IBM Security has just released its 2020 Cost of a Data Breach Report, which shows a 1.5% decrease in the global average cost of a data breach, from $3.92 million in 2019 to $3.86 million per breach.
Data breach costs varied considerably by region and industry. Companies in the U.S. had the highest data breach costs, with an average breach costing $8.64 million, up 5.5% from 2019.
COVID-19 Estimated to Increase the Costs of Data Breach
This is the 15th year that IBM Security has produced the report. The research was conducted by the Ponemon Institute and drew on data from 524 breached companies and interviews with 3,200 people across 17 countries and regions and 17 industry sectors. Research for the report was carried out between August 2019 and April 2020.
Most of the research was therefore completed before the COVID-19 crisis, which is likely to affect data breach costs. To gauge how COVID-19 will affect the cost of a data breach, the Ponemon Institute re-contacted study participants to ask their opinions. 76% of survey respondents believed the growth in remote working would increase the time it takes to identify and contain a data breach, and 70% said remote working could increase the cost of a data breach. The average cost increase attributable to COVID-19 was calculated at $137,000.
Healthcare Data Breaches Cost a Lot
Healthcare data breaches were the most expensive to deal with. The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States. While the overall average cost of a data breach fell across all countries and industry sectors combined, healthcare data breach costs rose 10.5% year-over-year.
The global average cost of a breach is $146 per record, rising to $150 per record when PII was breached and to $175 per record when PII was breached in a malicious attack.
The average time to identify and contain a breach is 280 days, and 315 days for a malicious attack, each up by 1 day from 2019. In the U.S., the average time to identify a data breach is 186 days, with a further 51 days to contain it. The healthcare industry took the longest: 236 days to identify a breach and 93 days to contain it, for a total of 329 days.
The costs of a data breach are spread over several years, with 61% of costs incurred in the first year, 24% in the second year, and 15% in the third year and beyond. In highly regulated industries such as healthcare, the split was 44% (year 1), 32% (year 2), and 21% (year 3+).
For the third year, IBM Security also measured the costs of mega data breaches, those affecting more than 1 million records. A breach affecting 1 million to 10 million records costs $50 million on average, a breach affecting 10 million to 20 million records costs an average of $176 million, and a breach affecting 50 million records costs $392 million.
Most Common Causes of Malicious Data Breaches
- 19% of breaches were malicious attacks that resulted mostly from compromised credentials and cloud misconfigurations
- 16% of breaches were due to vulnerabilities in third-party software
- 14% of breaches were due to phishing
- 10% were due to physical security compromises
- 7% were due to malicious insiders
- 6% were due to system errors and other misconfigurations
- 5% were due to business email compromise attacks
Breaches involving compromised credentials were the most expensive. Breaches resulting from vulnerabilities in third-party software and from cloud misconfigurations were the second most expensive.
Of all the attacks, 53% were financially motivated, 13% were carried out by nation state hacking groups, and 13% by hacktivists. The threat actors behind 21% of the breaches were not identified. Financially motivated attacks were the least costly, at a global average of $4.23 million, while attacks by nation state hackers were the most costly, at an average of $4.43 million. The average cost of a malicious attack was $4.27 million. Destructive data breaches involving ransomware cost an average of $4.4 million, and those involving destructive malware such as wipers cost an average of $4.52 million.
In healthcare, 50% of data breaches were due to malicious attacks, 23% to system glitches, and 27% to human error.