The average cost of a data breach in 2020 was $3.86 million, according to the Cost of a Data Breach Report, a study of breaches at 500-plus organizations, conducted by the Ponemon Institute and published by IBM Security. Yet the average cost could go much higher, or lower, depending on a wide range of cost factors studied in this year’s report.
On this week’s Security Intelligence podcast, Charles DeBeck, a cyber threat intelligence expert with IBM X‑Force IRIS, returns to the podcast to dig into the findings of the 2020 Cost of a Data Breach Report. The conversation covered lots of ground, including major risk factors, the cost of “mega breaches,” costs associated with malicious threat vectors and threat actors including nation states. And he dives into the good news in the report, that security automation and incident response readiness proved especially effective at mitigating data breach costs.
Reducing the Dwell Time of a Data Breach
The average time to identify and contain a breach (its dwell time or “lifecycle”) was 280 days, according to the 2020 study. The lifecycle of a breach factors heavily into the overall cost.
For example, malicious breaches, and in particular breaches carried out by nation state actors, were more expensive than an average breach. DeBeck posits that it may take longer to identify a nation state-based breach or remediate in its wake, with this longer lifecycle driving up costs. Not only that, but sophisticated nation state actors tend to target highly complex environments, which can be more expensive to rebuild.
The global pandemic is another potential driver of longer lifecycles and therefore higher costs. The majority of organizations surveyed for the report expected that “remote work will negatively impact their data breach response capabilities.”
DeBeck underscores, “If you can shorten that lifecycle of a data breach, you can save a lot of money.”
Cost Savers Before and After a Data Breach
DeBeck stresses the importance of security automation for reducing the cost of a data breach. “Security automation helps organizations detect breaches faster and respond to breaches more effectively,” DeBeck says. According to the report, organizations with fully deployed security automation solutions reduced the lifecycle of a breach by an average of 74 days.
Incident response planning and testing also saved costs for organizations. On average, having a well-tested plan and incident response team in place reduced the cost of a breach by $2 million compared to organizations with neither an incident response team nor a tested incident response plan.
This is something DeBeck finds heartening. “What this suggests to me is that the things that we’re recommending actually, in fact, work,” he says, “which is really exciting.”
Tune in to the conversation and see the episode transcript below for more highlights. Dive further into the complete findings by downloading the 2020 Cost of a Data Breach Report.
MOULTON: Pam, it’s that time of year again: it’s the cost of the data breach time.
COBB: It’s the best time of the year. It is. In fact, the new report came out July 29th, 2020, just what we all need in our work from home reading.
So, we have a lot to get into in terms of what’s new in the report this year. And we’re so lucky to have Charles DeBeck, a friend of the pod, back with us, this time to talk about data breaches in addition to some of the topics that he’s covered earlier. And there’s a little bit of a tie back; if you listen closely, you may want to revisit our episode on destructive malware earlier in the feed.
But it was really intriguing to see, you know, the impact of the different types of attack vectors and the impact that they have on the ability to recover from a data breach and the speed at which one can do that.
MOULTON: Pam, that doesn’t surprise me; and in fact, while this report looks back at some of the 2019 and early 2020 data, you were still seeing that the areas of malware, destructive malware, are the types of things that attackers are using. Just recently hearing that from our IRIS team again reiterating that this continues to be an area that we need to focus on and be able to act on faster.
COBB: Absolutely. This is the Security Intelligence podcast where we discuss cybersecurity industry analysis, tips and success stories. I’m Pam Cobb.
MOULTON: And I’m David Moulton.
COBB: I’ll turn it over to Charles to share the other insights from the report. Here’s our conversation.
Well, I am delighted to welcome back to the podcast Charles DeBeck. So, Charles, for those that maybe haven’t listened to your voice on our podcast in a while, could you please reintroduce yourself?
DEBECK: Of course. My name is Charles DeBeck. I’m a cyber crime intelligence expert with IBM X‑Force IRIS, and very glad to be here today. Thanks for having me.
COBB: We’re going to take a look at the newest version of our annual report, the Cost of a Data Breach Report, which is done by the Ponemon Institute. Can you tell us a little bit about the kinds of insights that you can get out of this report?
