Data breaches are a commonplace occurrence now, and cyberattacks launched against companies have spawned a new cyber insurance industry, the emergence of regulatory and class-action lawsuits against firms that fail to protect data, and new laws – such as the EU’s GDPR – that can be used to impose heavy penalties against data controllers with lax security.
Yet, the data breaches keep rolling in, some of which lead to the theft of consumer records for sale on underground forums and an increased risk of identities being stolen.
To tackle the aftermath of a data breach, organizations may need to spend funds on repairing systems and upgrading architectures, they may need to invest in new cybersecurity services and cyber forensics, and they may also face lawsuits or regulatory penalties – and the cost continues to increase year-on-year when customer personal information is involved.
Last week, IBM released its annual Cost of a Data Breach Report, which says that the average data breach now costs $3.86 million. While this average has decreased by 1.5% in comparison to 2019, when over 50 million consumer records are involved, these “mega” breaches can cost up to $392 million to remedy, up from $388 million in 2019.
If an organization is acting as a data controller for between 40 and 50 million records, the cost, on average, is $364 million, and organizations could face a charge of up to $175 per consumer record involved in data theft or leaks.
The study, conducted by the Ponemon Institute, includes interviews with over 3,200 security professionals working at companies that have experienced a data breach in the past year.
Compromised employee and insider accounts, as highlighted by the recent Twitter hack, are one of the most expensive factors in data breaches today, bringing the average cost of a data breach up to $4.77 million. When insider accounts were involved, 80% of incidents resulted in the exposure of customer records.
In total, stolen or compromised account credentials – alongside cloud misconfigurations – account for close to 40% of security incidents.
IBM says that in one out of five breaches, compromised account credentials have been used as an entryway for attackers, leading to the exposure of over 8.5 billion records in 2019 alone. Cloud misconfigurations account for close to 20% of network breaches.
The exploit of third-party vulnerabilities, such as zero-day or unpatched security flaws in enterprise software, is also a costly factor in data breaches. An enterprise company that suffers a data breach due to such vulnerabilities can expect to pay up to $4.5 million.
State-sponsored attacks, including those conducted by advanced persistent threat (APT) groups, are far less common and only represent 13% of overall data breaches reported by enterprise companies. However, when these threat actors are involved, the damage they cause often results in higher recovery costs, represented by an average of $4.43 million.
If cyber insurance has been taken out by organizations, this can reduce the damage bill on average by $200,000, with the majority of insurance payouts used for legal services and consultancy fees.
Within the report, IBM cites AI, machine learning, and automation as valuable tools for responding to data breaches that may cut down incident response times by up to 27%.
“At a time when businesses are expanding their digital footprint at an accelerated pace, and the security industry’s talent shortage persists, teams are overwhelmed, securing more devices, systems, and data,” commented Wendi Whitmore, VP of IBM X-Force Threat Intelligence. “When it comes to businesses’ ability to mitigate the impact of a data breach, we’re beginning to see a clear advantage held by companies that have invested in automated technologies.”