Already in its 17th year, IBM Security recently published its latest annual “Cost of a Data Breach Report”. The data referenced in the report was gathered independently by the Ponemon Institute. In the 2021 edition, 537 real data breaches in 17 countries and regions, as well as 17 different industries, were examined closely.
When compared to the previous year, the average total cost of a data breach rose by almost 10 percent from US$3.86 million to US$4.24 million. This represents the largest single-year increase in seven years. Unsurprisingly, the better the companies were set up and prepared in terms of IT security, the less severely they were impacted by the breach.
COVID-19 a significant cost factor
Remote work and digital transformation, trends accelerated by the COVID-19 pandemic, increased the cost of a data breach by US$1.07 million on average, in cases where they played a role in causing the breach (17.5 percent of the impacted companies). It took companies where more than half the staff were working remotely, 58 days longer to identify and contain breaches. As a baseline, it took 287 days on average until a data breach had been discovered and remedied. This is seven days longer than reported the previous year. And the longer it took to detect a data breach, the more expensive it became to resolve.
Breaches involving more than 50 million data sets are classified as “mega breaches” by IBM and Ponemon. A data breach of this magnitude currently costs companies US$401 million on average, whereas a year earlier a similar catastrophe had cost US$392 million. This means that data breaches involving 50 to 65 million data sets were nearly 100 times more expensive than smaller breaches with 1,000 to 100,000 data sets.
Irretrievably lost business
The biggest cost factor in data privacy breaches was lost business, which amounted to US$1.59 million on average, constituting 38 percent of total breach costs. This figure includes increased customer turnover, lost revenue through unplanned system downtimes, as well as the increased cost of acquiring new customers due to the company’s diminished reputation.
The type of data most commonly affected in breaches was personal data, which was also the most expensive – setting companies back US$180 per lost or stolen record. On average, each record cost US$161 in comparison to US$146 per lost or stolen record in 2020. Looking at the impact on specific industries, the most expensive data breaches were those in the healthcare sector with US$9.23 million, an increase of US$2 million in comparison to the previous year.
With an average of US$4.62 million per breach, ransomware attacks – which impacted roughly 8 percent of the surveyed companies – were more expensive than average. This expense is calculated including costs for escalation, notification, lost business, and response costs. It doesn’t include any digital ransom that may have been paid (according to a recent study conducted by Palo Alto Networks in the first half of 2021, this amounted to US$570,000 on average, an incredible 82 percent more than in the same period a year earlier). Even more expensive than ransomware were malicious attacks in which targeted company data was destroyed directly. These attacks set companies back US$4.69 million on average.
BEC and phishing most costly
As far as the initial vectors of attack are concerned, business email compromise was most costly with consequential losses of US$5.01 million. Yet, with a share of only 4 percent of all data privacy breaches, such attacks occurred relatively seldom. Far more common were phishing attacks, which accounted for 17 percent of all breaches and resulted in the second highest costs with US$4.65 million.
The fact that attacks conducted via email result in such high costs underlines the importance of comprehensive, multi-faceted email security for companies. Powerful protection for the business-critical email infrastructure, irrespective of whether it is on-premises or in the cloud has long been crucial. Equally vital is sensitizing the users on a regular basis about the importance of handling emails with caution, especially if they come from unknown sources. The Retarus Secure Email Platform with its modular email security services was awarded top marks in the latest Market Compass released by KuppingerCole. In addition to classifying the Retarus service as a comprehensive communication service, the analysts also especially highlight the platform’s full compliance with the GDPR.