The global average cost of a data breach rose by a worrying 10% in 2021, reaching $4.24 million, up from $3.86 million in 2020, according to the Cost of a Data Breach Report 2021 released by IBM and the Ponemon Institute. It was the highest average cost recorded in the 17 years the report has been published.
Companies in the United States had the highest average cost at $9.05 million/breach, followed by the Middle East at $6.93 million. Lost business continued to be the biggest contributing cost factor, accounting for 38% of the average total cost; it includes business disruption and revenue loss from system downtime, loss of existing and new customers, and reputational damage. The average time it took companies to detect and contain a data breach was 287 days, of which 212 days on average were needed for an organization to identify that a breach had taken place.
Customers’ personally identifiable information (PII), which is subject to data protection regulations, was compromised in 44% of all data breaches, making it the type of record most often lost or stolen. Customer PII was also the costliest type of data compromised in a data breach, averaging $180/record. Intellectual property, meanwhile, cost $169 per lost or stolen record.
The report also looked at the impact of remote work on data breaches that occurred during the pandemic. Breaches in which remote work was a factor had an average total cost of $4.96 million, 24.2% more than breaches in which remote work did not play a role.
Initial attack vectors in data breaches
This year, IBM and the Ponemon Institute categorized data breaches by ten initial attack vectors and dispensed with the broader root-cause categories used in previous years. The most common initial attack vector in 2021 was compromised credentials, accounting for 20% of breaches, followed closely by phishing at 17% and cloud misconfiguration at 15%.
Business email compromise was responsible for only 4% of data breaches but had the highest average total cost of any attack vector, $5.01 million/breach. Phishing was both a common attack vector and an expensive one for companies, with the second highest average cost at $4.65 million/breach. Malicious insiders, which accounted for 8% of all data breaches, had the third highest average total cost, $4.61 million/breach.
Whether by falling victim to phishing and social engineering attacks, turning malicious, or through accidents resulting in data loss, insiders accounted for 33% of all data breaches in 2021.
Costs by industry
In 2021, the healthcare industry again had the highest average total cost of any industry, reaching $9.23 million/data breach, a 29.5% increase from 2020. Healthcare has now been the top industry in average total cost for eleven years in a row. It was followed by financial institutions at $5.72 million/data breach and pharmaceutical companies at $5.04 million/data breach; both industries reduced their overall costs from 2020 by a very small margin.
2021 also saw a sharp increase in data breach costs for several industries. The media industry nearly doubled its average total cost, reaching $3.17 million/breach, a 92.1% increase from 2020. The public sector saw a 78.7% increase, reaching $1.93 million/breach, and hospitality jumped 76.2% from 2020, averaging $3.03 million/breach.
However, the year was not without its success stories. The energy industry managed to curb its data breach costs, reducing its average total cost by 27.2% from 2020 to $4.65 million/breach in 2021.
The costs of noncompliance
The report looked at costs associated with compliance failures for the first time. Out of a selection of 25 factors affecting data breach costs, compliance failures proved to be the number one cost-amplifying factor, showing the growing role data protection laws such as GDPR, CCPA and HIPAA now play in data breach costs.
Organizations that suffered high-level compliance failures resulting in fines, penalties and lawsuits experienced an average cost of $5.65 million/breach, while organizations with low levels of compliance failures faced costs of $3.35 million/breach, a $2.30 million, or 51.1%, difference.
The report also showed that companies in stricter regulatory environments continued to accrue costs in the years following a data breach. In less regulated industries, 68% of costs were incurred in the first 12 months, while in highly regulated industries only 46% were. The remaining costs in highly regulated industries were spread over the second year and later, as regulatory bodies issued fines and lawsuits were filed and settled.
As the pandemic weakened security responses and regulatory bodies stepped up enforcement of data protection laws, many industries faced a staggering increase in data breach costs in 2021. As we head into 2022, it is clear that companies must make cybersecurity and data protection a priority, not only to avoid business disruption but to limit the impact security incidents can have on their bottom line.