3 Biggest Factors in Data Breach Costs and How To Reduce Them

September 25, 2020

The cost of a data breach has increased slightly in the last six years on average. Costs are up 10% since 2014 to $3.86 million, according to the annual Cost of a Data Breach Report, published by IBM Security and based on research conducted by the Ponemon Institute.

Three areas in particular proved to have the biggest cost impact for organizations in the study. Take a look at steps organizations can take to mitigate data breach costs, from security automation and a well-trained incident response capability to securing cloud environments.

Behind the Numbers on Protecting Against a Data Breach

Specifically, the difference between costs for the least prepared organizations in the study and most prepared organizations — those with best practices for proactive, responsive security measures — has grown over the past few years. 

The study, based on 524 recent global data breaches, found the average cost of a data breach went down slightly since 2019. This statistic hides a key connection. Organizations that had implemented an advanced security program faced significantly lower average data breach costs. Meanwhile, those without such programs struggled with much higher average costs.

In other words, the savings for investing in cybersecurity have increased.

Here are three major factors that most affect the cost of a 2020 data breach. 

Security Automation and Incident Response Work

First, the numbers in this year’s report present compelling evidence that having effective, efficient security controls in place to protect against a data breach lowers the cost of an attack.

The report shows security automation has a massive impact on the average cost of a data breach. In this research, security automation means enabling security technologies that augment or replace what IT staff normally do. They include any security solution, such as a SIEM tool, that uses artificial intelligence, machine learning, analytics and automated orchestration.

According to the report’s findings, companies that did not deploy any form of security automation experienced much higher average breach costs and took much longer to identify and contain a breach than those with these technologies fully deployed. The average total cost of a data breach at organizations with fully deployed security automation was $2.45 million, compared with $6.03 million on average for organizations that had not deployed security automation — a difference of $3.58 million.

Incident response (IR) also remained a top cost saver, with trained and tested IR teams contributing to an average $2 million in data breach cost savings.

These benefits increased year over year. In the 2019 report, the cost difference between having no IR team or testing versus a trained and tested team was $1.23 million. The 2020 report’s finding of a $2 million difference was a whopping 63% more than 2019.

Despite these findings, many organizations still don’t have security automation fully deployed. Only one-fifth of organizations in the study had security automation fully deployed. But more and more companies are making the investment in automating their security. The number of organizations having fully deployed security automation increased from 16% in 2019 to 21% in 2020.

The percentage of companies with no security automation decreased from 48% in 2019 to 41% in 2020. Another 38% of organizations in the 2020 study said they had partially deployed security automation. This is an increase from 36% with security automation partially deployed in the 2019 study.

The vast majority of organizations can still take steps to deploy security automation in their organization. Speed up incident response time, and you might also reduce data breach costs.

Time is Still Money When it Comes to Data Breaches

Why are we seeing this increasing gap between lower cost and higher cost breaches? Time is a big factor. Data breach costs correlate to the amount of time it takes to identify and contain the breach (the data breach lifecycle). In 2020, a breach with a lifecycle of fewer than 200 days on average cost an organization only $3.21 million. But for a lifecycle greater than 200 days, the average cost jumps 30% to $4.33 million. 

If longer breaches mean higher costs, it follows that speeding up the identification would lead to lower costs. Security automation, which was associated with much lower data breach costs on average, also sped up the detection and containment of breaches. Organizations with no security automation took more than two months longer to identify and contain a breach. (They took 308 days, compared with 234 days.) 

Meanwhile, breach costs accrue over a long period of time. Losses from things like customer turnover and regulatory and legal fines can extend breach costs. Only 61% of breach costs occur in the first year on average. Therefore, organizations need to be ready to pay for data breaches for years, not months, after the event. 

This changes for highly regulated organizations in industries such as finance and healthcare. In the 2020 study, those highly regulated organizations experienced 44% of costs in the first year and 21% of the cost more than two years later. In less regulated industries, 77% of breach costs accrued in the first year. These groups felt just 8% of costs more than two years after the breach.

Cloud-Based Expertise Pays Dividends

One other trend in this year’s report shows that organizations need to be very aware of their cloud security. Cloud misconfigurations tied for the most frequent source of data breaches, accounting for 19% of the breaches caused by malicious attacks. In addition, organizations that suffered a data breach during a cloud transition had an average breach cost of $4.13 million, or $267,000 more on average.

Cloud environments provide organizations with a myriad of security benefits and can help reduce security system complexity. This, in turn, may speed up response times to incidents. Migrating to the cloud is an absolute win for many organizations, but this study also tells us that companies need to do cloud migration right. Using managed security services was one of the factors that can mitigate the average cost of a data breach.

Discover More in the Cost of a Data Breach Report

The Cost of a Data Breach Report can help you decide where to efficiently allocate your security spend to minimize the costs of a data breach. Register for the report to use interactive tools, explore the data and access key findings and recommendations.

Charles DeBeck
Senior Cyber Threat Intelligence Analyst - IBM

Charles DeBeck is a senior cyber threat intelligence strategic analyst with IBM X-Force Incident Response and Intelligence Services (IRIS). Charles brings 7 ...