According to the IBM / Ponemon 2020 Cost of a Data Breach Report, data breaches cost businesses an average of $3.86 million per incident. The report is based on 524 companies that experienced data breaches globally. Unsurprisingly, the U.S. continues to have the highest average cost per breach ($8.64 million), while Brazil has the lowest one ($1.12 million).
The cost of a data breach includes losses such as lost business, legal fees, and compensation & restitution to affected customers. Its also includes rising cyber investigation expenses and fines for compliance failures. According to the report, there are 4 main areas in that lead to this growing cost. These include:
- Detection, escalation, and investigation, incident handling, etc.
- Lost business with customers and partners
- Notification of affected parties, partners, and regulatory authorities
- Cleanup and response including the remediation of vulnerabilities that should, in retrospect, have been fixed long before the breach
These sums do not include the cost of the loss of reputation, nor do they include business lost forever as a result of loss of confidence by partners and customers, some of whom may have been significantly damaged as a result of the cybersecurity incident, or the failure of the attacked company to deliver according to contractual agreements during the incident.
Nor do these figures include the expanded costs of investigation and clean up of a distributed 'remote' workforce as has become common under COVID restrictions in 2020. In such cases this average cost rises to over $4 million US dollars the report concludes.
According to the study, the average time to identify and contain a breach is 280 days, 207 days to identify the problem and 73 days to contain it. This indicates that most organizations do not have effective 24/7 security operations monitoring or incident response capabilities, and that many incidents often go unnoticed till a regulator intercedes, by investigating a discovered breach of non-public data.
While cyber-forensic investigation is not cheap by any means, the greatest costs to businesses of a breach is lost business, the reports claims, which represents about 40% of the total average cost of a data breach. In other words, out of the average $3.86 million that a breach costs, around $1.5 million is linked to loss of revenue and customers.
Most importantly however, the report points out that security breaches directly affect the company's reputation, damaging the brand and impacting acquisition and retention of business. While some consumers may be extremely fickle chasing the best deal regardless, others may be lost forever.
Healthcare
While all industries are affected by data breaches, the costs of a healthcare breach far exceeds all other verticals. It is perhaps the combination of a rich and diverse source of data - PHI, PII and IP, found in hospitals and clinics, and the regulatory protections enforced under law that make healthcare a particularly expensive breach proposition. The healthcare industry’s breach life-cycle is also longer, averaging about 329 days compared to the overall average of 280 days. That leads to higher costs. At the same time, healthcare spends less on cybersecurity than most other industry verticals, and so is an easy target for cyber criminals and pariah nation states given its relative lack of preparedness.
“Healthcare is a highly regulated industry and faces a lot of regulatory burdens when it comes to remediation of a breach, and there are a lot of additional costs with medical records compared to other types of record.” claimed Charles Debeck, senior threat analyst at IBM X-Force IRIS.
While rising CEO Fraud or Business Email Compromise (BEC) accounted for 5% of malicious breaches, the average cost of a ransomware breach was a staggering $4.44 million. Though the average cost of a breach is relatively unchanged from 2019, IBM says the costs are getting smaller for prepared companies and much larger for those that don’t take any precautions.
"If you dig deeper into the data what we saw was an increasing divergence between organizations that took effective cybersecurity precautions versus organizations that didn't." claimed Debeck.
“This divergence has been increasing year over year; the organizations that are engaging in effective cybersecurity practices are seeing significantly reduced costs, the organizations that aren't engaging in these same practices are facing significantly higher costs” he added.
"Given the massive size of recent GDPR fines, OCR penalties, and state breach rules, most of which are not reported in time, it undoubtedly makes a lot more sense to invest in security up front, rather than to throw the dice and take a chance that it won't be you that gets hit with a cyber incident," claimed Richard Staynings, Chief Security Strategist with Cylera, a pioneer in the security of medical and HIoT devices. "The problem is, that in healthcare, most HIPAA Covered Entities have at best, only a partial appreciation of where their PHI data resides. Most don't consider the thousands of medical devices on their networks, or what data resides on each of those devices. Now that HIoT devices outnumber IT endpoints such as workstations, laptops and servers, healthcare IT and security teams are often looking in the wrong places for risks and vulnerabilities," he added.
Read the full Ponemon Report for details.