According to the 2021 IBM Security Cost of a Data Breach report, the average cost of a data breach has risen by 10% to $4.24 million and healthcare data breaches are the most expensive, costing an average of $9.23 million to resolve, up from $7.13 million last year. Data breach costs are now at the highest level they have been in the 17 years that IBM Security has been publishing annual data breach reports.
The report is based on a survey conducted by the Ponemon Institute and analyses of data breaches of between 2,000 and 101,000 records at 500 organizations worldwide. IBM Security separately analyzed a handful of mega data breaches of between 50 million and 65 million records, with those breaches costing an average of $401 million to resolve, up from $392 million the previous year.
Ransomware attacks have higher than average costs. 8% of studied data breaches involved ransomware and cost an average of $4.62 million to resolve, with attacks involving wiper malware costing a little more. One of the main factors that increased data breach costs was having a largely remote workforce. Data breaches where remote working contributed to the cause of the breach cost over $1 million more to resolve and took an additional 58 days to contain on average.
The most common cause of a data breach was compromised credentials, which was the root cause of 20% of breaches studied. The most commonly breached data was customers’ personally identifiable information (PII). PII includes names, email addresses, passwords, and health data. PII was exposed in 44% of the studied data breaches. When PII is exposed, breach costs are higher. PII breaches cost an average of $180 per record, compared to the $161 per record average for all data types.
The analysis of breach costs highlighted several factors that play a key role in the cost of a data breach. Data breach costs were typically much lower at organizations that had adopted a zero-trust approach to cybersecurity. On average, breach costs at organizations that had a zero-trust approach were $1.76 million lower than at those that had not, with an average cost of $3.28 million per breach.
Implementing AI, security analytics, and encryption helps to keep data breach costs down. These three mitigating factors typically resulted in data breach cost savings of between $1.25 million and $1.49 million per breach.
Having a fully deployed security automation strategy greatly reduces data breach costs. Organizations that had a fully deployed security automation strategy had an average breach cost of $2.90 million, compared to $6.71 million at organizations with no security automation.
Having an incident response team and a tested incident response plan can greatly reduce data breach costs. Organizations with both had an average breach cost of $3.25 million. Without these two, breach costs were 54.9% higher at $5.71 million per breach.
Cloud-based data breach costs were lower at organizations that had a hybrid cloud strategy, where the average cost of a data breach was $3.61 million. The cost was $4.80 million at organizations with a primarily public cloud and $4.55 million for those with a private cloud strategy.
If a data breach occurred during a cloud migration project, data breach costs were an average of 18.8% higher. Organizations that had a more mature cloud migration plan were able to detect data breaches 77 days faster than organizations in the early stages of cloud migration. Overall, the average time to identify and contain a breach increased by 7 days year-over-year to 287 days – 212 days to identify a breach and 75 days to contain it.