The average cost of a data breach continues to climb, according to IBM’s 17th annual global study of the cost to an organization of a security incident.
For the 537 breaches that occurred during the 12-month period ending in March, participants estimated data breaches cost their companies an average of $4.24 million (all figures in US dollars) per incident, said the report issued Wednesday. That’s the highest cost in the survey’s history.
The report’s author, the Ponemon Institute, also says there’s evidence security incidents became more costly and harder to contain because the COVID-19 pandemic forced staff at many organizations to work from home. Many weren’t using protected corporate computers, nor were they protected by corporate cybersecurity defences.
Breaches cost on average over $1 million more when remote work was a factor in a data breach, said the report, compared to those where remote work wasn’t a factor.
The survey included nearly 3,500 interviews, and looked at data from 17 countries and regions and 17 different industries. Participants estimated their direct costs.
Canadian results
Among the 26 Canadian organizations studied, the average cost was $5.35 million. That was up slightly from the 2020 study. The average number of records exposed in this group was 24,400.
“While it’s not a surprise that data breach costs rose to their highest level during the pandemic, it should be a stark reminder for businesses to not let security lag behind as they accelerate their digital transformation,” Ray Boisvert, an IBM Canada associate partner for security strategy, said in a statement.
“For Canadian financial and technology companies in particular, who are digitizing faster than others in the country and paying more per lost or stolen record, investment in data security, AI and encryption should go hand in hand with cloud migration.”
Data breach costs include detection of an incident and escalation (such as forensic analysis, crisis management and audit services), notifying regulators and victims, post-breach response (help desk costs, credit monitoring for victims), and lost business.
Other findings of the 26 Canadian data breaches studied include:
·Financial industry breaches cost the most by far, at $383 per lost or stolen record;
·Stolen user credentials were the most common method used as an entry point by attackers both globally (20 per cent of breaches) and for Canadian organizations;
·The use of AI, encryption and employee training were the top three mitigating factors shown to reduce the cost of a breach globally and in Canada. The report estimates Canadian firms using these three strategies saved themselves around $1.2 million compared to those who did not make significant use of these tools;
·While the average time to identify a data breach improved in Canada last year, from 168 to 164 days, the average time to contain a data breach slowed, from 58 to 60 days. The global average among firms studied to detect and contain a data breach was 287 days (212 to detect, 75 to contain).
Mitigating factors
Globally, those organizations studied that had incident response teams and plans also had lower data breach costs than those that didn’t. Companies with an incident response team that also tested their incident response plan had an average breach cost of $3.25 million, while those that had neither in place experienced an average cost of $5.71 million.
Another interesting nugget was the impact of zero-trust security strategies among the firms studied. Broadly speaking, zero trust requires all users to be authenticated, authorized, and continuously validated for security configuration and posture before being granted access to applications and data. Of the global group studied, only 35 per cent had implemented a zero-trust security approach. However, those in the mature stage of their zero trust deployment had an average breach cost that was $1.76 million less than organizations without zero trust.
The report is available here. Registration required.