This article shares some of the key takeaways and statistics from the IBM Cost of a Data Breach Report 2021 and is a staunch reminder of the impact breaches can have on an organization from a cost, time and labor perspective.
The annual report provides a detailed analysis of the current landscape of data breaches on organizations across all industries, including the financial impact of incidents, the most targeted data and best practices to mitigate risk.
What is a Data Breach?
The report defines a breach as an event in which an individual’s name and a medical record and/or a financial record or debit card is potentially put at risk — either in electronic or paper format. Breaches included in the study ranged from 2,000 to 101,000 compromised records.
Defining the Cost of a Breach
The report calculates the total cost of a data breach by adding up four cost centers: Detection and Escalation, Notification, Post Breach Response (incident response) and Lost Business Cost. In 2021, Lost Business Cost was the primary cost driver and Notification the smallest. The full breakout is below (Notification is the remainder after the three larger categories).
38% Lost Business Cost
29% Detection and Escalation
27% Post Breach Response
6% Notification
Reputational cost is not included in this figure because it is hard to quantify, but this type of damage can have a long-lasting impact that is sometimes near impossible to overcome.
So How Much Does a Data Breach Cost in 2021?
$9.05 Million – Average Total Cost of a Data Breach by Country or Region
First place is not always something to brag about, but for the eleventh year in a row the United States ranks as the top country for average total cost of a data breach. In 2021, the United States averaged $9.05 million, an increase from the $8.64 million in 2020. The other countries/regions in the top five include the Middle East, Canada, Germany and Japan – the same group from 2020.
$4.62 Million – Ransomware Breaches
According to the report, ransomware played a role in 7.8% of the breaches studied, and the average cost of a ransomware breach in 2021 came to $4.62 million, higher than the overall average cost of a data breach ($4.24 million).
An important note on this number is that the cost does not include any ransom paid, which can range from a few hundred thousand dollars to tens of millions. In fact, a US insurance company reportedly paid a $40 million ransom in March according to Business Insider, which shows how the total cost of a ransomware breach can far surpass the $4.62 million average once all factors are considered.
$4.24 Million – Average Cost of a Data Breach
The average cost of a data breach increased nearly 10% from 2020’s $3.86 million, the largest single-year increase in the last seven years and the highest average in the report’s history. The report also noted that while the overall cost increased, organizations with more mature security postures had lower associated costs; in particular, organizations with fully deployed security AI and automation reported far lower breach costs than those with none.
$1.07 Million – Cost Difference Where Remote Work Was a Factor in a Breach
With the shift to remote work, the report highlights a cost difference of more than $1 million where remote work was a factor in the breach. Of the companies surveyed, 17.5% reported remote work as a factor in their breach, and organizations with more than 50% of their workforce remote took 58 days longer on average to identify and contain a breach than those with the majority working on-site.
Data Breach by Industry Highlights
Healthcare Industry – For the 11th year in a row, the healthcare industry had the highest average cost of a breach by industry, at $9.23 million. While healthcare being the most impacted industry was not a surprise, a 29.5% increase over 2020 is alarming.
Financial Industry – The financial sector came in with the second highest average total cost of a data breach by industry with a reported $5.72 million price tag, which is actually an improvement over 2020’s average cost of $5.85 million.
Public Sector – The public sector reported a 78.7% increase in average cost, from $1.08 million in 2020 to $1.93 million. Given the increased targeting of municipalities and local governments over the last year, the sharp increase comes as no surprise to those in the cybersecurity world.
Energy Industry – Not every statistic in the report was negative. The energy sector recorded a noticeable improvement, with the average cost of a data breach falling to $4.65 million from $6.39 million in 2020.
What Data is Being Targeted?
So what exactly are cyber criminals targeting when breaching organizations? The general answer is whatever is most valuable on the dark web, and in 2021 that was customer personally identifiable information (PII). Other targeted records include intellectual property (Quanta Computer anyone?). The top five types of records compromised, the share of breaches in which they appeared, and the average cost per record are below.
44% Customer PII ($180)
28% Anonymized Customer Data ($157)
27% Intellectual Property ($169)
26% Employee PII ($176)
12% Other Sensitive Data ($165)
Responding to Data Breaches in 2021
The old adage “time is money” rings true in the cybersecurity world, and unfortunately the 2021 report shows that the average data breach lifecycle (time to identify and contain) increased a full week since 2020, to 287 days. Many may do a double take at that number, as it is almost a full calendar year, but the data shows it took organizations an average of 212 days to identify a breach and an additional 75 days to contain it.
The longest lifecycles by initial attack vector were Compromised Credentials (342 days), Business Email Compromise (317 days) and Malicious Insiders (306 days). Additional average lifecycles by initial attack vector include:
293 Days – Phishing
292 Days – Physical Security Compromise
290 Days – Social Engineering
286 Days – Third-Party Software Vulnerabilities
How Do I Protect My Organization from Data Breaches?
While the numbers are new, many of the breach types and entry points are the same ones we have seen for years, and we suspect the cost of a data breach will only grow as threat actors have become more brazen and greedy over the last year. In fact, what was widely reported as the largest ransomware attack to date took place over the July 4th weekend, and the Biden Administration is increasing its focus on cybersecurity due to the increasing targeting of infrastructure and supply-chain providers.
As for strengthening security posture, our team will always promote developing a comprehensive cybersecurity plan that fits your organization’s culture, structure and industry. There is no “one size fits all” approach to cybersecurity, but a commitment to regular vulnerability assessments, security automation, end user security education and proactive incident response planning are foundational pieces every organization should benefit from.
We also recognize that the increasingly connected world has placed an emphasis on third-party risk, as many high-profile breaches are rooted in a vendor or partner. That is why it is more important than ever for every organization to include third-party risk management, and professionals who specialize in it, in their security and risk management plans.
About the IBM Cost of a Data Breach Report 2021
The annual report, featuring research by the Ponemon Institute, offers insights from 537 real breaches to help you understand cyber risk in a changing world. Now in its 17th year, this report has become a leading benchmark tool, offering IT, risk management and security leaders a lens into factors that can increase or help mitigate the cost of data breaches. The full report is available for download at https://www.ibm.com/security/data-breach
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].