DEBECK: Absolutely. So, I love this report. I think it’s a really interesting report that IBM sponsors through the Ponemon Institute. And what it is, is it’s looking at how much does a data breach cost an organization on average. And it really dives deep into a lot of different, interesting elements of how we can assess the cost of a data breach and how we can help mitigate some of those expenses.
Just to give you a sort of a high‑level overview of the methodology, the report itself actually looks at 524 different breaches across 17 different geographies across 17 different industries. So, there’s a really wide aperture of collection here in terms of data breach information.
COBB: Can you tell us some of the findings from this report? What’s new?
DEBECK: There’s actually a lot of new components to this year’s report compared to last year. What we really did this year was focus on digging deeper into the data and trying to get more granularity into some of the data types that we already had.
So, instead of just providing average cost for lost record, this year, we also looked at the cost by different types of data being lost. So, for example, how much of the cost was associated with customer PII being lost versus a different type of data.
Additionally, we looked at some of the root causes of data breaches, saying, was it malicious? Was it human error? Was it system error? And we looked a little bit deeper at the different kinds of malicious breaches that we observed in different data breach events.
And we also tried to find new cost factors; you know, is remote work affecting the cost of a data breach? Does red team testing help with the cost of data breach; or, do security skills shortages impact the cost of a data breach? We also looked at comparing ransomware and destructive breaches versus more standard traditional data breaches to see which of those are more expensive.
So, really, this year’s report is cool because I think it really dives into the granular detail of some of the elements that we’ve seen in previous years’ reports but tries to get even more information pulled out of it so you can really dig deep and figure out for your organization what’s going to be most effective and what’s most at risk.
COBB: Awesome. So, the million dollar question every time this report comes out: key findings. Did the cost of a data breach increase or decrease over last year?
DEBECK: The cost of a data breach on average went down to 3.86. However, what was really interesting to me was that even though that cost on average declined, the reason it declined was because we observed a growing divide between organizations that were well prepared and organizations that weren’t.
So, we saw that there was a wider variance in the data. So, if you weren’t prepared for a data breach, your cost was significantly higher. But if you were well prepared for a data breach, then the cost for you was significantly lower, which dragged the overall average down. But again, it was because of this variance that we saw this really interesting outcome.
We also saw one of the key findings for this year was that security automation was a key component for effective defense against a data breach. It significantly reduced the lifecycle of a breach, going down by 74 days.
And as we’ve said on previous reports and as well as in this one, longer breach cycles in general increase the cost of a data breach overall — so, the longer it takes to identify and respond to a breach, the more it’s going to cost your organization. And security automation reduced the time it took pretty significantly — almost 25 percent — compared to not having effective security automation implemented.
One thing I thought was interesting from our findings was that lost business continues to be the largest cost factor overall for organizations. And this is, again, going back to that sort of reputational harm as well as lost customers as a result of people just not trusting the business any longer.
This is sort of a tough one to gauge in any other way except for this report. There’s not a lot of great ways to figure out how much lost business constitutes for a data breach cost, but this report really dives deep into that fact. And we found it to be that lost business was, in fact, a major contributor.
Another key finding I wanted to address was that the leading breach causes this year were credential compromise and cloud misconfiguration. And credential compromise is one that we’ve seen over and over again, but it continues to be a major issue.
But cloud misconfiguration I thought, was a little bit different because we haven’t seen it play this significant of a role in data breaches as we have this year. We actually saw credential compromise and cloud misconfiguration tying for the top spot.
COBB: So, you talked about lost business as one of the costs. I actually wanted to take a step back and understand, when we say cost of a data breach, what costs go into that?
DEBECK: That’s a great question, Pam. One thing that’s interesting about measuring the cost of a data breach is the report really looks into four main cost centers. Lost business is one broad cost center, and those are activities that attempt to minimize the lost customers, the business disruption. These are revenue losses as a result of the business just losing clients.
But in addition, other costs we look at include the detection escalation costs, you know, how much it costs to actually find the breach and then escalate it appropriately to get it taken care of, the notification costs that are accompanied with the data breach, notifying the data subjects, any data protection regulators as well as other third parties that require it.
And then there’s the post-response costs, and these are costs that are activities to help the victims of a breach communicate with a company and redress activities.
