A global study commissioned by IBM Security shows that the average cost of a data breach exceeded $4.2 million during the coronavirus pandemic, which the company pointed out is the highest in the 17-year history of its “Cost of a Data Breach” report.
The report is based on information collected from 500 organizations worldwide between May 2020 and March 2021. It analyzes real data breaches and calculates costs associated with incidents based on various factors, including legal, regulatory and technical activities, as well as loss of customers, employee productivity and brand equity.
The average cost of a data breach increased by nearly 10% compared to the previous year, from $3.86 million to $4.24 million, but IBM noted that “costs were significantly lower for some of organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security.”
The study found that these are also important factors when it comes to detecting and containing a breach. The average number of days to identify and contain an incident was 287, seven days more than in the previous year.
The largest part of breach costs represented lost business. This accounted for 38% of the total, or roughly $1.6 million. “Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation,” IBM explained.
Another noteworthy finding is that the cost of a data breach was more than $1 million higher in the case of incidents where remote work contributed to the breach. In addition, companies where more than half of their employees had been working remotely took 58 days longer to contain a breach compared to firms where less than half of the workforce had been working remotely.
For the 11th year in a row, healthcare organizations incurred the highest costs, $9.23 million on average per breach, up from $7.13 million. However, in the energy sector the average data breach cost dropped to $4.65 million from $6.39 million.
Nearly half of the analyzed breaches involved compromised personally identifiable information (PII). For PII records, the average cost per record was $180, and the overall average cost per record was $161, up from $146 in the previous year.
Roughly 8% of breaches analyzed for the report involved ransomware, and the average cost of these incidents was $4.62 million, and slightly higher for attacks involving destructive wipers.
The study is based on breaches where between 2,000 and 101,000 records were compromised. However, the report has a section on mega breaches — incidents where more than 1 million records were impacted.
Fourteen companies in IBM’s study experienced a mega breach, and costs ranged between $52 million for breaches impacting up to 10 million records and $401 million for the largest breaches, which involved up to 65 million records.
The full Cost of a Data Breach Report is available for download in PDF format on IBM’s website.
Related: Financial Sector Remains Most Targeted by Threat Actors: IBM
Related: IBM: 44 Organizations Targeted in Attacks Aimed at COVID-19 Vaccine Cold Chain
Related: Cost of Data Breach in UK Increases More Than 41% in Two Years