In a world of uncertainty and change, it’s a comfort that some things are consistent year after year. Now in its 15th year, the annual Cost of a Data Breach Report, with research by the Ponemon Institute and published by IBM Security, continues to provide a detailed view of the financial impacts security incidents can have on organizations, with historical data revealing trends in data breach causes and consequences.

This year’s study analyzed 524 breaches that occurred between August 2019 and April 2020, in organizations of all sizes, across 17 geographies and 17 industries. The 2020 Cost of a Data Breach Report shows some consistency with past research, including the global total cost of a data breach, which averaged $3.86 million in the 2020 study, down about 1.5% from the 2019 study, but in line with previous years. The average time to identify and contain a data breach was 280 days in the 2020 study, nearly identical to the average of 279 days in 2019.

Yet 2020 has been an exceptional year. In response to the global coronavirus pandemic that has disrupted so many businesses, economies and lives, many organizations have shifted to remote work models. According to survey results in the 2020 Cost of a Data Breach Report, 76% of respondents whose organizations have shifted to remote work expect that working from home could increase the time it takes to identify and contain a data breach. Additionally, 70% of respondents expect remote working could increase the cost of a data breach.

As organizations continue to adjust to COVID-19, to protect their employees’ health, continue to serve customers and adapt to rapid changes in business models, the need to assess and mitigate cybersecurity risks has never been higher. The Cost of a Data Breach Report offers insights and recommendations to help you along the way.

See the 2020 Cost of a Data Breach report and calculator

The real value of this research is not pegging the cost of a breach to a single average, but in highlighting the numerous factors that impact those costs, so that organizations can identify the best possible strategies for mitigation. Here we offer some highlights of the report.

New Insights, Remote Working and Vulnerability Testing

Each year, Ponemon Institute asks participating organizations to estimate costs* on hundreds of factors that impact the cost of a data breach, from lost business to detection and response activities, to notification activities and many more. To keep up with changing business needs, new technologies and new threats, the 2020 report explores previously unexamined factors including various types of threats, organizational factors and security measures.

This year, the research added analysis of the cost impact of vulnerability testing and red team testing, which uses an adversarial approach to penetration testing. Compared to the average total cost of $3.86 million, organizations that conducted red team testing said their average costs were about $243,000 lower, while organizations with vulnerability testing said they experienced costs that were on average about $173,000 less than the global average.

And for the first time, the research explores the cost impact of remote work and the security skills shortage, both of which were found to have a cost amplifying effect. Organizations with remote work arrangements cited costs that were nearly $137,000 higher than the global average of $3.86 million, while organizations estimated that the security skill shortage increased costs by an average of $257,000 compared to the global average.

You can explore the impacts of these cost factors and more – some that amplify costs and others that mitigate costs – using the interactive cost calculator that is a companion to this year’s report. You can register to access the full calculator to see the estimated impact of 25 cost factors on the average cost of a data breach in 17 geographies and 14 industries.

Download the webinar to learn more key findings and best practices from the 2020 Cost of a Data Breach Report

Key Findings That May Surprise You

Here are five of the key findings from the 2020 Cost of a Data Breach Report, including several new areas of research.

1. Security automation and incident response readiness are effective at mitigating costs

Detecting a breach as quickly as possible through the use of automation, and responding to contain the breach faster with a trained and prepared incident response (IR) team, were found to significantly limit the financial damages of a data breach.

In the 2020 study, the average cost of a data breach at organizations that have deployed security automation technologies – such as artificial intelligence, machine learning, analytics, and automated orchestration – was far less than at organizations that have not yet deployed these technologies. In fact, the average cost of a breach at organizations with fully deployed security automation was $2.45 million, compared to $6.03 million at organizations with no security automation, or a difference of $3.58 million.

Meanwhile, organizations with IR teams who regularly test their IR plans through simulated breach exercises experienced an average data breach cost of $3.29 million, while organizations without IR teams or IR testing experienced an average data breach cost of $5.29 million – a difference of $2 million on average.

2. Customer PII drives costs more than other record types

For the first time, the report drills down into the per-record cost of a data breach** based on the type of records involved. Customer personally identifiable information (PII) was the most expensive type of record, costing an average of $150 per lost or stolen record, compared to the per-record cost of intellectual property ($147), anonymized customer records ($143) or employee PII ($141). Customer PII was also the most frequently compromised type of data, present in 80% of the breaches analyzed.

3. Compromised credentials and cloud misconfiguration are the biggest attack vectors

Malicious attacks were responsible for 52% of breaches in the 2020 study, a slight increase from 51% in 2019. For the first time, the 2020 report took a deeper dive into the types of malicious attacks, analyzing the cost and frequency of nine initial attack vectors. The most frequent initial attack vectors included compromised credentials (19% of malicious breaches), cloud misconfiguration (19%) and vulnerabilities in third-party software (16%). These three attack vectors are also the costliest, with breaches due to compromised credentials averaging $4.77 million, vulnerabilities in third-party software averaging $4.53 million and cloud misconfiguration breaches averaging $4.41 million.

4. Ransomware and destructive attacks are more expensive than average breaches

Not all data breaches involve the theft or leakage of data – sometimes records are destroyed or held hostage for a ransom. For the first time, the report analyzed the cost of breaches involving destructive malware and ransomware. The average destructive malware breach cost $4.52 million and the average ransomware breach cost $4.44 million. The overall average cost of a malicious breach was $4.27 million.

5. Nation-state attacks are uncommon but the costliest malicious breaches

For the first time, the 2020 report analyzed malicious breaches based on the type of threat actor believed to be responsible for the breach. The most common type of malicious breach was caused by financially motivated attackers (53% of malicious breaches), compared to nation-state threat actors (13%) and hacktivist threat actors (13%). Although less common, state-sponsored breaches ($4.43 million) and hacktivist breaches ($4.28 million) cost more on average than financially motivated breaches ($4.23 million).

Discover More in the 2020 Cost of a Data Breach Report

The Cost of a Data Breach Report contains more information and insights this year than ever before. To make the report more accessible and interactive, IBM Security offers an interactive calculator, a global map and other tools for exploring the data for insights and recommendations. Visit the website at ibm.com/databreach to view an infographic with key highlights and register for the report to use the calculator, see industry recommendations, download data charts and access the complete report as a PDF document.


If you are experiencing a cybersecurity incident, contact the X-Force IRIS U.S. hotline 1-888-241-9812; Global hotline (+001) 312-212-8034. Visit IBM X-Force Incident Response and Intelligence Services to learn more.

* To preserve confidentiality, the Ponemon Institute does not use actual financial records, but asks people with knowledge of the breach to estimate costs for a range of direct and indirect costs. For a more thorough explanation of the methodology, see the Research methodology section of the full Cost of a Data Breach Report.

** The breaches studied in the Cost of a Data Breach Report ranged from approximately 3,000 to 100,000 records. The cost per record for breaches of this size should not be used to extrapolate the cost of larger data breaches, which have a lower per-record cost. The largest data breaches were studied in a separate analysis. See the complete Cost of a Data Breach Report for more information.