So, this is something like if I have to set up a website to make it so that individuals that are impacted can notify me or can let me know about issues, then that’s a cost with an ex post response cost. It’s something that comes after the response that helps the victims of the data breach in some way.
COBB: So, let’s touch on a different area. At the time that we’re recording this, the COVID‑19 pandemic is still very much affecting how business gets done. Did the respondents anticipate COVID‑19 impacting their data breach and response capabilities?
DEBECK: Based on the information we gathered, a lot of organizations, 76 percent, think it will increase the time it takes to contain a breach as well as increase the overall cost of a breach. So, a vast majority of organizations think that this increase in remote work will significantly impact their ability to do data breach response.
As a cyber threat intelligence expert myself, I sort of agree with this assessment. There’s a lot of components to remote work that make incident response and data breach response more challenging for organizations that aren’t properly prepared.
And as a lot of organizations are quickly finding out in the time of COVID‑19, there’s a lot of steps that have to be taken very, very quickly to make sure that they can maintain their business functionality.
As we continue in remote capability and as remote work becomes more normalized, as organizations become more comfortable and develop response plans that are more effective for remote work, I expect that this will make it so that we can get these costs coming back down to the average again.
But I think that’s a pretty fair assessment by organizations, that there’s a very high probability that remote work will negatively impact their data breach response capabilities and that will lead to longer lifecycles and higher costs across the board.
But since the report was released during COVID‑19, we don’t have the data to really say one way or the other whether or not this is actually the case. But based off of informed opinion and based off of the opinion of a number of different organizations working in this space, everyone kind of tends to agree that they think this is probably going to be the case.
COBB: Could you talk about the kind of records that are most frequently compromised in a data breach?
DEBECK: The most commonly compromised types of records are customer PII — so, this is Personally Identifiable Information from customers and clients of organizations. In fact, 80 percent of the breaches studied included customer PII in some amount. A much smaller number also included employee PII, so, that’s personally identifiable information of the customer.
There’s an interesting question here. You know, why do we see customer PII so frequently being compromised? And I think there’s a few possible explanations here. First, customer PII is easily monetizable. It’s very easy for a threat actor to take customer PII, turn around and sell that on a dark web marketplace and make money off of it. And so, if I’m a bad guy, that’s something I’m going to go for, because anything I can do to make my life easier is good.
Additionally, a lot of different organizations have customer PII. It’s just very prevalent in a lot of different organizations, because everyone has customers and they have to store data on those customers. So, it makes it very easy for customer PII to be stolen if it’s everywhere.
Also, I found that customer PII tends to be very voluminous, there’s just a lot of it; and so, when there’s so much quantity of customer PII out in the ecosystem, it’s very easy for this type of data to be stolen.
Interestingly, incidents that involve customer PII were also some of the most expensive data breaches on average. So, when we saw customer PII being stolen, it tended to cost organizations more, which I thought was kind of interesting.
COBB: I want to zoom in a bit on the idea of malicious breaches and tie that to the cost of a data breach. I also got a chance to read the report, and one of the things that I noted was that over half of the malicious breaches were caused by financially motivated cyber attackers, which is kind of what you would expect, like well, of course, they’re financially motivated. But the ones that nation state actors were behind were the costliest. Can you tell us why that might be the case?
DEBECK: Absolutely. So, I’m going to kind of break it down into why do we see so much financially-motivated cyber attackers and also why did we see nation state actors costing more? So, in terms of why we tend to see more of the financially motivated cyber attackers, oftentimes, this is just because of a numbers game. There’s just a lot more financially-motivated actors out there in terms of there’s just a lot more criminals than there are nation state actors on average. So, seeing more of that overall makes a lot of sense.
But when we look at why nation state actors are the most expensive, here we kind of have to take some educated guesses. It’s really tough to tell, because we just don’t necessarily have that level of detail.
But based on what we know about APT actors, we know that these sort of nation state actors are very sophisticated and they are very capable actors and they often take a lot longer in their targeting and their efforts than we see for financially motivated actors who are more smash and grab type of actors.
So, a nation state actor might have a longer lifecycle. It may take longer to identify. It may take longer to remediate after a nation state-based breach. And as we said earlier, the longer that lifecycle is for a data breach, the more expensive it is for the organization; and so, that could be one reason why nation state actors were a little bit more expensive.
