A global study on the financial impact of data breaches revealed this week that cyber incidents cost companies $3.86 million per breach on average, and that compromised employee accounts were the most expensive root cause.
Based on in-depth analysis of data breaches suffered by over 500 organizations worldwide, IBM researchers found that 80% of these incidents resulted in exposure of customers' personally identifiable information (PII). Out of all types of data exposed in data breaches, customer PII was also the costliest to businesses studied.
Conducted by the Ponemon Institute, the 2020 Cost of a Data Breach Report is based on in-depth interviews with more than 3,200 security professionals in organizations that suffered at least one data breach between August 2019 and April 2020.
In a key finding, stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach, representing around 40% of incidents. Malicious actors exposed a whopping 8.5 billion records in 2019.
State-sponsored threat actors were the most damaging type of adversary in the past 12 months.
“The highly tactical nature, longevity and stealth maneuvers of state-backed attacks, as well as the high value data targeted, often result in a more extensive compromise of victim environments, increasing breach costs to an average of $4.43 million,” according to the report.
The data also highlights a growing difference in breach costs between businesses implementing advanced security technologies and those lagging. Studied companies with fully deployed security automation (AI, analytics and automated orchestration to identify and respond to security events) saved $3.58 million compared to those that have yet to deploy these technologies. If in 2018 this cost gap was $1.55 million, this year it’s $2 million.
Other key findings include:
- Paying a Premium for Compromised Credentials: In incidents where attackers accessed corporate networks using stolen or compromised credentials, studied businesses saw nearly $1 million higher data breach costs than the global average – reaching $4.77 million per breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.
- Mega Breach Costs Soar by the Millions: Breaches with over 50 million records compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost studied companies $364 million on average, an increase of $19 million from 2019.
- Remote Work Risk Will Have a Cost: With hybrid work models creating less controlled environments, the report found that 70% of companies studied that adopted telework amid the pandemic expect it will exacerbate data breach costs.
- CISOs Faulted for Breaches, Despite Limited Decision-Making Power: Forty-six percent of respondents said the CISO/CSO is ultimately responsible for the breach, despite only 27% stating the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 cost savings versus the average cost of a breach.
- Most Cyber Insured Businesses Use Claims for Third-Party Fees: The report found that breaches at studied organizations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million. In fact, of these organizations that used their cyber insurance, 51% applied it to cover third-party consulting fees and legal services, while 36% used it for victim restitution costs. Only 10% used claims to cover the cost of ransomware or extortion.
- Regional & Industry Insights: While studied companies in the U.S. continued to experience the highest data breach costs in the world, at $8.64 million on average, those in Scandinavia suffered the biggest year over year increase in breach costs, at nearly 13%. Responding healthcare companies continued to incur the highest average breach costs at $7.13 million — an over 10% increase from the 2019 study.
A separate IBM study found that over half of surveyed employees new to working from home have not been given adequate guidelines on how to handle customer PII, despite the changing risk models associated with this shift.