IBM finds cyberattacks costing companies nearly $4 million per breach

The study showed concrete financial benefits to having security systems and teams in place.

[Image: computer with a data breach warning on the screen. Credit: Rawpixel, Getty Images/iStockphoto]

Data breaches are now costing companies nearly $4 million according to a new report from IBM Security and the Ponemon Institute released Wednesday. The annual Cost of a Data Breach Report provides an in-depth look at the financial implications of small-, medium- and large-sized breaches. Researchers with the Ponemon Institute interviewed more than 3,000 people working for 524 organizations that experienced data breaches between August 2019 and April 2020 from a variety of industries and countries.

On average, breaches now cost organizations $3.86 million each, with the United States having the highest average cost per breach and healthcare being the most heavily hit industry. Customer personally identifiable information (PII) was exposed in 80% of these incidents, and more than 75% of respondents predicted that teleworking would make a company's data breach response even more difficult than it already is.


"When it comes to businesses' ability to mitigate the impact of a data breach, we're beginning to see a clear advantage held by companies that have invested in automated technologies," said Wendi Whitmore, vice president of IBM X-Force Threat Intelligence.

"At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry's talent shortage persists, teams can be overwhelmed securing more devices, systems, and data. Security automation can help resolve this burden, not only enabling a faster breach response but a significantly more cost-efficient one as well."

IBM Security has sponsored the study for five years, while the Ponemon Institute has conducted the research and compiled the report for 15 years. The breaches covered in the main report ranged in size from 3,400 to 99,730 records lost.

Cost variation in breaches

The report found stark differences in the cost of breaches according to an organization's security posture. Enterprises with fully deployed security automation lost about $2.45 million per breach, while those with no security automation deployed saw losses of more than $6 million.

Among threat actor types, attacks sponsored by nation-states were the most damaging, averaging about $4.4 million in losses. That figure exceeded the average cost of attacks carried out by financially motivated cybercriminals and hacktivists, who together account for more than half of the attackers behind malicious breaches, the study said.

"While the average cost per lost or stolen record was $146 across all data breaches, those containing customer PII cost businesses $150 per compromised record. The cost per record of customer PII increased to $175 in breaches caused by a malicious attack," the study said. "Anonymized customer data was involved in 24% of breaches in the study, at an average cost of $143 per record, which increased to $171 per record in breaches caused by malicious attacks."

Types of vulnerabilities and attacks

The most common initial attack vectors were stolen or compromised credentials and vulnerabilities in third-party software. According to the study, almost 20% of all companies that suffered a data breach reported that it originated from compromised credentials.

More than half of all breaches covered in the report were caused by malicious attacks, with human error and system glitches accounting for the remainder.

In addition to stolen credentials, another major source of breaches for many organizations is misconfigured cloud servers. Other studies this year have put the cost of the problem to companies at nearly $5 trillion. The IBM report said breaches involving cloud misconfigurations raised the average cost of a breach by more than half a million dollars, to $4.41 million.

The costs incurred from breaches involved a variety of factors, most notably lost business. According to the report, almost 40% of the average cost of a breach came from lost business, which includes customer turnover, revenue lost to system downtime, and "diminished" reputation due to publicity around a breach.

To deal with all of this, many organizations have turned to automation: the report found that the share of organizations with fully deployed security automation, including artificial intelligence (AI) platforms and automated breach orchestration tools, rose to 21%, up from 15% in 2018.

The decision not to deploy such tools proved costly, with the study showing that enterprises that decided against using them had an average breach cost of more than $6 million.

The study included a section dedicated to mega breaches, which found that breaches exposing more than 50 million records cost an average of $392 million, up slightly from $388 million the year before. For breaches of at least one million records, enterprises lost an average of $50 million.

In terms of time spent identifying breaches, the study found that on average, organizations needed more than 200 days to identify a breach and another 73 days to fully contain it, for a combined breach lifecycle of roughly 280 days. That lifecycle varied considerably by industry: it was far longer in healthcare (329 days) and far shorter in financial services (233 days).

US has highest breach costs

Broken down geographically and by industry, the United States and the healthcare sector had the highest average breach costs.

"The United States continued to experience the highest data breach costs in the world, at $8.64 million on average, followed by the Middle East at $6.52 million. The average total cost increased in 12 of 16 countries or regions that were studied in both 2019 and 2020, with the biggest increase in Scandinavia, at 12.8%," the report said. 

"For the tenth year in a row, healthcare continued to incur the highest average breach costs at $7.13 million—a 10.5% increase over the 2019 study. Similarly, the energy sector saw a 14.1% increase from 2019, to an average of $6.39 million in the 2020 study. Overall, 13 of 17 industries experienced an average total cost decline year over year, with the steepest drops coming in media, education, public sector, and hospitality."

Attacks around the world

The study included breaches from a number of regions and countries like India, the United Kingdom, Germany, France, Brazil, Japan, Canada, South Korea, Australia, and Italy.

Malicious attacks were most common in the Middle East, Germany, and Australia while South Africa, Brazil, and Canada had the lowest percentage of malicious attacks, according to the report. Canada had the highest number of data breaches caused by system glitches, and Southeast Asia as well as Italy had the highest percentage of data breaches caused by human error.

Industries such as technology, transportation, retail, and financial services saw the highest percentage of malicious attacks, while the entertainment, public sector, and consumer industries had the largest share of data breaches caused by human error. The report said system glitches were more commonly the root cause of a breach in research, the public sector, and transportation.

The report also examines which kinds of malicious attacks were the most damaging, singling out destructive and ransomware attacks:

"Malicious attacks that destroyed data in destructive/wiper-style attacks (average cost of $4.52 million) and ransomware attacks ($4.44 million) were more expensive than the average malicious breach ($4.27 million) or the average data breach ($3.86 million)," the report said. 
