Has cybersecurity ever been more important than it is right now? Even in these extraordinary times, with its focus on manufacturing vaccines and getting shots into arms, new research in the Cost of a Data Breach Report shows that the increasing cost of security breaches makes preventing and responding to these threats a critical concern.

Now in its 17th year, the annual Cost of a Data Breach Report — conducted by the Ponemon Institute and sponsored, analyzed, reported and published by IBM Security — continues to be relevant in helping organizations understand and respond to security risks. This year’s report looked at dozens of factors that influence data breach costs, including the impact of millions of workers logging on from home to access data and applications.

As we saw in last year’s report, survey participants predicted that the rapid onset of remote work and other factors due to the pandemic would increase the costs associated with data breaches and the amount of time to contain them. Those predictions turned out to be accurate, as data breach costs reached a record high.

How much does a data breach cost in 2021?

In the 2021 study, the average total cost of a data breach increased by nearly 10% to $4.24 million, the highest ever recorded. Moreover, costs were even higher when remote working was presumed to be a factor in causing the breach, increasing to $4.96 million.

Remote working due to the pandemic also impacted the speed of response, increasing the time to identify and contain data breaches. At organizations with a greater than 50% remote work adoption, it took an average of 316 days to identify and contain the breach. Compared to the overall average of 287 days, increased levels of remote work appeared to make containing a breach take nearly a month longer.

The research for this report showed that faster incident response times were associated with substantially lower costs, with a cost savings of nearly 30% if a breach was contained in less than 200 days.

Download the Report

Top findings: Security AI, zero trust and cloud

Despite increasing costs and breach timelines, this year’s report reveals encouraging developments in the successes of artificial intelligence (AI), security automation and zero trust at mitigating the worst financial impacts. Not only does it appear that AI, automation and zero trust technologies are helping limit the damages, more companies are also entering a mature stage in their deployment.

Among the top findings in this year’s report, we saw:

  • Levels of automation increased. The share of organizations with fully or partially deployed security AI and automation rose to 65% in the 2021 study, compared to 59% in 2020.
  • Security AI and automation when fully deployed provided the biggest cost mitigation. Organizations with fully deployed security AI and automation saw breach costs that were $3.81 million less than organizations without it. With no security automation, breach costs averaged $6.71 million, vs. $2.90 million on average at organizations with fully deployed security automation, a difference of 79.3%.
  • A zero trust approach helped reduce the average cost of a data breach. Just 35% of organizations used a zero trust approach, which aims to wrap security around every user, device and connection. While the average cost of a breach was $5.04 million for those without a zero trust approach, in mature stage of deployment, the average cost of a breach was $3.28 million, a 42% cost difference.

The report also looked into the impacts of data breaches in the cloud, and the influence of cloud migration on breach costs.

  • The hybrid cloud model had the lowest average total cost. Hybrid cloud breaches had a lower average cost compared to public, private and on-premise cloud models. Hybrid cloud breaches cost an average of $1.19 million less than public cloud breaches, or a difference in cost of 28.3%.
  • Cloud modernization appeared to help decrease breach response times. While companies that experienced a breach during a major cloud migration had higher costs, those who were further along in their overall cloud modernization strategy were able to detect and respond to incidents more effectively. Mature organizations successfully contained the breach 77 days faster than those who were in the early stage of their deployments (252 vs. 329 days).

Quantifying security risk

CISOs, risk managers and security teams can use benchmark research like the Cost of a Data Breach Report to infer general trends and cost averages in their industry or geography, or use risk quantification to understand risks for their specific organization.

As part of a comprehensive strategy for risk management, security risk quantification calculates the probability of certain events and calculates the estimated financial impact to the business. One prime example of how cyber risk affects business value is in mergers and acquisitions, where an undisclosed data breach at the acquired company could contribute to the company losing value. Other risks include threats to stock valuation, lost business, business disruption and regulatory and legal costs.

The Cost of a Data Breach Report highlights how the Factor Analysis of Information Risk (FAIR), an open international standard for cyber risk modeling, combined with threat intelligence, can help organizations assess the potential impacts of cyber risks through financial projections and probabilities. The report offers a hypothetical example of how an organization in the financial services industry might use FAIR to project probability and ranges for monetary damages from a breach of sensitive information.

More to explore

Inside the report, you’ll also find IBM Security recommendations for security measures that can reduce the potential financial and brand damages from a data breach, based on what the research found were most effective for organizations in the study. These recommendations include leveraging security orchestration, automation and response technologies and services; creating and practicing an incident response plan; identify and access management for remote employees; and employing a zero trust security model to help prevent unauthorized access to sensitive data.

Other topics covered in the report include:

  • Global findings and highlights – average costs in 17 countries and 17 industries, including the top country (the United States: $9.05 million) and top industry (healthcare: $9.23 million)
  • Frequency and cost of various initial attack vectors including the top three most common: compromised credentials (20% of breaches), phishing (17%) and cloud misconfigurations (15%).
  • The cost of mega breaches of more than 1 million records, which reached over $400 million for the largest breaches of 50 million to 65 million records.
  • The cost of different types of records, including customer personally identifiable information – the most frequently breached and the most expensive at $180 per record.

Download the full report for the complete findings.

More from X-Force

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today