Global data theft costs rise to $4.2m a breach

The US continued to top the list, with an average data intrusion cost of $9.05m

epa07294580 (FILE) - ILLUSTRATION - A person sits in front of a computer screen in Moers, Germany, 04 January 2019 (reissued 19 Jauary 2019). Media reports on 17 January 2019 state that a record with numerous stolen user data has been published on the Internet. The collection named Collection #1 contained almost 773 million different email addresses, more than 21 million different passwords and more than a billion combinations of credentials, according to a Australian IT security expert. Internet users shall be affected worldwide.  EPA/SASCHA STEINBACH
Powered by automated translation

The average global cost of a data breach rose by about 10 per cent a year to $4.2 million over the past 12 months, according to IBM.

Remote working and rapid digital transformation due to the Covid-19 pandemic were behind the increase, the technology company said in its annual Cost of a data breach report 2021.

Healthcare organisations had the highest average costs for the 11th year in a row.

The rapid adoption of digitisation in the Middle East has made the region an attractive target for a wide array of cyber threats and this has also been intensified by the pandemic
Hossam El Din, IBM's general manager for the Middle East and Pakistan

The average cost was $1.07m higher in organisations where remote work was more prevalent.

“Organisations that had more than 50 per cent of their workforce working remotely took 58 days longer to identify and contain breaches than those with less working remotely,” the report said.

“IT [information technology] changes such as cloud migration and remote work increased costs, yet organisations that did not implement any digital transformation changes as a result of Covid-19 experienced $750,000 higher costs compared to the global average.”

The IBM study, which was independently conducted by Washington's Ponemon Institute, is based on an analysis of more than 537 real-world breaches that occurred over the past year in 17 different industries across 17 regions and countries.

The US continued to top the list, with average costs of $9.05m, up from $8.6m a year ago. It was followed by Saudi Arabia and the UAE ($6.9m), Canada ($5.4m), Germany ($4.9) and Japan ($4.7m).

Lost business accounted for average total costs of $1.6m. It included higher customer turnover, lost revenue due to system downtime and the growing cost of acquiring new business when a company's reputation has been damaged.

Customers' personal information made up the most common type of record lost, with 44 per cent of cases. It was also the costliest, at $180 per lost or stolen record.

The compromise of business emails accounted for only 4 per cent of breaches but had the highest average total cost of the 10 top attack vectors in the study, at $5.01m.

The second costliest was phishing ($4.7m), followed by malicious insiders threats ($4.6m), social engineering ($4.5m) and compromised credentials ($4.4m).

“The rapid adoption of digitisation in the Middle East has made the region an attractive target for a wide array of cyber threats and this has also been intensified by the pandemic,” said Hossam El Din, IBM's general manager for the Middle East and Pakistan.

The average total cost of healthcare breaches rose by 29.5 per cent to $9.2m this year, compared with 2020. The energy sector dropped from second to fifth place this year, with the cost of attack at an average $4.7m.

Other industries that had large average cost increases included services ($4.7m), communications ($3.6m), consumer ($3.7m), retail ($3.3m) and hospitality ($3m).

Overall, it took an average of 287 days to identify and contain a data breach – broken down into 212 days to identify the intrusion and 75 days to stop it. That means if a breach occurred on January 1, it would not be contained until October 14.

In 2021, about a quarter of respondents said they had made full use of security automation while 40 per cent had partially done so and 35 per cent had not.

Organisations with no security automation had data breach costs of $6.7m on average this year versus $2.9m for companies with the full security toolkit.

“Organisations with fully deployed security AI and automation were able to detect and contain a breach more quickly [247 days] than organisations with no security deployed,” IBM said.

Updated: August 08, 2021, 8:50 AM