IBM and the Ponemon Institute have released their Cost of a Data Breach Report 2021, based on an analysis of 537 breaches across multiple regions and industries. The results are eye-opening and provide a window into the nature and scale of reputational costs, meaning the business lost after a breach, which an organization incurs regardless of how sensitive or well-protected the exposed data actually was.
Overall, the total cost of a data breach rose 10% over 2020 to $4.24 million. That’s the largest year-over-year increase in seven years. But it’s not evenly distributed. For example, where remote work factored into the cause of a breach, the cost was higher by over $1 million. And the healthcare industry led all others in cost for the 11th consecutive year, growing nearly 30% to $9.23 million.
Reputational harm and lost business
There are several different types of cost that go into the total cost of a breach, but according to the report, the biggest contributor in 2021 was lost business, representing 38% of the total cost, or $1.59 million. This number includes increased customer turnover and increased cost of acquiring new business due to reputational harm, along with lost revenue due to system downtime.
Illuminate Education exemplifies this type of risk. In January 2022 the company — which provides education and assessment software to school districts across the U.S. — suffered a large data breach. New York City banned the use of their products after it was revealed that private data belonging to 820,000 students there had been taken.
The scope of the breach continues to expand, with many other students affected in districts nationwide. It seems prudent to assume that more of those districts will cut ties with Illuminate Education, with severe bottom-line effects for the company — all because of a data breach that may very well have been preventable.
Consider also the recent example in which the Oregon Secretary of State's (SoS) campaign finance reporting process was disrupted in the run-up to primary elections (discussed in detail in an earlier blog post). The chain of dependencies had three links: the Oregon SoS uses the campaign finance reporting system ORESTAR; login information for ORESTAR is held in a database owned by the campaign finance firm C&E Systems; and C&E Systems relies on a web hosting provider, Opus Interactive, which suffered a severe ransomware attack and data theft.
Despite not having been victimized itself, the Oregon SoS had to address the potential security consequences and invest in public relations efforts to reassure voters that the upcoming election was not in any way affected by the breach.
Key cost differentiators
The Cost of a Data Breach Report also provides considerable insight into the mitigating effects on cost of different security strategies.
- Breached companies with fully deployed security AI and automation capabilities (such as those provided by Barracuda Email Protection) saw the biggest reduction in cost. Their total breach cost averaged $2.90 million, compared to $6.71 million for companies with no such capabilities, a difference of $3.81 million. (The report describes this as an 80% cost difference; measured against the $6.71 million figure, it is a reduction of about 57%.) These organizations also identified and contained breaches faster.
- Companies with a mature Zero Trust deployment (such as Barracuda CloudGen Access) averaged $3.28 million per breach versus $5.04 million for those without Zero Trust, a saving of $1.76 million, or roughly 35%. That fits another finding in the report: compromised credentials were the most common initial attack vector, responsible for 20% of breaches.
- Breaches in hybrid cloud environments were the least costly of the public cloud, private cloud, on-premises and hybrid categories, averaging $3.61 million, which the report puts at 28.3% less than public cloud breaches at $4.80 million. Companies in the midst of large cloud migrations saw higher breach costs, whereas those further along in their cloud adoption identified and contained breaches 77 days faster than early-stage adopters.
Steps to minimize risk
The reputational costs and potential business impacts of a data breach are clearly severe. But by implementing high-impact security solutions, you can not only reduce the chances that your organization will fall victim to a data breach, but also significantly lower the total cost in case an attacker still succeeds in breaching your data.
As you migrate to the cloud, it’s especially important to ensure that your security strategies are able to extend comprehensive protection across your entire infrastructure. Barracuda’s cloud-first solutions work together to secure email, defend networks and apps, enforce zero trust access controls, and protect data wherever it’s deployed.
Tony Burgess is a twenty-year veteran of the IT security industry and is Barracuda’s Senior Copywriter for Content and Customer Marketing. In this role, he researches complex technical subjects and translates findings into clear, useful, human-readable prose.
You can connect with Tony on LinkedIn.