Ponemon Institute’s annual Cost of a Data Breach report reveals how industry data breach costs have changed recently.
How much does a data breach really cost? After an attack, the numbers vary, especially from sector to sector.
According to the Ponemon Institute’s Cost of a Data Breach Report, an annual compendium of data breach trends that over the years has become a measure for the information security industry, data breaches cost $3.86 million on average in 2020.
Although the average cost is a little lower (1.5%) than Ponemon’s 2019 figure, $3.92 million, the report’s highest cost, the average cost of a data breach in the US in 2020 ($8.64 million), is more than 2019’s figure, $8.19 million.
Ponemon & IBM, which sponsored the report for 5 years, suggest that despite the reduction, organisations that lacked security automation & incident response mechanisms faced a higher cost to redress a breach.
Globally, breach costs are mainly increasing. In the Middle East, which was the 2nd costliest region last year (the average breach cost there was $5.97 million), a breach in 2020 would cost $6.52 million. Canada & Japan, 3rd & 5th on the list, also saw their average costs increase.
The full report, which is 82 pages, breaks the numbers down further.
For the 10th year, healthcare organisations had the biggest costs linked to a data breach. IBM claims that in 2020 a healthcare breach cost an organisation $7.1M on average, up a bit from the 2019 cost ($6.45M). Breaches in the 2nd costliest industry, energy, cost firms $6.39 million on average.
Only 3 industries saw increases in total breach cost: healthcare (a 10.5% increase), energy (a 14.1% increase), & retail (a 9.2% increase).
As Ponemon observes, industries with tougher regulations had higher data breach costs in 2020. The more damaging the data breach, the more likely an organisation would lose business. This may explain why the healthcare, energy, financial, & pharmaceutical industries were amongst the hardest hit.
As in previous reports, this year’s edition analyses responses from those who experienced a data breach incident at their organisation. In 2020, it looked at 3,200 people from 524 breached organisations across 17 countries/regions & 17 different industries.
This year’s report, for the 1st time, breaks down breached records by type: customer personally identifiable information (PII), employee PII, & intellectual property.
More often than not, breaches involved the personally identifiable information that organisations hold. The report reveals that 80% of the organisations that were breached saw customer PII compromised; that data cost businesses $150 per compromised record, & even more ($175) when it was breached via a malicious attack.
Fewer breaches involved intellectual property (32%), anonymous customer data (24%) & employee PII (21%).
The report does not just examine the cost of breaches; it also looks at mitigating factors, the time to identify & contain breaches, & other security best practices.
The time organisations take to identify & contain data breaches has unfortunately not changed much. In 2020, it took companies on average 207 days to identify & 73 days to contain a breach, for a total of 280 days. In 2019, organisations said it took them 279 days to identify & contain a breach.
It was claimed that having incident response testing, red team testing, threat intel sharing, & data loss prevention proved to be ‘cost mitigating’ factors.
Being lax about meeting compliance requirements, a lack of qualified cyber-security personnel, & overly complex security systems proved to be cost-increasing factors, says the report.
Incident Response Plan
The report builds on a 2019 finding: that having an incident response team & an incident response plan can save a lot of money. In 2019 the report suggested having both could save a firm $1.23 million per breach.
In 2020, it suggests that having both could save an organisation $2 million: a breach cost $5.29 million without either, versus $3.29 million with both.
Using security automation technologies can be helpful; organisations without security automation saw costs $3.58 million higher than those with automation in use.
‘The Cost of a Data Breach’ gives some idea of how the virus has affected organisations. The report spans Aug. 2019 to April 2020, meaning it covers about 2 months of the ongoing pandemic.
Of those polled, 70% thought that having workers work remotely would increase the cost of a data breach; 76% said it would make it take longer to identify & contain a data breach.
It is possible that not enough people were polled, however, as only 54% of those spoken to replied that they were requiring remote work in response to the pandemic.
Despite those whose workspaces became virtual, 70% said it would be likely to increase the cost of a potential data breach.