A survey of more than 500 organizations conducted by the Ponemon Institute on behalf of IBM Security suggests that the shift to remote work has been a significant factor in driving up the cost of data breaches.
Nearly 20% of organizations studied reported that remote work was a factor in a data breach. Breaches cost over $1 million more on average when remote work was indicated as a factor in the event, compared to the cost of data breaches without this factor ($4.96 vs. $3.89 million), the survey finds.
Compromised user credentials were the most common method used as an entry point by attackers, representing 20% of breaches studied. Customer personal data such as names, email addresses, and passwords, were the most common type of information exposed in data breaches (44%).
The average time to detect and contain a data breach was 287 days. Breaches resulting from compromised credentials at 250 days took longer to detect than any other type of breach.
The loss of customer personal identifiable information (PII) was also the most expensive compared to other types of data at an average of $180 per lost or stolen record compared to $161 overall per record.
Overall, the survey finds companies experienced costs of $4.24 million per incident on average, a 10% increase over the previous year. However, those average costs factor in several mega breaches. The average cost of a mega breach involving 50 to 65 million records was $401 million. That is nearly 100x more expensive than the majority of breaches studied.
The study also finds organizations that experienced a breach during a cloud migration project had an 18.8% higher cost than average. However, the study notes that those who were further along in their overall cloud modernization strategy were able to detect and respond to incidents 77 days faster on average than those who were in early-stage adoption. Companies that had implemented a hybrid cloud approach had lower data breach costs ($3.61M) than those that had a primarily public cloud ($4.80M) or a primarily private cloud approach ($4.55M).
Organizations that have invested in a wide range of security technologies were also able to limit the cost of a breach. The adoption of AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, reducing costs on average between $1.25 million and $1.49 million.
The cost of a breach was $750,000 higher than average at organizations that had not undergone any digital transformation. Organizations with a mature zero-trust strategy had an average data breach cost of $3.28 million, which is $1.76 million lower than those who have not implemented zero-trust IT architecture.
The report also found that more companies were deploying security automation compared to prior years, leading to significant cost savings. Around 65% of companies surveyed reported they were partially or fully deploying automation within their security environments, compared to 52% two years ago. Those organizations with a “fully deployed” security automation strategy had an average breach cost of $2.90 million, compared to organizations that had automation that at $6.71 million incurred more than twice the cost of a data breach.
Organizations with an incident response team that also tested their incident response plan had an average breach cost of $3.25 million, while those that had no plan or had not tested their plan experienced an average 55% higher cost of $5.71 million.
Obviously, the cost of any data breach will vary widely from one organization to another. There are many ways to mitigate those costs but in the absence of any additional effort being made by most organizations, the average cost of a breach continues to head in the wrong direction.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.