Average Cost of a Data Breach: $3.86 Million

  /     /     /  
Publicated : 23/11/2024   Category : security


Average Cost of a Data Breach: $3.86 Million


New IBM study shows that security system complexity and cloud migration can amplify breach costs.



The latest edition of IBMs annual cost-of-a data-breach study shows that security system complexity and incident response testing are two factors that have the biggest impact on the total cost of a breach.
The 2020 IBM study — conducted by the Ponemon Institute — is based on data gathered from executives at 524 organizations around the world that experienced a data breach between August 2019 and April 2020. For purposes of the study, Ponemon only considered data breaches that involved between 3,400 and 99,730 compromised records.
To calculate how much a breach might have ended costing a company, the research considered the costs associated with four process-related activities: the costs involved in detecting a breach, including investigation and forensics activities, assessment and audit; notification costs; lost business from system downtime and disruption and; legal fees and costs related to activities like providing help desk services, credit monitoring, and ID protection for victims.
The analysis showed that globally, a data breach cost companies $3.86 million per incident during the nine-month period of the study. The average breach cost in the US as usual was more than twice that, at $8.64 million on average. Healthcare organizations globally once again shelled out more on average for a data breach — $7.13 million — than organizations in any other sector.
Even though breach-related costs increased for many organizations, the global average of $3.86 million itself was marginally lower than the $3.92 million reported last year. That was because there were more organizations in the 2020 study with mature security practices, and therefore substantially lower breach costs, compared to 2019.
The
IBM/Ponemon study
showed that total data breach costs for organizations that reported having a complex security system environment was nearly $292,000 higher on average than companies that did not have the same issue. Other factors that substantially amplified the average cost of a breach included cloud migration ($267,469), security skills shortages ($257,429), and compliance failures ($255,626).
At the same time the study highlighted several other factors that can help mitigate breach costs for organizations. For instance, organizations that regularly tested their incident response plans ended up spending some $295,000 less than the global average on breach-related costs while those with a business continuity plan spent about $279,000 less. Other cost mitigating factors included red-team testing ($243,185), AI-enabled response ($259,354), and employee training ($238,019).
Charles DeBeck, strategic cyber threat analyst at IBMs X-Force IRIS incident response team, says one notable data point from the report is the difference in breach costs between those organizations that have automated their threat response capabilities, and those that have not.
Growing Cost Divide
The main takeaway I see is this growing cost divide, DeBeck says. Businesses that are investing in advanced technologies and practicing preparedness of their incident response experience significantly lower costs, while those that didnt prepare see their costs rising year over year.
In fact, average breach costs for an organization with an IR team that conducted regular tests including tabletop exercises was $3.29 million while those that did not have either spent $5.29 million.
The IBM/Ponemon study showed that the attack vector, the type of data compromised, and the length of time it took for an organization to detect a breach, all had a substantial bearing on the final breach cost.
For instance, the average breach cost was almost $1 million higher in incidents involving the use of stolen or compromised credentials to access an organizations network. One reason could be that credentials give attackers a way to remain undetected for a longer period of time, DeBeck says. As a result, the compromise may be more extensive, which would impact costs.
Attacks involving nation-state actors, which accounted for 13% of the breaches in the IBM study, were also expensive, at $4.4 million per incident.
Similarly, data breaches involving personally identifiable information cost organizations more last year than breaches involving employee data and other kinds of sensitive data. Not only was PII the most commonly breached data, it was also the most expensive, at around $150 per breached record globally and $175 per record in the US.
One likely reason is that PII often is lost in bulk, DeBeck says. Often PII is stored together, so if a threat actor breaches an organization and grabs PII, this can lead to all of the PII being lost, which can have a very high cost.
The time an organization takes to detect a breach has an impact on breach costs as well. Organizations in the IBM/Ponemon study took an average of 280 days to detect and contain a breach. When a victim was able to detect and shut down a breach in less than 200 days, total breach costs went down some $1.1 million on average.
The biggest thing we see impacting breach costs is an organizations ability to respond quickly to an attack, and a lot of this comes down to planning and preparation, Debeck says. Technology, particularly that which enables automation, can also play big role speeding response and lowering overall breach costs, he says.
Related Content:
With Data Breach Costs, Time is Money
Average Cost of a Data Breach: $116M
Security, Networking Collaboration Cuts Breach Cost
Rising Fines Will Push Breach Costs Much Higher
Register now for this years fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on
conference information
 and
to register
.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Average Cost of a Data Breach: $3.86 Million