Additionally, nation state actors tend to target highly complex environments to steal highly complex information or just to get into highly complex organizations. So, if a nation state actor’s only breaking into complex environments, those environments are going to be more expensive to reconstitute and be more challenging to sort of fix back up again.
And as a result, that’s going to lead to a higher cost across the board on average. If they’re only going after expensive stuff, it’s going to cost more on average than financially motivated actors who will go after anything they can get their hands on.
So, there’s a lot of possible reasons as to why we see nation state actors being more expensive. But overall, I think it really comes down to the fact that on average, they are more sophisticated than your average financially motivated actor, and they’re also much more driven to really get into networks and really dive deep and cause harm in that regard.
COBB: So, were all of these breaches caused by malicious actors, then?
DEBECK: Actually, no. In reality, only about 52 percent of the breaches that were studied were caused by malicious actors, which I thought was an astonishingly low figure, because that suggests that almost half, almost 50 percent, of the overall breaches that we observed were not caused by malicious actors but just by system or human errors.
System errors accounted for 25 percent on average, human errors accounted for 23 percent on average of the total number of breaches. And this suggests to me that technical fixes and effective human training could prevent almost 50 percent of the overall data breaches that we observed over the last year which is, to me, pretty nuts.
But what is interesting, though, is when it is a malicious breach and when we do see malicious breaches taking place when there’s a malicious actor behind it, the average cost of the breach is significantly higher than the average cost for data breaches overall.
And when it is malicious, it also takes a lot longer to detect and repair the breach. The human error or system error breaches were faster at that identifying and remediating step; whereas, malicious breaches, they probably tried to hide their activity a little more effectively, making it tougher to detect and repair; and as a result, again, longer lifecycle, higher costs.
COBB: So, we’ve been talking at a pretty high level across all of business. Could you share some of the findings across different industries?
DEBECK: From an industry perspective, we saw that over the last six years, we looked at eight key industries, and healthcare remained number one year over year; the number two spot came in as energy; number three was financial services. Energy was a bit surprising, but healthcare and financial services being the most expensive industries for data breaches isn’t really that surprising to me.
When you look at healthcare, it has a lot of regulatory regimes around it that make it so data breaches are very expensive. Similarly, financial services sort of falls into the same boat. But so, there wasn’t a lot of change in the industry approach.
I think the more interesting thing that we observed was across industry, the larger variance that we noticed had to do with organizational size. If you look at the report, what we saw was that data breaches in general get more and more expensive the larger an organization is. So, you know, if you’re a very small organization, it’s one cost on average. And that cost slowly ticks up as you become a larger and larger organization up until you become a really large organization, and then the cost drops back down again.
And so, what this suggests to me is that the average data breach becomes more and more expensive as an organization grows until they reach a critical mass and start investing in their cybersecurity more effectively. And then once we see this cybersecurity investment starting to manifest itself in these larger organizations, suddenly a switch flips and the cost starts going back down again. And so that, to me, was a really interesting conclusion to see from this report that we hadn’t seen in previous years.
COBB: We’ve been talking a lot about the cost side of it, and I’d love to touch on some of the cost savers for businesses. What actions can they take to reduce their potential costs of a data breach?
DEBECK: So, the number one recommendation I have here in terms of how to make it so data breaches are less expensive to your organization is security automation. Security automation is something we’ve been recommending for a long time, and this year the numbers really came back highlighting just how critical it was.
We looked at organizations that have no security automation deployed versus organizations that have effective security automation deployed and said, what’s the difference, on average, of a data breach between these two organizations? And the difference was, to me, an unbelievable $3.58 million difference on average.
Additionally, security automation helps organizations detect breaches faster and respond to breaches more effectively and reduce the overall time it took to identify and contain a breach by 74 days. That’s almost two months of difference, so that’s a pretty significant impact. Security automation is, far and away, to me, the number one recommendation in terms of how you would help save costs for a data breach incident in your organization.
Additionally, I would look at having a trained incident response team and plan in place and having those team and plan tested on a regular basis. And this is something that I, again, have been recommending to organizations because I think it really, really helps because as we’ve said a few times here, if you can shorten that lifecycle of a data breach, you can save a lot of money.
