IBM recently released its 2021 Cost of a Data Breach report, and the news, not surprisingly, is not good. The average total cost of a data breach rose from $3.86 million to $4.24 million, an increase of 10%. There’s a lot of interesting data in the report, including information on the impact of remote work and Zero Trust mitigation.
The report is based on 537 data breaches that occurred in 2020 in 17 countries and regions, and in 17 different industries. IBM excluded the outliers – very large and very small breaches – to arrive at its numbers.
Calculating the Cost of a Data Breach
The analysis focused on four different categories of data breach costs:
- Detection and escalation
- Notification
- Post-breach response
- Lost business
The greatest cost (38%) was due to lost business. Detection and escalation and post-breach response contributed 29% and 27% to the total cost, respectively. Notification accounted for only 6% of the cost on average.
Cost of Data Breaches by Region and Industry
Underlying the average data breach cost of $4.24 million is a great deal of regional variation. Data breaches were most expensive for US organizations, at an average cost of over $9 million per breach. Breaches in Brazil were the least expensive, at just over $1 million per breach. European countries mostly came in closer to the average — $4.6 million in the UK and $4.89 million in Germany.
For the 11th year in a row, healthcare sector data breaches were most expensive, costing organizations $9.2 million on average. Breaches in the finance sector came in second at $5.7 million. Public sector data breaches “only” cost $1.9 million, on average.
The Impact of Remote Work
Not surprisingly, remote work increased the likelihood of a data breach. Breaches in which remote work was a factor cost organizations over $1 million more than breaches in which it was not. One of the factors contributing to these higher costs is that it took 58 days longer to identify and contain a breach when a majority of an organization’s workers were remote.
With many companies moving to hybrid office / remote work environments for the long term, it’s especially important that cybersecurity setups are appropriate for both serving and securing remote workers. Moving to cloud-based security solutions can make it easier to secure workers wherever they are located, while providing easy access to the resources they need.
Zero Trust Reduces Data Breach Costs
Organizations of all types are rapidly moving to Zero Trust security solutions. Twenty percent of the organizations covered in the report already have Zero Trust protocols fully deployed, and another 15% have them partially deployed. An additional 22% are planning to deploy Zero Trust within the next year, so a solid majority of organizations either have deployed or are planning to deploy Zero Trust solutions in the near future.
One of the principles of Zero Trust security is to “assume breach” – that is, understanding that despite organizations’ best efforts, cyberattacks succeed. Therefore, it’s important to take steps that would mitigate any damage in the event that a breach occurs. Two of the most important ways to do that are to implement least privilege access, which leverages per-user policies to limit user access to only the apps and data they need to do their jobs, and to microsegment networks to prevent lateral movement, if (or when) a breach does occur.
Significantly, the report found that data breach costs for companies with mature Zero Trust deployments were $1.7 million lower than costs for companies that had not deployed any Zero Trust solutions ($3.3 million vs. $5 million).
These statistics, of course, do not – cannot – account for the greatest advantage of implementing Zero Trust security: the fact that organizations that have done so are much less likely to fall victim to a data breach in the first place. For example, technologies such as Ericom Remote Browser Isolation, a zero-trust browsing security control, prevent web-borne malware from reaching endpoints and networks and protect against credential theft, stopping incipient breaches before they can begin. Zero Trust security controls can and should be deployed across all of the points where users interact with devices, applications, workloads, and networks.
Benefits of Security AI and Automation
According to the Cost of a Data Breach report, data breach costs for organizations that had fully deployed AI and automation-based security solutions were nearly 80% lower than for organizations without those technologies ($2.9 million versus $6.7 million). Early breach detection is believed to be responsible for the lower costs.
As the cost of data breaches continues to climb, it’s more urgent than ever to move to a Zero Trust network security paradigm, both to prevent data breaches and other cyberattacks and to mitigate damage in the event of a breach.