The Ponemon Institute has recently completed the global 2020 Cost of a Data Breach report and it's time for me to recap some of the top research findings for this year. So let's jump right into the key findings of this report and dissect some of the data they have provided.
Average total cost of a data breach in the United States increased by 5.5%.
While the global average cost has gone down by 1.5%, the United States has seen a 5.5% increase with an average total cost of $8.64M - this is a $450K increase from 2019. The report states that there was large cost variance between organizations with mature security postures compared to those that lacked investments in key areas such as security automation and incident response. The global energy, healthcare and retail industries are three of seventeen industries that saw a non-trivial increase in costs between 9-14%.
PII continues to be the most frequent type of data that is targeted.
Personal information is the main target for theft, 80% of all data breaches contained PII data. PII is also the costliest type of information for many organizations with an average per record cost of $175 for malicious breaches.
COVID-19 made it more expensive to respond to security incidents.
The shift to a remote workforce due to COVID-19 increased incident response times and expected costs of a data breach by about 4%. That's a global average increase of about $137K. Organizations going through remote workforce transitions are likely to increase their risk exposure making it even more likely for attackers to succeed in stealing data.
Password theft and cloud misconfigurations are the top causes of breach.
This should not be of any surprise, but 19% of all global data breaches are the result of stolen or compromised credentials like passwords. Data breaches as a result of stolen credentials increased costs by an average of $1M. Tied with password theft, misconfigured cloud servers are responsible for another 19% of global data breaches and it increased the average cost by $500K.
40% of the cost of a data breach is lost business.
The global average loss of business as a result of a data breach is $1.52M. This includes customer turnover, lost revenue due to system downtime and damaged reputation. This is a $100K increase from the previous year.
Security automation is making a big impact to reduce costs.
Full deployment of artificial intelligence, machine learning, analytics and security orchestration solutions reduced the global average total cost by $3.58M. Organizations with full deployment incurred costs of $2.45M as compared to organizations with partial deployment ($4.11M) or those with no existing investments ($6.03M).
Very large data breaches multiply costs and are not the norm.
High profile breaches impacting many records are many times higher than the average cost. Global data breaches affecting 1M-10M records are more than 25x the average cost, which also increased by 22% since 2018. For organizations with 50M+ records, costs increased by 100x the average. Incidents impacting 50M+ records cost organizations a global average of $392M, a $19M increase over the previous year.
No surprise, but more than half of all threats are financially motivated.
53% of all data breaches were a result of cyber criminals looking to profit from the data they steal. 13% of data breaches were caused by nation-state actors and hacktivists. Nation-state cyber attacks were also the most expensive of all incidents with a global average cost of $4.43M. Try not to get yourself hacked by a foreign government, it will be expensive.
Complex systems drive up costs, incident response drive down costs.
Out of 25 cost factors that influenced the total cost of a data breach, complex security systems increased costs. In fact, complexity was the single greatest cost factor out of that list. On the flip side, incident response teams provided the highest cost savings to organizations. Investments in incident response teams and testing incident response plans through activities such as tabletop exercises reduced data breach costs by an average of $2M.
It takes 237 days to find and contain a data breach in the United States.
Speed to find and contain data breaches is critical to reduce the total cost of the incident. The global average has stayed relatively the same since 2018 at 280 days. For malicious breaches, the global average increased to 315 days. In the United States, the average time to find and contain a data breach is 237 days, 51 days focused on just containment.
Thank you for reading this article and feel free to contact me if you need assistance building or advancing your security program.