New IBM Report - The Real Cost of a Data Breach in 2021
You may have heard that cyber-attacks are becoming a regular part of business operations. It takes a lot of time and money to recover from an attack. That’s why many companies are investing in ways to reduce the harm of a potential attack – before it even happens. In this post, we’ll tell you everything you need to know about how much a breach could cost your company, drawing from IBM’s most recent Cost of a Data Breach report. And don’t worry – once we cover the cost of a breach, we’ll leave you with lots of tips and tricks on how to avoid a breach and reduce the cost of one if it does happen.
Recent trends in data breaches
If this sounds like a lot of money, you’re not alone in thinking so. This cost is actually a 10% increase from the cost of a breach in 2020. So, data breaches cost a lot and are getting more expensive every year.
Since data breaches cost businesses so much money, preventing one by maintaining good security practices shouldn’t be underprioritized. But budgets can be tight and getting support for more expenses can be a difficult task. If you’re having trouble getting buy-in for new security measures, letting your organisation know about the high cost of a data breach can help you make the case for investing in more data protection.
Cyber-attacks involving data breaches are becoming more common. The cost of recovering from these attacks is increasing, too.
So, since data breaches are happening more often and costing companies more money, it’s safe to say that we should pay attention to this issue.
Cyber criminals are smart. They know what kinds of businesses have the most to lose from a data breach and who can afford to pay ransom requests.
With this in mind, it makes sense that big organisations such as healthcare companies suffer the highest costs when they experience a data breach. Think about all the personal information about patients that hackers can gain access to. Healthcare organisations need access to patients’ records in order to care for them. Plus, they need to keep their patients’ trust when it comes to their sensitive information. The amount of sensitive data healthcare organisations have and their willingness to pay for control of these records makes healthcare organisations a big target for expensive data breaches.
In fact, the cost of a data breach for a healthcare organisation is more than double the overall average in 2021, at $9.23 million.
Even though larger companies are more obvious targets for cyber criminals, small businesses also suffer from data breaches. According to a Verizon report, 28% of breach victims are small businesses. Sometimes, data breaches can be even more harmful to small businesses because they can lack the institutional resources that big companies have. In the worst cases, small businesses may have to close completely because they are unable to recover financially from the breach.
To reduce the risk of your organisation falling victim to a data breach, you need to know how data breaches occur in the first place. The three most common sources of a data breach in 2021 are:
The most frequent way that hackers get into a company’s system is by getting access to an employee’s account information.
These kinds of attacks are the most common, and unfortunately, they also take the longest amount of time to resolve. In 2021, these breaches took an average of 341 days in total to detect and contain.
To reduce the risk of a breach caused by compromised credentials, it’s important to have strong passwords and be aware of phishing emails. One way to help your employees recognize phishing emails is through phishing training.
Business email compromise is when a high-level employee’s email is either spoofed or compromised by cyber-criminals. The cyber-criminals then take advantage of the fact that their emails look like they are coming from a trusted person to request sensitive information or payments. It’s not often used by cyber criminals – only 4% of attacks in 2021 were brought on by business email fraud. So why are we mentioning it?
Well, these kinds of breaches are incredibly expensive and cost an average of $5.01 million per breach.
Phishing is one of the most expensive methods of attack, costing an average of $4.65 million per breach.
This again highlights the importance of aware employees who can spot a phishing email.
Recovering from a data breach involves both direct costs and indirect costs. For example, direct costs can include the need to hire an IT forensic team to investigate the breach and repair damaged systems. One big indirect cost is the reputational harm businesses experience after being victims of a breach. Below you can see the different cost areas involved in a breach.
- 38%: lost business costs - reputational harm
- 29%: detection and escalation of the breach - audits and investigations
- 27%: post breach response - services for victims, e.g., help desk and credit monitoring
- 6%: notification - letting customers and regulators know about the breach via mail, telephone, email, etc.
Let’s dig into the biggest cost area, lost business, a bit further.
Lost business is the largest category of costs associated with breaches – it costs an average of $1.59 million per breach.
Put yourself in a customer’s shoes. As you hear news of the data breach, you begin to lose trust in the business that experienced the cyber-attack. If you are a current customer, you may wish to stop doing business with them. If you are a prospective customer, you might choose a different vendor that provides the same service.
The bottom line is that data breaches are bad for business.
Even after the company recovers all the sensitive data, it can take years for them to regain customers’ trust.
Beyond that, many businesses also suffer lost revenues from the time that their services were down during the breach, leaving customers without access. This is especially the case in ransomware attacks, where the ransomware brings a business “offline” for a period of time.
The total cost of a breach depends mostly on how efficiently an organisation can respond to it. The faster you can react to a breach, the less expensive it will be to manage. A few factors that impact the cost of a breach are:
- Existing security and detection practices
- How long it takes to find and contain the breach
- The amount of information that is compromised
- Safeguards the company puts in place after the breach to protect its own data and the people whose information was compromised during the attack
Also, a breach can become more expensive when ransom is involved, which is often the case in ransomware attacks. That’s because the company must recover from the breach itself and potentially pay a ransom to the cyber criminals. Without paying the ransom, the company may have trouble regaining access to its systems and important files. Because of the added cost, ransomware attacks are more expensive to recover from than breaches that do not involve ransomware. In 2021, 7.8% of breaches involved ransomware. Although it can seem like you have to pay the ransom if you are part of a ransomware attack, we do not suggest sending money to the cyber criminals. This is because you might not get your data back in its original condition and your willingness to pay could encourage future attacks.
