?
Data breach costs accrue over several years. The Cost of a Data Breach study found that, on average, 53% of data breach costs were incurred in the first year, 31% in the second year, and 16% more than two years after the event.
Organizations in highly regulated industries, such as healthcare and financial services, suffered the worst long-tail costs, with the cost of a breach rising in the second and third years compared to less-regulated industries.
Organizations in high data protection regulatory environments incurred 47% of breach costs in the first year, 33% in the second year, and 20% more than two years after a breach.
This is likely driven by new regulatory fines and the introduction of breach notification laws like GDPR.
How Long was the Average Breach Lifecycle?
A breach lifecycle is the time between a data breach occurring and its containment.
In 2019, it took an average of 206 days to identify a breach and 73 days to contain it, amounting to a 279-day breach lifecycle.
In 2021, the average time to identify a breach is 212 days and the average time to contain it is 75 days, totaling a 287-day breach lifecycle.
The key thing to understand is that the faster a data breach is identified and contained, the lower the damage costs.
Lifecycles less than 200 days were on average $1.26 million less costly than breaches with lifecycles greater than 200 days ($3.61 million vs $4.87 million).
What was the Most Common and Expensive Cause of Breaches?
The annual Cost of a Data Breach Report found that the most common initial attack vector was compromised credentials, followed by phishing, cloud misconfigurations, and vulnerabilities in third-party software.
The top 5 most expensive data breach attack vectors in 2021 are:
- Business email compromise - $5.01 million
- Phishing - $4.65 million
- Malicious insiders - $4.61 million
- Social engineering criminal attacks - $4.47 million
- Vulnerabilities in third-party software - $4.33 million
How Much Did Breaches Caused by Human Errors and System Glitches Cost?
Data leaks likely account for a majority of the breaches studied in this report, since the most common initial attack vector in 2021 was compromised credentials. Data leaks often involve user credentials, and these inadvertent exposures are frequently caused by human error.
Human error is also the primary facilitator of phishing and social engineering attacks. Because of this broad attribution, the cost of a data breach caused by human error can be loosely estimated by averaging the cost across all four of these breach types - business email compromise, credential compromise, phishing, and social engineering.
This amounts to $4.63 million.
Are Small Businesses Affected by Data Breaches?
In 2021, organizations with 500 to 1,000 employees had the smallest average data breach cost, at $2.63 million.
Surprisingly, organizations with up to 500 employees had a higher average data breach cost of $2.98 million.
The highest average data breach costs were linked to businesses with 10,000 to 25,000 employees, totaling $5.52 million.
What are the Biggest Cost Amplifiers of Data Breaches?
The largest data breach cost amplifiers were:
- Compromise of over 50 million records - increased data breach costs by 100x.
- Lack of digital transformation changes in response to COVID-19 - increased data breach costs by $750,000 above the average.
- Remote work models - increased the breach lifecycle by up to 58 days.
- Lack of security automation - forfeited potential data breach cost reductions of 80%.
What Reduces the Cost of a Data Breach?
Extensive use of encryption, data loss prevention, threat intelligence sharing, and DevSecOps were all associated with a lower average data breach cost.
Among these, encryption had the largest positive impact. Organizations using high-standard encryption (at least AES-256) had an average breach cost of $3.62 million.
Organizations using low-standard encryption or no encryption at all had an average data breach cost of $4.87 million.
What is the Impact of an Incident Response Team and Testing?
Organizations that were able to respond effectively after a data breach and followed a well-rehearsed incident response plan were able to lower the average cost of a data breach by $1.83 million ($5.71 million vs $3.88 million).
Do Automated Security Processes Reduce Data Breach Costs?
Organizations with security automation technologies reduced data breach costs by up to 80%. Organizations that did not deploy security automation technology paid an average of $6.71 million for a data breach, compared to $2.90 million for organizations that implemented such solutions.
It is becoming more costly not to use automation: the average data breach cost for organizations with no automation tools rose from $5.16 million in 2019 to $6.71 million in 2021.
What is the Average Cost of a Data Breach by Country?
Data breaches in the United States continue to be vastly more expensive than in other countries, with an average total cost of $9.05 million (more than double the global average). This cost has increased by 255% over the last 15 years, up from $3.54 million in 2006.
The Middle East is the second most expensive region for data breaches, averaging $6.93 million in 2021, compared to $6.52 million in 2020.
Canada ranks third, with an average data breach cost of $5.40 million in 2021, compared to $4.50 million in 2020.
Which Industry has the Highest Data Breach Cost?
Healthcare, for the 11th year in a row, continues to have the highest data breach cost, at $9.23 million in 2021. This is a 29.5% increase from 2020, when the average was $7.13 million.
What are the Odds of Experiencing a Data Breach?
The chance of experiencing a data breach was 29.6 percent in 2019, an increase from 27.9 percent in 2018.
Over six years, the likelihood of a data breach within two years grew by 7 percentage points, a 31 percent increase in the odds of experiencing a breach within two years.
In other words, your organization is nearly one-third more likely to experience a breach within two years than it was in 2014.
UpGuard Can Prevent Data Breaches and Shut Down Data Leaks
UpGuard prevents data breaches by detecting and remediating vulnerabilities across the attack surface before they're discovered by cybercriminals.
This attack surface monitoring engine extends to the entire third-party landscape, shutting down data leaks before they develop into costly third-party breaches and supply chain attacks.