Oct 122021

Data Breaches are More Expensive than Last Year, New IBM Security Report Finds

Kaitie M. Wilson and Colleen Theresa Brown
, , ,

Death, taxes and data breaches. Cybersecurity incidents have grown in frequency, scale and seriousness. As articulated in President Biden’s May 2021 Executive Order, Improving the Nation’s Cybersecurity, “[t]he United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” These threats lead to direct costs on victims, and these costs have also grown exponentially in recent years, as readers of the famed annual Ponemon data breach report well know.  This year’s report is out, and confirms the continuation of a troubling trend.

Sponsored by IBM Security, the Ponemon Institute studied over 500 data breaches from 17 different countries to provide an insightful look into the costs of data breaches, summarized in the “Cost of a Data Breach Report 2021.” An increase in remote work, combined with a slow uptake of security automation and modernized technologies, increased the overall costs of identifying and containing a data breach. In 2021, the average total cost of a data breach rose to $4.24 million. For the eleventh year in a row, healthcare organizations faced the highest costs of a breach at $9.23 million. The next closest industry was financial at $5.72 million.

The Report also tracks a number of other very interesting metrics. Not only did the average total cost increase, but the average number of days to contain a breach also increased to 287 days, seven days more than last year. Of those 287 days, 212 were spent identifying the breach and 75 were spent containing it. 20% of data breaches in 2021 occurred as a result of compromised credentials, followed closely by phishing (17%) and cloud misconfiguration (15%). While the compromise of business emails represented only 4% of breaches, such breaches were the costliest, at an average of $5.01 million.

This increase in costs could be due to the remote work environment caused by the COVID-19 pandemic. When a breach was caused, at least in part, by remote work, the average cost of a data breach was $1.07 million higher than breaches where remote work was not a factor. This uptick in cost for remote work could be attributed to a lack of needed technology improvements prompted by the pandemic. Companies that did not make such changes in response to the pandemic spent, on average, $750,000 more to respond to a data breach. Remote work had other negative effects. Being remote slowed the time it took to respond to a data breach—if an organization had more than 50% of its workforce working remotely, the organization took almost two months longer to identify and contain the breach.

The report reaffirmed the importance of several technology upgrades and security enhancements that can mitigate costs. The largest cost differential occurred between organizations with a fully deployed security automation system and organizations without any security automation deployed—a difference of $3.81 million, or 80%. As expected, an organization could detect and respond to a breach more quickly and more cheaply if they had fully deployed security AI.

Likewise, deploying zero trust, an approach that continuously validates users and connections based on an assumption that any user accessing the network may be compromised, greatly reduced the cost of an average data breach. Without zero trust deployed, organizations faced an average cost of $5.04 million, compared to $3.28 million for organizations with a mature stage of zero trust deployment. Of the organizations studied, only 35% had partially or fully deployed zero trust. Relatedly, organizations with a hybrid cloud model (as compared to a public or private cloud model) faced lower costs associated with a data breach.

Costs also greatly escalated if an organization failed to comply with regulatory burdens. Between organizations with a high level of compliance failures and organizations with a low level of compliance failures, costs were amplified by over 50%. These added costs included lawsuits and fines due to a lack of compliance.

Based on their findings, the authors of the report highlighted seven recommendations to minimize the costs of a data breach:

  • “Invest in security orchestration, automation and response (SOAR) to help improve detection and response times.”
  • “Adopt a zero trust security model to help prevent unauthorized access to sensitive data.”
  • “Stress test your incident response plan to increase cyber resilience.”
  • “Use tools that help protect and monitor endpoints and remote employees.”
  • “Invest in governance, risk management and compliance programs.”
  • “Embrace an open security architecture and minimize the complexity of IT and security environments.”
  • “Protect sensitive data in cloud environments using policy and encryption.”

Read the full report, more interesting facts, and details on their recommendations here.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Kaitie M. Wilson

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

You might also like
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.

Cybersecurity Takeaways From White House Tech Report

On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.