And having a well tested plan and team in place for incident response can help significantly reduce the lifecycle of a data breach; and on average, leads to a difference in cost of about $2 million between organizations that have an incident response team and plan versus those that don’t.
Now, I should make one clarification here. These cost savers are not additive. So, what I mean here is when I say that security automation on average saved $3.58 million and incident response teams saved on average $2 million for an organization, that doesn’t mean that if you have security automation and an incident response team that you’re on average going to save $5 million; otherwise, everyone would just have security automation and an incident response team and they’d make a million bucks on average from a data breach.
What it means is that these on average make a significant difference, but they don’t add together; they just sort of combine to help make it more effective jointly.
COBB: So, the way I hear you explain that, Charles, it just makes me think of the phrase, like, you can’t stack your coupons on data breaches, like…
DEBECK: Exactly. You get some of the discounts but you can’t just add them one on top of the other.
COBB: And the things that I hear you cite in terms of cost savers, these feel like the same things that we talk about over and over again. I think back to last year’s podcast about the report, and we heard a lot of the same things.
DEBECK: Yes, and I think that’s great. Right? What this suggests to me is that the things that we’re recommending actually, in fact, work, which is really exciting. It’s fun to see this data supporting things that we’ve been talking about and essentially verifying what we said previously.
And that’s what you want to see. You want to see indications that things you’re recommending are, in fact, effective, which is exactly what this report does as well as potentially recommending new ideas that we may not have otherwise seen, which is what we’re able to do with this great data set that we have.
And one thing I think that is really great about this report is I think there will be a lot of opportunity for us to keep digging into the data and finding new nuggets and new conclusions and new assessments that we can make based on the information well into the year 2020 here as we keep diving in deeper and deeper.
COBB: So, we’ve been talking a lot about all of these cost factors and coupons and savings, and I just want to let everyone know, you can go read the report for yourself. You can find it at ibm.com/databreach, B‑R‑E‑A‑C‑H. So, as we’ve been considering all of those things, Charles, like when you read the report, is there anything in there that gives you hope?
DEBECK: I think to me, the biggest thing is we’re seeing that there’s some significant cost savings from security automation, from IR testing and planning, and that these cost savings are growing over time. So, we’re seeing these recommendations that we’ve been putting out are not only effective but they’re becoming more effective.
And that variance I talked about before where we see that there’s some organizations that are well prepared and that are significantly reducing the costs associated with their data breaches, to me, gives me hope that there is a good way and there’s a well tested way for us to get these costs down for organizations. And I think that’s great.
It also makes me hopeful that more organizations are getting better and are starting to implement these different methodologies. And so, we’re seeing that average overall coming down for the cost of a data breach. The concern on the other side is that there’s some organizations that are falling behind in this. We’re still seeing some pretty high costs for organizations that don’t have these protections in place.
But to me, the hope here, the silver lining is we have ways that we’ve shown are effective at saving costs for data breaches. We’ve been able to test these methodologies over the last year and we see that they’re working well and that they’re able to provide organizations with lower costs, faster turnaround for data breach response and more effective remediation in the short and long term. So, I think that’s a really great sign.
COBB: Well, Charles, thanks so much for joining us again on the Security Intelligence podcast. It’s been really great catching up with you.
DEBECK: Thanks so much for having me.
COBB: So, one of the things I really love about talking to Charles is a lot of just the practical information that we get out of him and his perspective. And it’s the classic story: once upon a time in cybersecurity land, user training was the most important thing a company could do to protect itself. The end. Is that a happy ending, David?
MOULTON: Well, sure. I think that the way I take it is just like exercise or anything else that’s related to health or hygiene, you know, you’ve got to keep it up; and if you don’t, you’re not going to have great results, and we’re seeing that those companies that are persistent in the fundamentals have better results.
COBB: Yes. It is staggering that for as fundamental as that is, it is still so problematic and troublesome to get right consistently.
MOULTON: That’s right. It’s never one of those things that’s easy to do. You’ve got to have that grit and discipline.
COBB: Well, that’s all we have for this episode. Thanks Charles for returning to the show yet again. To download the full Cost of a Data Breach Report, please visit ibm.com/databreach.
MOULTON: Subscribe wherever you get your podcasts. We’re on Apple podcasts, Google podcasts, SoundCloud and Spotify. Thanks for listening.