The cost of data breaches reached an all-time high of $4.24 million per incident on average during the pandemic, the highest cost in the 17-year history of the IBM Security report. The report found that as digital acceleration took hold, cybercriminals also accelerated their attacks, resulting in compromised data.
The IBM Security “Cost of Data Breach” report, which was conducted by Ponemon Institute, analyzed about 500 organizations that experienced data breaches. The technology company concluded that the cost of data breaches during the COVID-19 pandemic rose 10% compared to the prior year.
“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, VP and GM, IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI (artificial intelligence), automation and the adoption of a zero trust approach, which may pay off in reducing the cost of these incidents further down the line.”
The remote work setup required companies to adopt cloud technology, and this is the vulnerability that attackers found and exploited. Breaches cost over $1 million more on average when remote work was indicated as a factor in the event than those in this group without this factor ($4.96 million vs. $3.89 million), according to IBM.
While organizations were quick to adapt to new technologies, the report found that security has been overlooked. It also didn’t help that the security postures companies had adopted were mostly on-premises. The most common attack method used by cybercriminals was compromised user credentials, representing 20% of breaches studied.
It is no surprise, though, that most attacks are on the healthcare sector, because this is among the industries, along with retail, hospitality, and consumer manufacturing/distribution, that faced huge operational changes during the pandemic. Healthcare breaches cost the most by far, at $9.23 million per incident, a $2 million increase over the previous year.
The pandemic also accelerated consumer adoption of e-commerce. This may explain the findings that customer personal data (such as name, email, password) was the most common type of information exposed in data breaches with 44% of breaches including this type of data.
However, IBM said emerging technologies such as AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools. For cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61 million) than those who had a primarily public cloud ($4.80 million) or primarily private cloud approach ($4.55 million).
Cloud migration has become prevalent during the pandemic as companies realized the benefits of going online. Companies that adopted early had a more robust security posture, detecting incidents 77 days faster on average than those who were in early-stage adoption.
According to IBM, companies studied that adopted a zero trust security approach were better positioned to deal with data breaches. This approach operates on the assumption that user identities or the network itself may already be compromised and instead relies on AI and analytics to continuously validate connections between users, data, and resources. Organizations with a mature zero trust strategy had an average data breach cost of $3.28 million, which was $1.76 million lower than those who had not deployed this approach at all.
The report also found that more companies were deploying security automation compared to prior years, leading to significant cost savings. Around 65% of companies surveyed reported they were partially or fully deploying automation within their security environments, compared to 52% two years ago. Those organizations with a “fully deployed” security automation strategy had an average breach cost of $2.90 million – whereas those with no automation experienced more than double that cost at $6.71 million.