Wed | Sep 1, 2021 | 1:26 PM PDT

Ask yourself: if my organization suffers a data breach as the result of a cyberattack, what will it actually cost?

Although you won't have a specific answer until you are faced with a cyber incident, in the aggregate, you can answer the question right now. 

New Ponemon Institute research reveals that the average cost of a data breach is higher than ever before. 

Key findings from Ponemon IBM Cost of a Data Breach report

To learn more about data breaches, the Ponemon Institute conducts an annual study, titled Cost of a Data Breach Report. Now in its seventeenth year, the report offers IT, risk management, and security leaders a look into factors that can increase or help mitigate the cost of data breaches.

The research in this edition studied 537 real breaches across 17 countries and regions, spanning 17 industry verticals. IBM Security co-sponsors and publishes the report.

Here are some of the most significant findings:

  • "The average total cost of a data breach increased by nearly 10% year over year, the largest single year cost increase in the last seven years."
  • "Remote working and digital transformation due to the COVID-19 pandemic increased the average total cost of a data breach."
  • "Healthcare organizations experienced the highest average cost of a data breach, for the eleventh year in a row."
  • "Lost business represented the largest share of breach costs, at an average total cost of $1.59 million."
  • "Customer personally identifiable information (PII) was the most common type of record lost, included in 44% of breaches."
  • "Compromised credentials was the most common initial attack vector, responsible for 20% of breaches."
  • "A zero trust approach helped reduce the average cost of a data breach."
  • "Security AI and automation had the biggest positive cost impact."
  • "Hybrid cloud had the lowest average total cost of a data breach, compared to public, private and on premise cloud models."
  • "System complexity and compliance failures were top factors amplifying data breach costs."

The report includes a chart that breaks the average total cost of a data breach down by industry; across all industries, the average total cost is now $4.24 million per breach.

Most common data breach vectors and data breach costs

To help security professionals better understand where breaches are coming from, the study looks into the prevalence and cost of initial attack vectors, as well as other contributing factors to data breaches.

In 2021, the most common initial attack vector was compromised credentials (20% of attacks), followed by phishing (17%) and cloud misconfiguration (15%). While these were the three most common, they were not the most expensive.

The initial attack vector that resulted in the highest average breach cost was Business Email Compromise ($5.01 million), then phishing ($4.65 million), followed by malicious insider threat ($4.61 million).

Ponemon report: breach to detection and remediation times

Dr. Larry Ponemon and his team found another key factor that plays into the cost of a data breach. It is the lifecycle of the cyber incident, which is the time elapsed from first detection to complete containment.

The average time to identify a breach in 2021 was 212 days, with an additional 75 days to contain. That's 287 total days, on average, for the lifecycle of a data breach.

The shorter the lifecycle, the smaller the cost to your organization. Data breaches with a lifecycle of more than 200 days had an average cost of $4.87 million, compared to $3.61 million when under 200 days. That is quite a difference.

One other significant contributor to the cost of data breaches is regulatory compliance failures:

"Out of a selection of 25 cost factors that either amplify or mitigate data breach costs, compliance failures was the top cost amplifying factor."

Organizations categorized with a "high level compliance failures"—meaning there were fines, penalties, lawsuits, etc.—had an average cost of $5.65 million, while those with low level failures had an average cost of $3.35 million, a difference of 51%.

Ponemon: mitigation strategies impact data breach costs

With the cost of data breaches reaching an all-time high this year, it's important to look at some factors that have successfully mitigated the risk.

According to the Ponemon IBM report, there are three ways in which organizations are successfully mitigating both the risk and the cost of data breaches: adopting Zero Trust, implementing security AI and automation, and choosing a cloud model.

Let's take a look at Zero Trust implementation: only 20% of organizations report that they have fully deployed Zero Trust; however, the impact for that small group shows. The report breaks the average total cost of a breach down by the state of Zero Trust deployment.


While the impact of Zero Trust is clear, it is not the largest contributing factor to the cost of data breaches:

"The biggest cost savings in the study was to organizations with high levels of security AI and automation."

Organizations that had not deployed any level of security AI and automation had an average breach cost of $6.71 million, while those with fully deployed automation had an average cost of $2.9 million, a difference of 84%.

Cloud migration and model also had a significant impact on the cost of data breaches. For example, those with a hybrid cloud model reported the lowest average total cost of a data breach versus other cloud usage models.

There is much more information in the full report, including the impact of the pandemic and remote work, as well as recommended security mitigations for organizations.
