Data breaches have been growing in numbers and scale, taking longer to detect and contain. The average total cost of a data breach is at its highest of 17 years, at $4.24 million. The year over year increase of 10% is the largest single year cost increase recorded in the last 7 years.

IBM and the Ponemon institute have been analyzing the real cost of data breaches for over a decade now. Each year, we drill down to a large variety of cost factors and long-term effects of breaches. During 2020, a year in which the world was thrown into a global pandemic, data breach costs increased considerably. Part of the rise in costs was due to the pandemic’s effects on how quickly organizations detect and respond to cyberattacks.

Remote working and digital transformation were rushed by necessity during the pandemic. With security lagging behind, that increased the cost of a data breach. Organizations that pointed at remote work as a factor in causing the breach saw breach costs that averaged $1.07 million more than where remote work was not identified as a factor. That’s 24.2% higher than the average we saw across all breaches analyzed.

Remote work also had effects on the time it took to identify a breach and contain it. Companies that had more than 50% of the work taking place remotely experienced a longer than average time to identify and contain a data breach. The result was a 16.6% increase in breach costs compared with organizations that did not work remotely to the same extent.

Download the Report

The pandemic is not over yet

The picture that’s painted by the pandemic is one of impact to the people and technologies that sustain businesses. The rise in breach costs speaks to the impact security teams sustain as remote work and cloud deployments continue to grow. And the pandemic is far from over. As new waves of virus variants lead to lockdowns and quarantines, remote work is here to stay. This evolving situation demands that we look at new ways to protect technological backbones and support the people who enable business continuity.

To respond to the need, organizations are modernizing infrastructure rapidly and scaling in the cloud, but that can cause most to scramble to have their security program follow. All too often security sees new demands appear without any extra investment or more staff.

Complexity is a costly fault

As pandemic style work persists, moving more work to the cloud is resulting in more complexity than most organizations could handle. We know that infrastructure complexity is one of the worst enemies of securing it. Unfortunately, with forced rapid change, most organizations continue to see their infrastructure grow in complexity over time. When it comes to data breaches, that complexity proves to be costly on more than one front. System complexity and compliance failures were top factors amplifying data breach costs. Organizations with higher levels of system complexity piled on an average of an extra $2.15 million than those that worked with low levels of complexity.

Compliance failures augment costs

Another cost multiplier came from the compliance department, where failures are a troubling factor that also increases breach costs. Although compliance is a more structured process and one that is under constant scrutiny, nowadays it is also more complex than ever. With third-party risk that rises over time, compliance failures are more frequent and costly. Within the context of a data breach, compliance failures are associated with average breach costs $2.3 million higher than where they were absent.

Mitigating breach costs stems from better security

Organizations dread finding themselves in the throes of a major breach, and breach costs are the easier part of what must be dealt with. But there are proven ways that can help mitigate both risk and breach costs. Having spoken to organizations that experienced a breach provided insight into what worked best for them. Security automation and the use of AI have been the top factors that decreased time to identify and contain breaches, and lowered the total cost of a breach.

Security automation and AI

With security teams often stretched thin and new talent harder to recruit, automation is critical to any organization. A definite highlight of the report is that more organizations are increasing their use of artificial intelligence (AI) and security automation. The share of organizations with fully or partially deployed security AI/automation rose from 59% in 2020 to 65% in 2021, continuing an upward trend from previous years.

Automation also helped save time and money in case of a breach. By the numbers, organizations that fully deployed security automation saw an average breach cost that was nearly 80% lower than those that did not deploy automation. Organizations that forewent security AI/automation saw breach costs of $6.71 million on average – 58% higher than the average across all breaches.

Opening up to innovation in the security department paid dividends and using an AI platform was a top cost mitigator. Those who extended the use of AI saved $1.49 million or 36.8% on average when compared with companies that used it to a lesser extent.

The cost difference of $3.81 million represents the largest cost differential in the study.

Zero trust – Big win

With stolen passwords and compromised devices abound, trusting authenticated users is harder than ever. To that effect, the most common initial access vector in 2021 was the use of compromised credentials. Responsible for 20% of breaches, when stolen credentials were used, attacks cost organizations an average of $4.37 million.

Using zero trust approaches and architectures significantly reduced the average cost of a data breach. While only 35% of companies interviewed used zero trust, most were either midway or in a mature stage. In terms of costs, zero trust maturity paid off most. A difference of $1.76M, or 42.3% was noted between mature zero trust organizations and organizations that did not start on that path. Moreover, organizations that did not apply a zero trust approach paid 19% more in breach costs for an average of $5.04 million.

Zero trust has been especially effective with a mass migration of users to the cloud. It is an effective way to support privacy, mitigate insider threats, and work across hybrid clouds and edge devices.

Hybrid clouds limit blast radius and costs

The accelerated move to the cloud during the pandemic year impacted breach costs in a few ways:

  • Remote working resulted in delayed detection and containment, which raised breach costs
  • Extensive cloud migration resulted in higher breach costs
  • Maturity level counted, and the more mature companies paid less in case of a breach
  • Breach costs were lowest in hybrid cloud deployments

Those who migrated extensively to the cloud saw higher breach costs, averaging $5.12 million, compared to $3.46 million for organizations with low levels of cloud migration. The difference of $1.66 million represents 38.7%.

How did hybrid clouds help reduce costs? It is possible that in being inherently separate, it’s about not putting all the eggs in one basket. Likely by limiting blast radius, hybrid clouds hindered attackers’ ability to reach additional troves of data. Data breaches in hybrid cloud environments cost $1.19 million less than those affecting public clouds — a cost difference of 28.3%.

Quantifying risk, investing better, becoming more resilient

Reports like Cost of a Data Breach are the sort of benchmarks that help security leaders learn from others’ success. It provides insights and focuses on the factors that yield the best real-world results to better manage risk. Articulating information security risk, and ways to mitigate it, are a business imperative that security leaders reckon with as part of the C-Suite and with their boards. Risk quantification can help make things more tangible, and hard numbers make money sense.

Benchmark research like the Cost of a Data Breach report is a reliable reference for CISOs, risk managers and security teams. The numbers in the report can be used to infer general trends and cost averages in various industries or geographies. They can also help make better assumptions about the effectiveness of security strategies and technologies the organization may consider as part of its risk management program.

Read the full report on the Cost of a Data Breach, and get information and advice on ways that help prevent data breaches.

More from X-Force

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

You just got vectored – Using Vectored Exception Handlers (VEH) for defense evasion and process injection

10 min read - Vectored Exception Handlers (VEH) have received a lot of attention from the offensive security industry in recent years, but VEH has been used in malware for well over a decade now. VEH provides developers with an easy way to catch exceptions and modify register contexts, so naturally, they’re a ripe target for malware developers. For all the attention they’ve received, nobody had publicized a way to manually add a Vectored Exception Handler without relying on the built-in Windows APIs which…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today