The average cost of a data breach has increased 10% year-over-year, according to the IBM Security 2021 Cost of a Data Breach Report. Data breach costs have reached record levels and are higher than at any other point in the past 17 years that IBM Security has been analyzing data breach costs.
The average cost of a data breach has increased from $3.86 million last year to $4.24 million in 2021, with healthcare data breaches the most expensive, costing an average of $9.23 million to resolve. The average healthcare data breach cost has increased by more than $2 million year-over-year.
The data for the report come from a survey conducted by the Ponemon Institute and analyses of data breaches between May 2020 and March 2021 by IBM Security at 500 companies worldwide. Those data breaches involved between 2,000 and 101,000 records. IBM Security researchers studied various factors that influence the cost of data breaches, with the breach costs taking into account downtime, lost business, increased customer turnover, legal costs, regulatory fines, lost productivity, and brand damage. Lost business is the largest part of the breach cost, typically accounting for around 38% of the total cost or $1.6 million.
IBM Security separately analyzed several “mega” data breaches for the report. These breaches involved the exposure or theft of between 50 million and 65 million records. These data breaches cost more than 100 times as much as breaches of between 1,000 and 100,000 records, with an average cost of $401 million per breach.
Ransomware attacks increased during the period of study and accounted for 8% of the breaches studied for the report. The cost of those attacks was higher than average, costing $4.62 million to resolve. The most common root cause of data breaches is compromised credentials, which was the cause of 20% of data breaches.
Data breaches often result in the exposure or theft of personally identifiable information (PII) such as names, email addresses, passwords, and health data. PII was compromised in 44% of the analyzed breaches, and when PII was involved, breach costs were higher. The average cost per record of a PII breach was $180, whereas the overall average cost per record was $161. Last year the average cost per record was $146 across all industry sectors.
IBM Security researchers identified several factors that can reduce the cost of a data breach. The pandemic forced businesses to rapidly change to a largely remote workforce, which hampered attempts to contain data breaches. The average time to identify and contain a breach was 287 days overall, broken down as 212 days to identify a breach and 75 days to contain it. Businesses that had more than half of their employees working remotely took 58 days longer to contain a breach than those with less than half their workforce working remotely.
When AI, security analytics, and encryption are implemented, data breach costs are lower. These three mitigating measures resulted in cost savings of between $1.25 million and $1.49 million per breach. Having a fully deployed security automation strategy also significantly reduces data breach costs. The average cost of a data breach at a business with no security automation was $6.71 million compared to $2.90 million at businesses with a fully deployed security automation strategy.
The ability to respond quickly to a breach can significantly reduce breach costs. Businesses that have an incident response team and a tested incident response plan had average breach costs of $3.25 million, with the average cost with neither 54.9% higher at $5.71 million per breach.
Implementing zero-trust also lowers breach costs. Businesses that had taken a zero-trust approach to security had an average breach cost of $3.28 million, whereas those that did not paid $1.76 more.
Cloud-based data breach costs were the highest for organizations with a primarily public cloud ($4.80 million), followed by those with a private cloud strategy ($4.55 million), and were cheapest at businesses that had adopted a hybrid cloud strategy ($3.61 million). The further along the cloud migration journey a business has gone, the faster it is to identify and contain a breach. Businesses at the early stage of their cloud migration journey took 77 more days to identify and contain a breach than those that that were at an advanced stage of cloud migration.