How much does a data breach cost?

Cybersecurity is a vital component in the toolkits of modern businesses. Significant data breaches, breaches that put people at risk, or blue-chip brands being fined record sums make it into mainstream news reporting. However, the reality is that data breaches are happening every day at varying scales.

The Ponemon Institute’s 17th annual Cost of a Data Breach Report, published as usual by IBM Security, lays bare the scale of the problem worldwide.

What costs factor into the report?

One of the most beneficial aspects of the Cost of a Data Breach Reports is that they take a broad view of how a data breach can affect a business.

For example, the reports consider:

  • Lost business
  • Business disruption
  • Regulatory and legal costs, such as fines and compensation paid to those who make a data breach claim
  • Impact on stock valuation for publicly traded companies
  • How a data breach may affect a business’s value if involved in merger or acquisition talks

It is unclear whether sums paid to ransomware attackers or stolen by cybercriminals are included within the calculations.

How much does a data breach cost?

This year’s report found the average cost of a data breach was $4.24 million (£3 million). This is the highest annual average cost ever recorded and represents an increase of nearly 10% on last year’s figures ($3.86 million / £2.8 million).

The report found that businesses in the United States incurred the highest data breach costs ($9.05 million / £6.53 million). The industry that suffered the most costly data breaches was healthcare ($9.23 million / £6.66 million).

What impact has the Covid-19 pandemic had on data breaches?

One interesting finding from the report was that the average cost of a breach where remote working may have been a factor was $4.96 million (£3.59 million).

Considering many businesses have adopted remote or hybrid working for the foreseeable future, this is hugely significant.

While we may immediately conclude that remote working leaves businesses more vulnerable to data breaches, there is more to it than that.

As well as increasing vulnerability, remote working also affects the speed of response. For example, the report found that businesses with more than half their workforce working away from the office took an average of 316 days to identify and contain data breaches. In contrast, the overall average was 287 days, a gap of just under a month that could make a significant difference.

The biggest thing that stands out from these numbers? That it takes businesses so long to identify there is a problem!

If your data has been leaked as part of a data breach, you may be entitled to compensation. Contact LawPlus today for a FREE assessment of your claim.

What is the most common cause of data breaches?

Perhaps unsurprisingly, compromised credentials were the biggest culprit here.

Such data breaches were responsible for 20% of the total, with an average cost of $4.37 million (£3.16 million).

While we know little about specific cases, this would indicate that businesses either don’t have or are failing to adequately enforce policies around using hard to guess or “crack” passwords. It also seems likely that things like 2-Factor Authentication (2FA) are not being used to their fullest extent and potential.

The next most common cause of data breaches was phishing, coming in at 17%. As phishing typically requires some data input from the recipient of a piece of communication, this, alongside compromised credentials, means that well over a third of data breaches are wholly avoidable!

Report highlights numerous factors that can reduce the impact of data breaches

While the average cost of a data breach hit record levels amidst the pandemic and shift to remote working, the report also highlighted the positive impact of different technologies on preventing and mitigating data breaches.

Businesses that resist implementing advanced cybersecurity solutions often cite cost concerns as the reason, yet implementing them is far cheaper than dealing with a breach.

What factors can help mitigate the potential and the consequences of data breaches, and to what extent are businesses using them?

Automation and artificial intelligence deployment

According to the report, 65% of businesses were at least partly using AI security tools and automation in the past 12 months. This is an increase from 59% in 2020’s report, likely driven by new adopters being alert to the risks of moving to a remote working model.

However, the starkest finding from the report is the difference that automation and AI can make to the cost of a breach when one does occur:

  • For businesses with no cybersecurity automation, the average data breach cost $6.71 million (£4.84 million).
  • In contrast, businesses using cybersecurity automation saw the average data breach cost $2.9 million (£2.09 million).

With a data breach costing more than double when cybersecurity automation and AI are not in place, what possible reason can there be for not deploying them?

A strict “zero trust” approach

The “zero trust” approach is a concept that means businesses adopt a policy of not assuming any user, device, or connection is trustworthy, internally as well as externally. Companies that adopt a zero trust approach have added security in place that helps to authenticate users, applications, and devices.

If your work email server alerts you to emails sent from someone outside of your organisation, this is an example of zero trust systems at work.

Businesses that utilised a strict zero trust approach may still suffer data breaches. However, according to the report, those breaches cost $1.76 million (£1.27 million) less than those experienced by businesses using no zero trust characteristics.

The use of cloud storage

The report found that businesses that had fully migrated to cloud storage models contained data breaches, on average, 77 days quicker than those that hadn’t.

Data breaches involving hybrid cloud models – where businesses use a combination of public and private cloud platforms – were found to have the lowest costs versus other potential cloud storage models.

Time = Money

The recurring themes throughout the report are costs and the time taken to identify data breaches.

Perhaps unsurprisingly, these two factors are linked, with quick identification and response times leading to far lower data breach costs. The report also found that businesses that could identify and contain a data breach in under 200 days saw costs nearly 30% lower than those that took longer to take action. 

If businesses aren’t doing all they can and should be doing, you could have grounds for a claim!

As the numbers show us, even businesses that put significant mitigation measures in place can fall victim to a data breach. However, at least those businesses are doing what they can to prevent your data from falling into the wrong hands.

If businesses are negligent in handling your data, leading to your data being stolen or otherwise accessed without your permission, you may have grounds for a data breach claim.

If your data has been involved in a breach, contact LawPlus today for a FREE assessment of your claim.