IBM Data Breach Report shows costs are rising

Back door to a building.
Courtesy: Brett Sayles

Cybersecurity insights

  • The 2021 IBM Security Data Breach Report outlines the key factors behind the rising cost of data breaches for industries around the world. Health care remains the costliest industry, and the United States remains the region with the highest average cost. A single breach can cost millions, with the total scaling with the number of records compromised.
  • Digital transformation is one of several mitigation tactics organizations have adopted to lower both the cost of a breach and the likelihood of a threat actor gaining a foothold. It can also shorten the lifecycle of a breach (the time needed to detect and contain it), which lowers the overall cost.

The 2021 edition of the annual IBM Security Cost of a Data Breach Report identifies the factors that, compared with 2020, increased or reduced the cost of data breaches for organizations across multiple industries. The average cost of a breach rose 10%, from $3.86 million in 2020 to $4.24 million in 2021. This is the largest single-year increase in the last seven years and the highest average in the history of the report, which draws on data from 537 organizations across 17 countries and regions and 17 industries.

A data breach exposes an organization’s protected records and other sensitive data, including medical and financial records and personally identifiable information (PII). It leaves company, customer and employee information in the hands of attackers, with major damages and follow-on costs. The rising cost of breaches, and of mega breaches in particular (breaches of more than 1 million records), continues to hit industries across the board. However, organizations that take certain preventive steps have consistently contained their total losses better than organizations that take none.

Data Breach Report costs

Health care has had the highest average breach cost of any industry for 11 consecutive years, reaching $9.23 million in 2021, a significant increase from $7.13 million in 2020. Because of the value of its data, a history of under-investment in security and the degree of connectivity between clinical and administrative systems, the health care industry is a more attractive and more exposed target. Behind health care are the financial industry at $5.72 million, pharmaceuticals at $5.04 million, and technology ($4.88 million) and energy ($4.65 million), both of which saw significant decreases from 2020 to 2021.

Since 2015, the average cost of a data breach has increased 11.3%. The United States tops the regional list with an average cost of $9.05 million, followed by the Middle East, Canada and Germany. Latin America, however, saw a 52.4% increase from 2020 to 2021, the largest of any region in the report.

Customer PII was the most common type of record compromised, accounting for 44% of compromised data in 2021. It was also the costliest record type, rising from $150 per record in 2020 to $180 per record in 2021. Anonymized customer data accounted for 28% of compromised records, intellectual property for 27%, employee PII for 26% and other data for 12%. Across all record types, the average cost per record increased 10.3% from 2020 to 2021.

Destructive attacks and ransomware were costlier than the average breach: ransomware attacks cost an average of $4.62 million. Across all breaches, lost business was the largest cost component, at $1.59 million, or 38% of the $4.24 million average. Lost business covers the revenue a company forgoes while systems are down during a breach, along with increased customer turnover and the higher cost of acquiring new business once the company’s reputation has been damaged. This was a slight increase compared with the 2020 findings.

The benefits of digital transformation

The rising cost of data breaches has pushed many organizations to pursue digital transformation as a way to prevent cyberattacks and reduce their cost. The COVID-19 pandemic and the resulting shift to remote work remain a factor in breach costs. The U.S. Bureau of Labor Statistics reports that 33% of establishments increased remote work, which widens the attack surface and raises the risk of a breach. Breaches in which remote work was a factor cost $1.07 million more on average than those in which it was not.

Organizations that prepared before a breach fared measurably better than those that took no preventive measures. Organizations with an incident response (IR) team and a tested IR plan suffered $2.46 million less in damages per breach than organizations with neither. The average cost of a breach for organizations with an IR team and tested plan was $3.25 million in 2021, a slight decrease from $3.32 million in 2020. With no IR team or plan, the average cost was $5.71 million in 2021, up from $5.09 million in 2020.

The cost of a mega breach, which the report defines as a breach of more than 1 million records, has also increased since 2018. The average cost of a breach of 50 million to 65 million records was $401 million, nearly 100 times the $4.24 million average for all breaches. The more records lost, the higher the cost.

Aside from reducing the total cost of a data breach, digital transformation also helped to shorten the lifecycle of a breach, the time it takes to detect and contain it. In 2021, the average time to detect a breach was 212 days and the average time to contain it was 75 days, for an average lifecycle of 287 days, a week longer than the 280-day average in 2020. Companies with more than 50% of their workforce working remotely took, on average, 58 days longer to detect and contain a breach than companies with less than 50% working remotely.

The longer a breach goes undetected and uncontained, the more it costs. Breaches that took longer than 200 days to identify and contain cost an average of $4.87 million, whereas breaches resolved in less than 200 days cost $3.71 million.

Breaches caused by compromised credentials took the longest to detect and contain, with an average of 250 days to detect and 91 days to contain, a total of 341 days. Business email compromise (BEC) followed closely behind with a total lifecycle of 317 days. The shortest lifecycles were for cloud misconfiguration, at 250 days, and other technical misconfigurations, at 223 days.

Ways to mitigate data breach costs

In 2021, IBM looked for the first time at breaches that occurred in the cloud or during cloud migration. Extensive cloud migration was the third highest cost-amplifying factor overall. Maturity mattered, though: organizations at a mature stage of cloud modernization identified and contained breaches in an average of 252 days, faster than those still in the early stages.

Adopting a zero-trust model was also a significant factor in reducing costs. Under zero trust, every user, device and application is authenticated and authorized on each request rather than trusted because it is inside the network, so a user presenting valid credentials can still be denied access if the device cannot be verified. This limits an attacker’s ability to move laterally through the network after an initial compromise and can stop an attack before it reaches sensitive data. There was a $1.76 million, or 42.3%, cost difference between organizations with a mature zero-trust deployment and those with none: the average cost with mature zero trust deployed in 2021 was $3.28 million, compared with $5.04 million with no zero trust deployed.
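The per-request decision described above can be made concrete with a small policy evaluator. The following is an added illustration, not code from IBM or from the report: it combines an identity check, a device attestation check and a per-resource authorization rule, denies by default, and shows why a correct password on an unverified or unpatched device is still refused. The device inventory, resource policies, user roles and sample requests are all constructed for the example, and the names (`TRUSTED_DEVICES`, `RESOURCE_POLICY`, `evaluate`, and so on) are hypothetical.

```python
"""Minimal zero-trust access decision (added illustration, not IBM's code).

Every request is evaluated on identity, device posture and the resource being
requested; a valid password alone never grants access. All inventories,
policies and sample requests below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed device inventory: only devices enrolled and attested by a
# hypothetical device-management system appear here, with their last posture.
TRUSTED_DEVICES = {
    "laptop-0042": {"owner": "alice", "disk_encrypted": True, "patched": True},
    "laptop-0077": {"owner": "bob", "disk_encrypted": True, "patched": False},
}

# Constructed resource policy: the minimum assurance each resource demands.
RESOURCE_POLICY = {
    "wiki": {"mfa": False, "attested_device": False},
    "payroll-db": {"mfa": True, "attested_device": True},
    "patient-records": {"mfa": True, "attested_device": True, "roles": {"clinician"}},
}

# Constructed user directory with role assignments.
USERS = {
    "alice": {"roles": {"clinician"}},
    "bob": {"roles": {"finance"}},
}


@dataclass
class Request:
    user: str
    password_ok: bool   # result of the primary credential check
    mfa_ok: bool        # result of the second-factor check
    device_id: str
    resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def device_is_attested(device_id: str, user: str) -> bool:
    """A device counts as verified only if it is enrolled, belongs to the
    requesting user, and currently meets the posture baseline."""
    dev = TRUSTED_DEVICES.get(device_id)
    return bool(dev and dev["owner"] == user and dev["disk_encrypted"] and dev["patched"])


def evaluate(req: Request) -> Decision:
    """Evaluate one request; unknown resources and failed checks deny by default."""
    reasons = []
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown resource: deny by default"])
    if not req.password_ok:
        return Decision(False, ["credential check failed"])
    if policy["mfa"] and not req.mfa_ok:
        reasons.append("MFA required")
    if policy["attested_device"] and not device_is_attested(req.device_id, req.user):
        reasons.append(f"device {req.device_id} not attested for {req.user}")
    required_roles = policy.get("roles")
    if required_roles and not (USERS.get(req.user, {}).get("roles", set()) & required_roles):
        reasons.append("role not permitted for resource")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["identity, device and authorization checks passed"])


def run_samples() -> dict:
    """Constructed requests covering the allow and deny paths."""
    samples = {
        "alice_records_trusted": Request("alice", True, True, "laptop-0042", "patient-records"),
        "alice_records_unknown_device": Request("alice", True, True, "laptop-9999", "patient-records"),
        "bob_payroll_unpatched": Request("bob", True, True, "laptop-0077", "payroll-db"),
        "bob_records_wrong_role": Request("bob", True, True, "laptop-0042", "patient-records"),
        "alice_wiki_no_mfa": Request("alice", True, False, "laptop-9999", "wiki"),
    }
    return {name: evaluate(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} ({'; '.join(d.reasons)})")
```

The second and third sample requests are the case the paragraph describes: the password and MFA checks pass, but the request is refused because the device is either unknown or fails its posture baseline. Note that the evaluator collects every failed check rather than stopping at the first one, which is what an analyst wants in the decision log.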

Along with zero trust, companies have benefited from strong encryption and from security AI and automation. Strong encryption was a top cost-mitigating factor: organizations using high-standard encryption had an average breach cost of $3.62 million, a $1.25 million, or 29.4%, difference from those with no or low encryption. Security AI and automation refers to security technologies that augment or replace human intervention in identifying incidents and intrusion attempts, using tools such as machine learning and analytics. Organizations with security AI and automation fully deployed had an average breach cost of $2.90 million, those with it partially deployed averaged $3.85 million, and those with none deployed had the highest average cost, $6.71 million.

Across nearly all of its findings, the 2021 report shows the cost of a data breach rising compared with previous years, regardless of digital transformation efforts. The findings still show that specific preventive measures effectively reduce costs. IBM recommends:

  • Adopting a zero-trust security model
  • Investing in security orchestration, automation and response (SOAR)
  • Stress-testing the IR plan with the IR team
  • Using tools to monitor and protect remote workers
  • Investing in governance, risk management and compliance programs, including risk quantification
  • Using policy and encryption to protect sensitive data, including in cloud environments
  • Embracing an open security architecture
  • Minimizing IT and security complexity.
