DATA BREACH METRICS FROM 2019 TO 2020: Overall Decrease in Cost, but Increase in Cost for Healthcare
The Ponemon Institute released its 2020 Data Breach Report, published by IBM Security, which unsurprisingly shows a marked increase in the frequency of data breaches in the USA. New metrics added to the report were: 1) participants identifying the type of threat actors responsible for the attacks and their motivations; and 2) positive impacts felt by companies that engaged red teams to conduct internal vulnerability and penetration tests.
Please see the excerpted statistics below:
The average cost of a data breach decreased approx. 1.5% from $3.92 million last year to $3.86 million. However, the average total cost of a data breach has increased by 10% since 2014.
Incident response (IR) preparedness was the highest cost saver for businesses. The average total cost of a data breach for companies with an IR team that also had tested an IR plan was $3.29 million, compared to $5.29 million for companies with neither an IR team nor tests of the IR plan — a difference of $2 million. The cost difference between these groups was $1.23 million in the 2019 study.
Red team testing also decreased the cost of a data breach by $243,184.00.
80% of breached organizations stated that customer PII was compromised during the breach, far more than any other type of record. The cost per record of customer PII increased to $175 in breaches caused by a malicious attack.
Anonymized customer data was involved in 24% of breaches in the study, at an average cost of $143 per record, which increased to $171 per record in breaches caused by malicious attacks.
Malicious attacks registered as the most frequent root cause (52% of breaches in the study), versus human error (23%) or system glitches (25%), at an average total cost of $4.27 million.
Malicious breaches took an average of 315 days to identify and contain.
Breaches caused by a system glitch took approximately 244 days to identify and contain.
Breaches caused by human error took 239 days to identify and contain.
Lost business costs accounted for nearly 40% of the average total cost of a data breach, increasing from $1.42 million in the 2019 study to $1.52 million in the 2020 study. Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.
Breaches caused by Nation-State actors or Advanced Persistent Threats, which accounted for 13% of the reported breaches, were the most expensive types of breaches – costing an average of $200,000 more than the most common type of breach.
53% of breaches were carried out by financially motivated criminals, 13% by hacktivists and 21% remaining unknown.
On average, companies in the 2020 study required 207 days to identify and 73 days to contain a breach in 2019, combining for an average “lifecycle” of 280 days. While the lifecycle of a breach averaged 329 days in the healthcare sector, the average lifecycle was 96 days shorter in the financial sector (233 days).
Fully deployed security automation helped companies reduce the lifecycle of a breach by 74 days compared to companies with no security automation deployment, from 308 to 234 days.
Organizations subject to more rigorous regulatory requirements had higher average data breach costs.
Healthcare, energy, financial services, and pharmaceuticals experienced an average total cost of a data breach significantly higher than less regulated industries such as hospitality, media, and research.
Public sector organizations traditionally have the lowest cost of a data breach in this research because they are unlikely to experience a significant loss of customers following a data breach.
Energy, healthcare, and retail industries experienced the greatest increase in data breach costs.
Healthcare recorded the highest average time to identify and contain a breach at 329 days.
The average cost of a data breach in the health care industry increased by 10% since 2019, to $7,130,000.00.
80% of 2020 healthcare industry breaches included PII records, with each PII record estimated to cost $150.00 per breach.
The financial industry had the slowest industry response time to identify and contain a data breach at 233 days.
The employment of a remote workforce increased the average total cost of a data breach ($3.86 million) by nearly $137,000.