We all know the saying, “time is money.” Seriously though – when it comes to data breaches, every day a breach goes undetected, the cost of resolving it increases.
The reality is that it takes much longer to identify a breach than it takes to contain one, but both processes can be lengthy. In 2021, it took an average of 212 days to identify a breach and 75 days to contain the breach. In other words, an average breach takes about ¾ of a year to recover from. This might seem like a long time, and believe it or not, it’s actually taking us longer to resolve data breaches now than in previous years. Detecting breaches is easier if you use practices such as SIEM and log management.
We all enjoy the flexibility of working from home. However, it can take longer to detect and contain a data breach when large parts of a company are working remotely.
Breaches involving remote work cost an average of $1.07 million more than breaches where remote work was not a factor.
The truth is that remote work is a regular part of our work culture today. To maintain data security while working from home, it is important that businesses protect their systems and their remote employees. Security measures like asset management tools can help increase your protection if remote work is common in your organisation.
Customer data is the type of data most often lost or stolen in data breaches. In 2021, customer data was lost or stolen in 72% of breaches. 44% of this was personally identifiable information, or information that can be traced back to a specific person.
Of course, when you see how common it is for customers’ sensitive information to be exposed during a breach, it’s easy to understand why data breaches are so bad for business. When customers’ personal information is compromised while in the care of a company, the customers may bring their business somewhere else.
The loss of personally identifiable information during a data breach is part of what makes data breaches so expensive for businesses. For example, customer personally identifiable information costs the most per record of stolen data. In 2021, it cost an average of $180 per record of this data.
While customer data is most often lost during data breaches, employee data is also targeted.
26% of the data lost during breaches in 2021 was employee personally identifiable information.
With the high amount of customer and employee information that is lost during data breaches, many businesses find themselves offering identity monitoring services to those impacted by the breach. Providing these services to employees and customers is an added cost that companies take on in the aftermath of a cyber-attack.
Personal data of course is a big focus of the GDPR. When personal data could have been compromised in a data breach, the GDPR requires specific actions.
If a data breach happens in your organisation, the GDPR has a few requirements related to notifications you must give. For example, you have to notify the national supervisory authority immediately and no more than 72 hours after you become aware of the breach, unless it is highly unlikely that personal data was compromised during the breach. In this notification, you’ll have to describe the nature of the breach, the type and amount of data compromised, the contact information of your Data Protection Officer, the expected consequences, and the actions you have already taken or plan to take in response. You’ll also have to notify the individuals whose data was impacted by the breach without unnecessary delay if you decide they could be at high risk.
So, we’ve covered how breaches happen and why they’re so expensive. Now, let’s move on to ways you can protect your organisation from breaches and reduce the cost of a breach if it does happen.
It goes without saying that the best way to reduce the cost of a breach is to avoid one in the first place. Preventing data breaches is a big topic, so we won’t go into too much depth on it in this post. We cover a lot of different prevention methods in depth in other blog posts. Some examples of ways you can prevent a breach are:
- Make sure the software on all your devices is up to date
- Train your staff to be aware of security best practices
- Conduct vulnerability assessments
- Work with vendors that have high data protection standards
- Encrypt personal data
- Encourage the use of strong account credentials/passwords
Adopting these practices can strengthen your security culture and make your organisation less vulnerable to a breach.
Hopefully, your organisation will not be a victim of a data breach. But, since data breaches are on the rise, it is likely that your organisation could be the target of a breach.
We’ve learned that our employees are our biggest resource when it comes to preventing and detecting data breaches. One way to reduce the likelihood and cost of a breach occurring in your company is to create a strong cyber security culture. Since many data breaches happen because of human error, like clicking on a link in a suspicious email, employees are our first line of defense.
But how can you reduce human error? Aware employees are less likely to make the mistakes that lead to data breaches. That’s why it’s important to create and maintain awareness about cyber security and proper data handling in your organisation. It can be done in many ways, for example through awareness training activities, simulations, and regular exposure to keep your employees sharp. A few ways CyberPilot can help you achieve a stronger security culture are:
- Free best practice posters/digital screensavers to keep in your office
- Awareness training that is quick and pain-free, with new lessons available regularly to keep your employees updated on new security threats they should know about
- Phishing training exposes your employees to simulated phishing attacks, teaching them to recognize a phishing email in a low-stakes scenario
Building a strong security culture does not have to be hard or time consuming. Plus, it can really reduce your risk of a data breach. Aware employees are safe employees, and when it comes to data breaches – that’s a cost you want to avoid.
Table: Average costs of different types of breaches
| Measure | Cost |
|---|---|
| Average total cost | $4.24 million |
| Average cost for a healthcare organisation | $9.23 million |
| Average cost for attacks resulting from business email compromise | $5.01 million |
| Average cost for phishing attacks | $4.65 million |
| Average cost when breach lasts longer than 200 days | $4.87 million |
| Average cost at an organisation where security AI and automation were fully deployed | $2.90 million |