IBM report finds data breach costs are at a ‘record high’

30 Jul 2021

IBM said the rapid shift to remote working and operations during the pandemic has had an impact on the average cost of a data breach.

Data breaches now cost companies an average of $4.2m per incident, according to the latest IBM Security report. This is the highest figure in the report’s 17-year history.

It also marks a 10pc increase on the 2020 findings, when the average cost of a data breach incident was found to be $3.86m. This rise can be attributed to unprecedented operational shifts during the pandemic, the report said.

The study, sponsored and analysed by IBM Security, is based on research conducted by the US-based Ponemon Institute. It analysed real-world data breaches experienced by more than 500 organisations.

Businesses were forced to quickly adapt their tech approaches last year, with many companies encouraging or requiring employees to work from home. The report found that 60pc of organisations moved further into cloud-based activities during the pandemic.

But organisations with more advanced security paid a significantly lower price for data breaches than those that had not adopted AI, automation, zero-trust and cloud security, the report noted.

It suggested that security may have lagged behind rapid IT changes, hindering organisations’ ability to respond to data breaches.

“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, vice-president and general manager of IBM Security.

“While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero-trust approach – which may pay off in reducing the cost of these incidents further down the line.”

Remote work and operational shifts

The pandemic-induced pivot to remote work for most companies stood out as a key cause for an increase in the cost of data breaches.

Remote work was identified as a factor behind data breaches for nearly 20pc of the companies studied. When remote work was a factor, the report found that the average cost was about $1m more than the cost of breaches where remote work was not a factor.

For organisations that had more than 50pc of their workforce working remotely, the report found that it took 58 days longer to identify and contain breaches than at organisations with less than half of employees working remotely.

Industries such as healthcare, retail, hospitality and manufacturing that underwent significant operational changes also saw data breach costs skyrocket.

Healthcare organisations paid the highest price for breaches, the report found, at $9.23m per incident. This is an increase of $2m compared to the previous year.

Stolen user credentials were the most common cause of breaches in the study, and consumer data was heavily affected: 44pc of breaches exposed this type of data.

The report said that this could cause a “spiral effect”, with breached usernames or passwords potentially providing criminals with leverage for future data breaches.

The cost of not modernising

Organisations that did not update their security systems during the pandemic paid a higher price than those that quickly went through digital transformations to fortify security.

Data breach costs were $750,000 higher than average at organisations that had not undergone any digital transformation due to Covid-19, the report found. It also found that companies that adopted a zero-trust security approach were better positioned to deal with data breaches.

“This approach operates on the assumption that user identities or the network itself may already be compromised, and instead relies on AI and analytics to continuously validate connections between users, data and resources,” the report stated.

“Organisations with a mature zero-trust strategy had an average data breach cost of $3.28m, which was $1.76m lower than those who had not deployed this approach at all.”

An F-Secure report earlier this year showed how data breaches can put individuals at risk of cybercrime and gave tips on how people can protect themselves online.

Meanwhile, a report from DLA Piper highlighted some of the largest GDPR fines that were issued in Europe last year, including a €450,000 fine for Twitter for a data breach discovered in 2018 and a €35m fine for H&M in Germany for storing and exposing employees’ personal information.

Vish Gain is a journalist with Silicon Republic