Each year, IBM Security releases its Cost of a Data Breach Report, a leading benchmark report not only in the cybersecurity industry but also of interest for any organization that handles sensitive data and wants to avoid costly breaches.
The primary purpose of the report is to identify trends in the area of cost per data breach, rather than simply total cost of all data breaches worldwide each year.
As for the findings of this year’s report, the results are somewhat alarming. Both the average total cost of a data breach and the cost per compromised record in a data breach experienced their highest levels since IBM began releasing their reports in 2015. This year’s results reflected the largest margin increase for the total cost of a data breach in seven years, and follows the previous year’s findings which actually saw a drop in both total average cost of a data breach and per-record cost.
So, what’s the story? We’ve got our full summary of the IBM cost of data breach report 2021, plus information about the unique connection between remote work and data breach statistics and how IT asset disposition or ITAD and data breach occurrences follow an interesting shared path.
Summary of the IBM Cost of Data Breach Report 2021
This year’s IBM data breach report was loaded with interesting findings that reflect a sea change in the way companies around the world are conducting business and managing their security. From a global pandemic that saw an unprecedented shift to remote work to more advanced tactics that hackers are using to breach company defenses, the key findings of the IBM data breach report show a cybersecurity industry trying to keep up with radical transformations within every industry on the planet.
With that in mind, here is our summary of the key findings of the IBM data breach report and their significance.
Increase in Average Total Cost of a Breach: 10%
From 2020 to 2021, the average cost of a data breach rose from $3.86 million to $4.24 million. That figure reflects not only the largest single-year jump the report has recorded but also the highest average total cost per breach in the report’s history.
Quoting from the report:
Costs were significantly lower for some of the organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security.
Consecutive Years with Healthcare Industry Holding Highest Cost per Breach: 11
It has now been 11 straight years of the healthcare industry experiencing the highest average cost of a data breach as well as the highest cost per record. Healthcare data breach costs rose from $7.13 million on average in 2020 to $9.23 million in 2021, an increase of 29.5%.
This is in contrast to some industries that saw significantly smaller jumps, and others that actually saw a reduction in cost per breach. One of these was the energy sector (from $6.39 million to $4.65 million).
The largest jump in costs per breach for any industry? The public sector, which saw a 78.7% increase in average total cost, from $1.08 million in 2020 to $1.93 million this year.
Lost Business Share of Total Breach Costs: 38%
When we talk about the costs of data breaches, what costs are we really talking about? The IBM report broke it down and found that one area results in by far the largest share of overall costs: lost business.
When a company or series of companies experiences a data breach, they immediately experience a loss of faith in their ability to keep customer data secure. Their name becomes associated with the breach, and PR missteps in its wake often add to the negative press.
The result? 38% of all data breach costs result from lost business, an average of $1.59 million per breach.
Per-record Cost of Personally Identifiable Information: $180
One of IBM’s most important metrics for measuring the cost of data breaches is the per-record cost of personally identifiable information. This refers to the average cost of a single customer’s records being lost to a breach.
This year, that average cost was $161. That means that each and every record lost or stolen from a company in a data breach cost it an average of $161, but that number varied depending on the type of record stolen.
Personally identifiable information, or PII, was not only the most common type of record lost (included in 44% of breaches) but was also the most costly per-record, with each one costing companies $180.
Share of Breaches Initially Caused by Compromised Credentials: 20%
This is a big one. We’ll get into how issues such as poor asset disposal can lead to compromised credentials later, but for now suffice it to say that 1 in every 5 breaches that occurred around the globe in 2021 was caused by compromised credentials. Other high-cost initial attack vectors were phishing, malicious insiders, social engineering, and business email compromise. Though business email compromise accounted for just 4% of total breaches, it had the highest average total cost of all attack vectors at just over $5 million.
Average Number of Days to Identify and Contain a Data Breach: 287
One of the most striking numbers from IBM’s study is this one— the average number of days to identify and contain a data breach, which in 2021 was 287 days— well over ¾ of a fiscal year.
Here’s some additional context on that number from the IBM study itself:
Data breaches that took longer than 200 days to identify and contain cost on average $4.87 million, compared to $3.61 million for breaches that took less than 200 days. Overall, it took an average of 287 days to identify and contain a data breach, seven days longer than in the previous report. To put this in perspective, if a breach occurring on January 1 took 287 days to identify and contain, the breach wouldn’t be contained until October 14th.
Cost Multiplier of > 50 Million Records vs. Average Breach: 100x
Let’s unpack this somewhat confusing statistic from the study, which has significant implications. It means that on average, if a breach involved 50 million records or more, it cost 100x more than a breach of fewer than 50 million records.
