The global average cost of a data breach decreased slightly in 2020, reaching $3.86 million/breach, down 1.5% from 2019, according to the Cost of a Data Breach report 2020 released by IBM and the Ponemon Institute. Companies in the United States had the highest average total cost at $8.64 million/breach, followed by the Middle East at $6.52 million. Lost business continued to be the biggest contributing cost factor, accounting for 39.4% of the average total cost, and included business disruption and revenue loss from system downtime, loss of existing and new customers, and reputational damage.
Customers’ personally identifiable information (PII), which falls within the scope of data protection regulations, was compromised in 80% of all data breaches, making it the type of record most often lost or stolen. Customer PII was also the costliest type of data compromised in a data breach, averaging $150/record. Intellectual property came close behind, costing $147/stolen or lost record.
The average time it took to detect and contain a data breach was 280 days, with over 200 days needed for an organization to identify that a breach had taken place. Germany showed the highest efficiency in dealing with data breaches: it takes a German company only 160 days on average to detect and contain a data breach. Meanwhile, Brazil is on the other end of the spectrum with a staggering 380-day average. It remains to be seen if the coming into force of the Lei Geral de Proteção de Dados (LGPD), Brazil’s answer to the EU’s General Data Protection Regulation (GDPR), will help reduce companies’ reaction time in the coming years.
Covering the period between August 2019 and April 2020, the report does not touch on the full impact of the COVID-19 pandemic and remote work on the cost of a data breach. However, participants in the research were asked about the potential impact of longer-term remote workforces on costs. 70% agreed that working from home would increase the cost of a data breach and 76% said it would extend the time it took to detect and react to a potential data breach, a key factor in reducing data breach costs.
Root Causes of Data Breaches
The report showed that 52% of data breaches were caused by malicious attacks, with system glitches coming in second with 25% and human error being responsible for the remaining 23% of data breaches. For the first time, malicious attacks were broken down by threat vector, giving us a good overview of the most targeted data access points.
Compromised credentials and cloud misconfiguration were at the top of the list, each responsible for 19% of data breaches. Third-party software vulnerabilities accounted for another 16%. Social engineering and phishing attacks, which target employees directly and try to trick them into revealing sensitive information, accounted for 17%, and malicious insiders for a further 7%.
When it comes to human error, the Entertainment industry proved to have the most careless employees, with 34% of data breaches in the sector being attributed to them. In the public and consumer products sectors, 28% of data breaches were caused by human error, with healthcare following closely behind with 27%.
Costs by Industry
Companies subject to more rigorous regulatory requirements had higher average data breach costs. The healthcare industry continued to average the highest data breach costs of any industry, reaching $7.1 million/breach, a 10.5% increase from 2019. The energy sector overtook the financial industry, reaching the second-highest data breach cost with $6.39 million/breach, registering a worrying 14.1% increase from the previous year. The finance sector came in third, with $5.85 million/breach, recording a small 0.2% decrease from 2019.
The public sector had the lowest average data breach cost with $1.08 million/breach, a 16.3% decrease from last year. However, the success story of 2020 was the media sector that managed to reduce its data breach costs by an impressive 26.3%, reaching an average cost of $1.65 million/breach.
The reaction time to data breaches also varied greatly by industry, with the healthcare sector taking 329 days on average to identify and contain a breach, while the financial sector only took 233 days.
Incident response plans were the biggest cost saver when it came to the average cost of a data breach. Businesses that had appointed an incident response team and extensively tested their incident response plan had an average data breach cost of $3.29 million/breach, while those that didn’t have either of them had an average cost of $5.29 million/breach, an impressive $2 million difference.
Data breaches with a lifecycle of less than 200 days had an average cost of $3.21 million, $1.12 million less than those that took over 200 days to identify and contain, which cost $4.33 million/breach. Security automation was shown to have a significant impact on the data breach lifecycle, helping to reduce it by as much as 74 days on average.
Data loss prevention is also a key factor in cost-saving, helping companies save on average approximately $165,000/data breach through the direct protection of sensitive data. Extensive encryption can reduce data breach costs by a further $237,000.
No data protection strategy is foolproof and even the strictest cybersecurity framework cannot guarantee that a company will not suffer a data breach. Whether it’s a new vulnerability that hasn’t been discovered and patched yet or a tired employee making a careless mistake, companies can suddenly find themselves having to deal with a data breach and the significant costs that come with it. As shown in the IBM and Ponemon Institute’s Data Breach Report 2020, there are a number of ways organizations can help reduce the costs of data breaches and it all comes down to foresight and the right tools.