On July 29, IBM announced the release of IBM Security’s Cost of a Data Breach Report 2020. The Report, whose research was conducted by the Ponemon Institute, was based on in-depth interviews with more than 3,200 security professionals at organizations that suffered a data breach during the past year.
Principal findings of the Report included the following:
- Nation-State Attacks: Data breaches believed to originate from nation-state attacks were the costliest type of data breach (relative to other categories of threat actors), averaging $4.43 million per breach in data-breach costs. Only 13 percent of malicious breaches were believed to have been carried out by nation-state actors, compared to 53 percent by financially motivated cybercriminals, 13 percent by hacktivists, and 21 percent unknown.
- Root Causes of Malicious Breaches: In incidents where attackers accessed corporate networks by using stolen or compromised credentials, businesses incurred nearly $1 million more in data-breach costs than the overall average, averaging $4.77 million per breach. The second costliest root cause of malicious breaches was exploitation of third-party vulnerabilities, averaging $4.5 million.
- Data Breach Lifecycles: The average time to identify and contain a data breach, according to the Report, “varied widely depending on industry, geography and security maturity.” Companies with data breaches had an average “lifecycle” of 280 days (i.e., 207 days to identify a breach and 73 days to contain it). Healthcare sector companies had an average lifecycle of 329 days, while financial-sector firms had a much shorter average lifecycle of 233 days. The Report noted that companies that had fully deployed security automation had an average lifecycle of 234 days, compared to companies that did not deploy security automation (averaging 308 days).
- Data Breach Costs: The average total cost of a data breach was $3.86 million, a slight decline from $3.92 million in the 2019 Cost of a Data Breach Report.
- Cost Factors: Of 25 cost factors that the report addressed, security system complexity was the most expensive, as it increased the average total cost of a breach by $292,000 (resulting in an adjusted average total cost of $4.15 million). Undergoing an extensive cloud migration at the time of the breach increased the average cost of a breach by more than $267,000 (resulting in an adjusted average cost of $4.13 million).
- Costs of Mega Breaches: Data breaches involving compromise of more than 50 million records had average costs of $392 million (a very slight increase from $388 million in the 2019 Report). Data breaches involving compromise of 40 to 50 million records had average costs of $364 million (also a slight increase from $345 million in the 2019 report).
- Smart Tech Benefits: Companies surveyed that “fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs” of those companies that did not deploy those tools ($2.45 million vs. $6.03 million, on average).
- Incident Response Preparedness: Companies that had an incident response (IR) team and tested an IR plan using tabletop exercises or simulations had an average data-breach total cost of $3.29 million, while companies that had neither an IR team nor IR testing had an average total cost of $5.29 million.
Note: By now, the cost of data breaches and the length of data-breach lifecycles should not be a surprise in any corporate sector. Information-security and compliance teams, however, should take note of the disproportionate costs of nation-state attacks, and ensure that their cybersecurity risk-assessment processes include monitoring of open-source reporting on such attacks. They should also incorporate a number of the Report’s principal findings, especially those pertaining to security automation technologies and IR preparedness, into briefing materials for senior executives and training for corporate employees.