We know that data breaches can be costly. They pull time, energy, and money away from an organization’s core priorities. Breaches can have a lasting impact on an organization’s reputation and brand. IBM recently released Cost of a Data Breach Report 2020, a detailed report that breaks down the factors and costs associated with a breach. Today, we are going to highlight some of the key findings of the report.

The Sample

The report’s survey sample is diverse. They included 524 small, medium, and large organizations. Organizations are based in 17 countries and are spread across multiple industries from healthcare to entertainment. The main findings of the report were based on medium sized breaches where between 3,400 and 99,730 records were compromised. Mega-breaches were covered separately.

Key Cost Areas

IBM focuses on four key areas to evaluate the cost of a breach: detection and escalation, notification, ex-post response, and lost business. Within these categories, activities such as assessment and audit services or reputation losses and diminished goodwill are all assigned a real cost based using the activity-based costing method and information from the organizations themselves. Lost business is the largest share of the cost to organizations, followed by detection and escalation, ex-post response, and finally notification costs.

The Findings

The average total cost of a data breach is down slightly from 2019 to $3.86M and there is a wide variation between industries with the healthcare industry averaging $7.13M and public entities like local governments averaging $1.08M. Differences in costs are due to regulations in certain industries like healthcare or finance and customer elasticity (which is low for local governments). Geography also plays a big part in costs. A breach in the U.S. averages $8.64M, close to $5M higher than the global average.

Eighty percent of breaches involve customer PII, and more than a third of breaches involve intellectual property. Breach cost per record ranges from $141-$150 depending on the data exposed. Cost per record increases when the attack is defined as malicious (as opposed to accidental): $150-$175 per record.

One in five companies experienced a breach due to stolen or compromised credentials, something we’ve discussed recently on the blog.

Companies take an average of 280 days to identify (207 days) and contain (73 days) a data breach. This number also varies widely depending on the industry and the level of security automation in place at the organization.

The Remote Work Factor

The report captured the early half of 2020, the massive shift to remote work, and its implications. More than half of the organizations surveyed required a shift to telework due to COVID-19. When asked, “70% said remote work would increase the cost of a data breach and 76% said it would increase the time to identify and contain a potential data breach.” We can expect to see cybercriminals continue to exploit weakness associated with remote work.

Conclusion

This report gives detailed insight on the costs associated with a data breach. It’s a great reminder that we should view cyber awareness training, security automation tools, and other defense mechanisms as worthwhile investments meant to limit our exposure to data breaches and other cyber-attacks.