When a data breach occurs, an organization's primary goal is to stop the bleeding of an unauthorized intrusion.
But the average data breach lasts 280 days, according to IBM's Cost of a Data Breach report in partnership with Ponemon Institute released Wednesday. The survey included responses from more than 3,200 individuals involved in data breach incidents, across 17 industries and 524 breached organizations.
With every passing day a breach goes undetected or unresolved, costs mount, customers lose patience, and a company earns a reputation of neglect.
Each breach comes with a different price tag based on several conditions, including:
- Cause of the breach
- Actions taken following an incident, including prevention
- If there was a history of data infringements
- What data was compromised or used
- How an organization worked with authorities or regulators
Costs can balloon following a breach, from audits and investigations, consumer notifications, third-party investigations, legal expenses, tarnished reputations, and potential fines.
IBM's report found a 1.5% decrease year-over-year in the total average cost of a breach, but some individual cost components have increased. Companies or industries that have lagged in security compliance or innovation face the steepest prices.
Here are key figures to note from IBM's annual report:
$3.9M: Average cost of a data breach
Data breach response, including forensic investigations and lost business, historically reaches millions of dollars for companies suffering a data breach.
If a security system is more complex, "created by the number of enabling technologies and the lack of in-house expertise," breach response will cost almost $292,000 more, according to the report.
Cloud migrations were responsible for "higher than average" costs, raising costs by $267,469. If a breach was caused by a cloud misconfiguration, the total cost of recovery increased to $4.4 million.
As developers and engineers work remotely with off-kilter business hours, the chances of misconfigurations increase. Half of developers and engineers bypass cloud security or compliance policies when deploying updates and products, according to a DivvyCloud report.
But half of data breaches are caused by malicious cyberattacks, which increases the cost of each compromised record. Eight in 10 breaches contain customer personally identifiable information.
On average, it costs $150 per lost or stolen PII record. If the attack was malicious, the price increases to $175 per record.
The value of data varies across sectors too. "When it comes to a manufacturing assembly line to build a widget, the risk of losing PII and [sensitive personal information] is not as high as in the financial sector," Chris Scott, director of Security Innovation and Remediation at IBM, told CIO Dive.
46%: Respondents who think the CISO is responsible for a data breach
While responsibility of a breach might fall on the CISO, overall security is more distributed.
Half of the blame falls squarely on the CISO's shoulders, but only 27% of respondents said the security executive is "most responsible for cybersecurity policy and technology decision-making," according to the report.
One-quarter of respondents said the CIO or CTO carries the burden of security decision-making. "There is an oxymoron there" because only one of the executives is expected to take the heat of a breach, said Scott.
Less than 1% of CISOs are actually fired due to a breach, according to an IDC study. Twelve percent of CISOs who oversaw a breach feel the incident would cause them to be let go.
"There's no template or timeline with regard to changes in an organization's structuring post breach," said Scott. "I believe that organizations that suffered a breach need to reflect on the processes, practices as well as culture that led them to the incident … Some organizations do this, some don't."
77%: Data breach expenses incurred within the first year of discovery
Less-regulated industries, including retail and media organizations, pay 77% of breach-related expenses in the first year. Those in highly regulated fields, such as health, education or pharmaceuticals, pay only 44% of their costs in the first year.
"I've been doing this for 20 years, and 20 years ago, there was not a lot of regulation. Only the most sophisticated, most highly funded organizations are capable of really thinking about information security," because their resources and compliance force them to, Andy Riley, executive director of security strategy at Nuspire, told CIO Dive.
IBM analyzed the "longtail costs" of 101 companies that "captured two or more years of data breach costs" and found the first year of a breach accounted for 61% of data breach costs in 2020.
The report concluded lingering legal and regulatory costs lead to a longer tail of breach-related expenses for heavily regulated industries.
"Even today some healthcare providers are still pretty unaware of what the requirements are under HIPAA and fly under the radar, which is pretty shocking," said Riley. However, new regulations, including the California Consumer Privacy Act, upped the ante of penalties, and "raised the consciousness of information security."
280 days: Average time to detect and contain a breach
How long it takes a breached company to respond to an incident depends on its industry, degree of regulation, geography and security capability. Costs are lower among companies with more mature security solutions, including automation and incident response processes.
"The breach cost difference between companies that are all-in on security automation, and those that have yet to deploy it is $3.58 million," which continues to grow by millions annually, said Scott.
It takes companies 315 days to detect and contain breaches rooted in malicious attacks. A company that can respond to a breach in less than 200 days stands to save up to $1.1 million compared to those that take more than 200 days.
"We can't determine based off the report's findings the frequency by which companies struggle to overcome breach costs," said Scott. However, the report indicates that "slowly but steadily" more companies have fully deployed security automation.
76%: Organizations that predict breach response will take longer because of remote work
Organizations expect the "lifecycle" of a breach to extend due to a distributed workforce.
"The saying 'time is money' applies here," said Scott.
Because organizations were accustomed to monitoring security at the edge, a remote workforce turned security on its head. "Data is moving through less controlled environments today," said Scott.
Unregulated data movement requires visibility. Companies should be asking whether their security organization has cloud-based visibility services or if employees have guidelines on how to safeguard sensitive data in remote environments.
"Remote work models can create many new security blind spots if an organization doesn't put the necessary technologies and controls in place," he said.