The average US & UK cost of a data breach

Now more than ever, organisations should handle the personal data of their customers with care. To complete financial transactions or register for services, people disclose their private information to organisations with the expectation that it will be protected. Unfortunately, personal information is valuable to malicious adversaries, and criminals launch cyberattacks to access it. These breaches not only cost companies millions, they also leave customers feeling violated. Even the most prominent corporations have experienced data breaches, and the brunt of the blame always falls on the company.

The primary consequences of a data breach include:

    • Financial loss
    • Reputational Damage
    • Operational Downtime
    • Legal Action
    • Loss of Sensitive Data

IBM released the Cost of a Data Breach 2021 report, an annual study on the cost of data breaches and the modern threat landscape. The report not only highlighted that the cost of data breaches is on the rise but also showed that enterprises are taking longer to contain security incidents.

Average cost of a US data breach

In the US, the overall cost of a data breach has increased: 2021 saw the highest average cost of a data breach in 17 years, at $9.05 million (£6.68 million), up from $8.64 million (£6.37 million) in 2020.

Average cost of a UK data breach

Although the cost of a data breach in the UK was above the global average, it was not above the US. Data breaches cost UK enterprises an average of £3.61 million ($4.89 million) per breach.

Sector breaches

The top five industries with the highest average total cost were Healthcare ($9.23/£6.81 million), Financial Services ($5.72/£4.22 million), Pharmaceuticals ($5.04/£3.72 million), Technology ($4.88/£3.60 million), and Energy ($4.65/£3.43 million). This is unsurprising, given the complex web of regulations healthcare and finance organisations need to adhere to. 

The public sector also saw a significant increase in data breach costs, which rose by 78.7% between 2020 and 2021, from $1.08 million (£0.80 million) to $1.93 million (£1.42 million). However, the public sector wasn't the only one seeing cost increases; the retail, media, hospitality, and communications industries also had an increase in average data breach costs.


Remote Working

The report highlights that decentralised remote working environments increase the impact of data breaches considerably. Organisations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those organisations with 50% or fewer employees working remotely.

This indicates that organisations offering work from home opportunities to employees need to ensure that security best practices are maintained off-site, or they leave themselves at risk of encountering security incidents that are more difficult to contain.

Common Threats

The most frequent initial attack path identified was compromised credentials, accounting for 20% of breaches, followed by phishing attempts (17%), cloud misconfiguration (15%), and business email compromise (4%).

Although compromised credentials accounted for the highest proportion of data breaches, they didn't have the highest average cost. Business email compromise was the initial attack vector with the highest overall cost, with an average cost of $5.01 million (£3.70 million).

The other threat vectors with the highest costs included phishing attacks, with an average cost of $4.65 million (£3.43 million), followed by malicious insiders at $4.61 million (£3.40 million), social engineering at $4.47 million (£3.30 million), and compromised credentials at $4.37 million (£3.22 million).

Average Breach Lifecycle

A breach lifecycle is the time between a data breach occurring and its containment.

In 2019, it took an average of 206 days to identify a breach and 73 days to contain it, amounting to a 279-day breach lifecycle.

In 2021, the average time to identify a breach is 212 days, and the average time to contain it is 75 days, totalling a 287-day breach lifecycle.

The faster a data breach is identified and contained, the lower the damage costs. Breaches with lifecycles of less than 200 days were on average $1.26 million (£0.93 million) less costly than breaches with lifecycles greater than 200 days ($3.61/£2.66 million vs $4.87/£3.59 million).


The average UK cybersecurity budget is around $900,000 (£663,000), compared to an average of $1.46 million (£1.08 million) globally, according to Hiscox.

As the costs of data breaches continue to rise and threats become more difficult to contain, organisations need to adapt and invest in technologies and approaches that can optimise their incident prevention and resolution capabilities.

Taking steps such as investing in an incident response plan, implementing AI and automation, and creating a security team is key to decreasing the costs of security incidents in the future and to avoiding the devastation associated with lost business and reputational damage.
