What’s new in the 2021 Cost of a Data Breach Report.

Has cybersecurity ever been more important than it is right now? Even in these extraordinary times, with its focus on manufacturing vaccines and getting shots into arms, new research in the Cost of a Data Breach Report shows that the increasing cost of security breaches makes preventing and responding to these threats a critical concern.

Now in its 17th year, the annual Cost of a Data Breach Report — conducted by the Ponemon Institute and sponsored, analyzed, reported and published by IBM Security — continues to be relevant in helping organizations understand and respond to security risks. This year’s report looked at dozens of factors that influence data breach costs, including the impact of millions of workers logging on from home to access data and applications.

As we saw in last year’s report, survey participants predicted that the rapid onset of remote work and other factors due to the pandemic would increase the costs associated with data breaches and the amount of time to contain them. Those predictions turned out to be accurate, as data breach costs reached a record high.

In the 2021 study, the average total cost of a data breach increased by nearly 10% to $4.24 million, the highest ever recorded. Moreover, costs were even higher when remote working was presumed to be a factor in causing the breach, increasing to $4.96 million.

Remote working due to the pandemic also impacted the speed of response, increasing the time to identify and contain data breaches. At organizations with a greater than 50% remote work adoption, it took an average of 316 days to identify and contain the breach. Compared to the overall average of 287 days, increased levels of remote work appeared to make containing a breach take nearly a month longer.

The research for this report showed that faster incident response times were associated with substantially lower costs, with a cost savings of nearly 30% if a breach was contained in less than 200 days.

Despite increasing costs and breach timelines, this year’s report reveals encouraging developments in the successes of artificial intelligence (AI), security automation and zero trust at mitigating the worst financial impacts. Not only does it appear that AI, automation and zero trust technologies are helping limit the damages, more companies are also entering a mature stage in their deployment.

Among the top findings in this year’s report, we saw:

• Levels of automation increased. The share of organizations with fully or partially deployed security AI and automation rose to 65% in the 2021 study, compared to 59% in 2020.
• Security AI and automation when fully deployed provided the biggest cost mitigation. Organizations with fully deployed security AI and automation saw breach costs that were USD3.81 million less than organizations without it. With no security automation, breach costs averaged USD6.71 million, vs. USD2.90 million on average at organizations with fully deployed security automation, a difference of 79.3%.
• A zero trust approach helped reduce the average cost of a data breach. Just 35% of organizations used a zero trust approach, which aims to wrap security around every user, device and connection. While the average cost of a breach was USD5.04 million for those without a zero trust approach, in mature stage of deployment, the average cost of a breach was USD3.28 million, a 42% cost difference.

The report also looked into the impacts of data breaches in the cloud, and the influence of cloud migration on breach costs.

• The hybrid cloud model had the lowest average total cost. Hybrid cloud breaches had a lower average cost compared to public, private and on-premise cloud models. Hybrid cloud breaches cost an average of USD1.19 million less than public cloud breaches, or a difference in cost of 28.3%.
• Cloud modernization appeared to help decrease breach response times. While companies that experienced a breach during a major cloud migration had higher costs, those who were further along in their overall cloud modernization strategy were able to detect and respond to incidents more effectively. Mature organizations successfully contained the breach 77 days faster than those who were in the early stage of their deployments (252 vs. 329 days).

CISOs, risk managers and security teams can use benchmark research like the Cost of a Data Breach Report to infer general trends and cost averages in their industry or geography, or use risk quantification to understand risks for their specific organization.

As part of a comprehensive strategy for risk management, security risk quantification calculates the probability of certain events and calculates the estimated financial impact to the business. One prime example of how cyber risk affects business value is in mergers and acquisitions, where an undisclosed data breach at the acquired company could contribute to the company losing value. Other risks include threats to stock valuation, lost business, business disruption and regulatory and legal costs.

The Cost of a Data Breach Report highlights how the Factor Analysis of Information Risk (FAIR), an open international standard for cyber risk modeling, combined with threat intelligence, can help organizations assess the potential impacts of cyber risks through financial projections and probabilities. The report offers a hypothetical example of how an organization in the financial services industry might use FAIR to project probability and ranges for monetary damages from a breach of sensitive information.