Tuesday, 8 September 2020

Cost of a Data Breach Report 2020 shows costs have gone up

The Cost of a Data Breach Report 2020, conducted by the Ponemon Institute and sponsored and published by IBM Security, has found that it takes an average of 280 days, or over nine months, to identify and contain a data breach.

Overall, the report found that:

- More than half (52%) of all breaches are caused by malicious attacks, at an average cost of US$4.27 million. Other breaches are caused by human error (23%) and system glitches (25%).

- Of the malicious breaches, nearly four in 10 are due to human error, through compromised credentials (19%) and cloud misconfiguration (also 19%).

- Nation-state attackers are responsible for malicious breaches that cost an average of US$4.43 million. In contrast, hacktivists were responsible for malicious breaches that cost an average of US$4.28 million, while breaches caused by financially-motivated cybercriminals cost an average of US$4.23 million.

- Destructive/wiper-style attacks (average cost of US$4.52 million) and ransomware attacks (US$4.44 million) are malicious attacks that destroy data. They were more expensive than the average malicious breach (US$4.27 million) or the average data breach (US$3.86 million).

Source: Cost of a Data Breach Report 2020. Figure 9. Average total cost of a data breach by country or region*.

Average total cost went up in APME*

The average total cost of a data breach increased in 12 of 16 countries studied. The research found that organisations in the US had the highest average total cost at US$8.64 million, followed by the Middle East at US$6.52 million.

In terms of the percentage change in average total cost from 2019 to 2020, in local currency, Australia saw an upswing of 9.8% in costs, the highest percentage change, followed by Japan at 9.5%, and India and the Middle East tied at 9.4%. The ASEAN region was next with an 8.2% change, followed by South Korea at 7%.

APME root cause highlights

The Middle East and Australia had some of the highest percentages of breaches caused by malicious attacks, at 59% and 57% respectively. ASEAN had one of the highest percentages of data breaches caused by human error (30%).

At the IBM Security Virtual Summit 2020 ASEAN, Wendi Whitmore, VP, IBM Security X-Force, shared that 48% of data breaches in ASEAN are caused by malicious attacks, while 22% of them are due to system glitches. She also shared that the average cost per lost or stolen record in 2020 was S$201, an increase of 14.2% compared to 2019.
 
The verticals that did best
 
The healthcare, energy, financial services and pharmaceutical verticals experienced an average total cost of a data breach significantly higher than less-regulated industries such as hospitality, media and research. According to the report, public sector organisations traditionally have the lowest cost of a data breach because they are unlikely to experience a significant loss of customers as a result of the data breach. Energy, healthcare and retail experienced the highest increases in the average total cost, while the public sector, education and media had the greatest decreases.

Large organisations improved

Organisations with more than 25,000 employees experienced a drop in average total costs from US$5.11 million in 2019 to US$4.25 million in 2020, a 16.8% decrease. For mid-sized organisations, with 5,001 to 10,000 employees, total breach costs increased from an average of US$4.41 million in 2019 to US$4.72 million in 2020, a 7% increase. Smaller organisations, with 1,000 employees or fewer, had higher average costs per employee.

Whitmore said that phishing using 'coronavirus' as a lure increased 6,000% in Q1 2020, but that this is decreasing. "Even the attackers are kind of getting bored of the same lures, the same scams related to coronavirus phishing or coronavirus scams," she said. "More and more organisations are getting pretty accustomed to working from home.

"None of us know how long this is going to last, but it appears that this is going to last longer than most of us had hoped for."

She added that ransomware is trending up, with 'human-powered ransomware' or ransomware-as-a-service becoming common. "There's a lot of public naming and shaming and new extortion techniques," she noted.

She also said that ransomware attacks are targeting organisations working on COVID-19 vaccines along the supply chain, from biopharma firms to device manufacturers and global logistics companies. Details:

Read the Cost of a Data Breach Report 2020

*The Middle East region reports results from companies located in KSA and the UAE. ASEAN results come from companies in Singapore, Indonesia, Philippines, Malaysia, Thailand and Vietnam.
