An IBM report that examined more than 500 data breaches occurring between August 2019 and April 2020 found that the average breach costs a company $3.86 million and takes 280 days to identify and contain (207 days to identify, 73 to contain).
More than half of the breaches studied (52 percent) were caused by malicious attacks, followed by system glitches (25 percent) and human error (23 percent).
IBM’s “2020 Cost of a Data Breach Report” also found that 80 percent of the breaches studied involved customer personally identifiable information (PII), and that breaches exposing PII were the most expensive per record to handle. More than 3,200 security professionals in 17 countries, all working at organizations that had experienced a data breach, participated in the survey, IBM said.
Breaches studied in the report ranged from 3,400 to 99,730 compromised records.
By way of comparison, an Audit Analytics study of data breaches at public companies from 2011 to 2019 pegged the average cost of a breach at $116 million. The two figures are not directly comparable: IBM’s sample included private companies, and IBM analyzed “mega-breaches” separately rather than folding them into the overall average.
Such mega-breaches were, of course, considerably more costly. Breaches of 1 million to 10 million records cost companies an average of $50 million to address, roughly 13 times the $3.86 million average for breaches of fewer than 100,000 records. In breaches of more than 50 million records, the average cost was $392 million, more than 100 times the overall average, the report said.
Although the study period covered only about two months of the coronavirus pandemic (March and April 2020), “the report found that 70% of companies studied that adopted telework amid the pandemic expect it will exacerbate data breach costs.” The report also found that having a remote workforce added nearly $137,000 to the $3.86 million average total cost of a breach, for an adjusted average of about $4 million.
IBM also found wide disparities in breach cost between industries, and between organizations that had prepared for a breach and those that had not.
For example, the average breach cost healthcare companies $7.13 million, followed by energy ($6.39 million) and financial services ($5.85 million). All three industries are heavily regulated, which contributed to their higher breach costs, the report said. Public-sector entities had the lowest average cost, just over $1 million, because they generally do not suffer reputational harm or lose customers as a result of a breach.
The IBM report noted two types of data breach preparedness helped companies pare down the cost of a breach.
The first was having an incident response (IR) team with a data breach plan that had been tested using tabletop exercises or simulations. The average cost of a breach for companies that had both an IR team and a tested plan was $3.29 million, compared with $5.29 million for companies that had neither, the report said.
The second was having fully deployed security automation, which IBM defined as security technologies that augment or replace human intervention, such as artificial intelligence platforms and automated breach orchestration.
Businesses that had not deployed security automation saw an average total cost of $6.03 million, more than double the $2.45 million average for businesses with fully deployed security automation.