The average cost of these ‘mega breaches’ was $401 million, a $9 million increase over the previous year.
Average Cost of a Breach in Hybrid Cloud Environments: $3.61m
Good news for companies operating hybrid cloud environments: these environments had the lowest average total cost of a data breach compared to public cloud, private cloud, and on-premises models.
Data breaches in hybrid cloud environments cost an average of $3.61 million, $1.19 million less than public cloud breaches, or a difference of 28.3%. While companies that were in the midst of a large cloud migration experienced higher breach costs, those that were further along in their cloud modernization maturity were able to identify and contain breaches 77 days faster than those in the early stages of modernization.
Cost Difference for Breaches with High vs. Low Level of Compliance Failures: $2.30m
It turns out that being compliant with security measures doesn’t just help reduce the likelihood that your company will experience a breach— it also dramatically decreases the cost if a breach does occur.
On average, breaches at organizations with a low level of compliance failures cost $2.30 million less than those at organizations with a high level of compliance failures.
Interestingly, organizations with a high level of system complexity had an average cost of a breach $2.15 million higher than those with low levels of complexity.
Average Total Cost of a Data Breach: $4.24m
Back to the magic number— $4.24 million, the average cost of a data breach in 2021.
That figure was determined by combining results found by 537 organizations in 17 industries and across 17 countries/regions.
However, here at Transpere those numbers aren’t the ones that stand out to us the most. In fact, even the $4.24 million average cost of a data breach fades to the background in favor of another number, one that speaks to an issue that we’re extremely passionate about here at Transpere.
Cost Difference Where Remote Work Was a Factor in Breach: $1.07m
In 2021, more people moved to remote work than at any time in history. The COVID-19 pandemic led to more digital transformation between 2020 and 2021 than ever, with many companies going fully or at least partially remote around the globe.
The result? Breaches where remote work was a factor led to $1.07 million more in losses than breaches that didn’t involve remote work.
What does that mean? It means that companies around the globe that have more remote workers than before should begin taking their cybersecurity more seriously.
How Does Remote Work Impact Data Breaches?
Remember earlier when we mentioned that the complexity of a company’s security system had a direct correlation to total cost of a breach, with less-complex systems being less costly in breaches than more complex systems?
An IT/cybersecurity system that deals with remote employees and their work devices scattered across the map is a decidedly more complex system than a unified location where workers are all on a single, secure network.
Managing IT devices— particularly when it’s time to dispose of or recycle them— is a central but often-underestimated aspect of cybersecurity, particularly when it comes to the industries where breaches are the most costly.
Healthcare Industry Tops the List Again
That’s right: after an already decade-long run as the costliest industry in which to experience a data breach, healthcare once again had the highest average cost of a breach of any industry, by a wide margin.
Because the healthcare industry is so heavily regulated (HIPAA, anyone?) it can be assumed that a large portion of the healthcare data breaches and their associated costs come from failure to be compliant with industry and government regulations.
Left Out of the IBM Report: The Cost of Poor Hardware Retirement
It’s no surprise that IBM failed to address the gravity of a frequently underestimated and ignored aspect of cybersecurity— asset disposition. The way organizations throw away, destroy, recycle, or reuse their devices can often mean the difference between secure data and a major, devastatingly costly breach.
Remember how the healthcare industry was by far the costliest industry in which to experience a data breach? This is often the result of poor data destruction, which leaves sensitive data or credentials available to any attacker who happens to be paying attention and has the chance to grab a discarded laptop from a dumpster.
That’s why we offer HIPAA-compliant data destruction as one of our services to the healthcare industry, ensuring that all IT assets are safely and securely destroyed.
That said, the healthcare industry isn’t the only one that suffers from poor ITAD (IT asset disposition) strategies.
In 2020, Morgan Stanley famously became the subject of multiple lawsuits after failing to fully wipe some discarded devices containing unencrypted data and personal information.
As a result, it will now have to pay for two years of credit monitoring for customers whose data may have been breached, plus ‘identity restoration’ services that may be required if a client’s information is compromised, not to mention the lawsuits filed by multiple clients.
Want to avoid this fate and the fate of the many companies that lost millions, as outlined in the IBM report? Your best course of action is to hire a dedicated, secure ITAD company like Transpere.
At Transpere, we cover the entire process of secure asset disposition to ensure that your assets are retired securely, efficiently, and inexpensively so that you can focus on running your business and keeping your clients happy.
Ready to learn more? Contact us today!