Report: Healthcare Data Breach Costs Top All Industries Once Again

July 29, 2020
It’s the 10th consecutive year that the healthcare sector had the highest average data breach cost, according to IBM Security

Healthcare institutions continue to incur the highest average breach costs in 2020 at $7.13 million, representing a 10.5 percent increase compared to last year’s study, according to a new report from IBM Security.

This is the 10th year in a row that healthcare organizations—defined as hospitals and clinics—had the highest cost of a data breach, compared with 16 other industries. IBM Security recently announced the results of a global study examining the financial impact of data breaches, revealing that these incidents cost companies that were studied $3.86 million per breach on average, and that compromised employee accounts were the most expensive root cause.

An in-depth analysis of data breaches experienced by more than 500 organizations worldwide, spanning various sectors, found that 80 percent of these incidents resulted in the exposure of customers' personally identifiable information (PII). Out of all types of data exposed in these breaches, customer PII was also the costliest to businesses studied.

Sponsored by IBM Security and conducted by the Ponemon Institute, the 2020 Cost of a Data Breach Report is based on interviews with more than 3,200 security professionals in organizations that suffered a data breach over the past year. Some of the top findings from this year's report include:

  • While the lifecycle of a breach averaged 329 days in the healthcare sector, the average lifecycle was 96 days shorter in the financial sector (233 days).
  • Companies that had fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs compared to those who didn't have these tools deployed—$2.45 million vs. $6.03 million on average.
  • In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, studied businesses saw nearly $1 million higher data breach costs compared to the global average—reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.
  • Breaches wherein over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost studied companies $364 million on average, a cost increase of $19 million compared to the 2019 report.
  • Data breaches believed to originate from nation-state attacks were the costliest, compared to other threat actors examined in the report. State-sponsored attacks averaged $4.43 million in data breach costs, surpassing both financially motivated cybercriminals and hacktivists.
  • Forty-six percent of respondents said the CISO/CSO is ultimately held responsible for the breach, despite only 27 percent stating the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 cost savings versus the average cost of a breach.
  • Breaches at studied organizations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million.
  • While studied companies in the U.S. continued to experience the highest data breach costs in the world, at $8.64 million on average, those studied in Scandinavia experienced the biggest year-over-year increase in breach costs, observing a nearly 13 percent rise.

Stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies in the report, representing nearly 40 percent of malicious incidents. According to the researchers, companies' struggle with security complexity is likely contributing to cloud misconfigurations becoming a growing security challenge. The 2020 report revealed that attackers used cloud misconfigurations to breach networks nearly 20 percent of the time, increasing breach costs by more than half a million dollars to $4.41 million on average, making it the third most expensive initial infection vector examined in the report.

"When it comes to businesses' ability to mitigate the impact of a data breach, we're beginning to see a clear advantage held by companies that have invested in automated technologies," Wendi Whitmore, vice president, IBM X-Force Threat Intelligence, said in a statement. "At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry's talent shortage persists, teams can be overwhelmed securing more devices, systems and data. Security automation can help resolve this burden, not only supporting a faster breach response but a more cost-efficient one as well."
