- The average cost of a data breach has risen 12% over the past 5 years and is now $3.92M.
- U.S.-based breaches average $8.19M in losses, leading all nations.
- Not integrating mobile phone platforms and protecting them with a Zero Trust Security framework can add up to $240K to the cost of a breach.
- Companies that fully deploy security automation technologies experience around half the cost of a breach ($2.65M on average) compared to those that do not deploy these technologies ($5.16M on average).
These and many other fascinating insights are from the 14th annual IBM Security Cost of a Data Breach Report, 2019. IBM is making a copy of the report available here for download (76 pp., PDF, opt-in). IBM and Ponemon Institute collaborated on the report, recruiting 507 organizations that have experienced a breach in the last year and interviewing more than 3,211 individuals who are knowledgeable about the data breach incident in their organizations. A total of 16 countries and 17 industries were included in the scope of the study. For additional details regarding the methodology, please see pages 71 – 75 of the report.
Key insights from the report include the following:
- Lost business costs are 36.2% of the total cost of an average breach, making it the single largest loss component of all. Detection and escalation costs are second at 31.1%, as it can take up to 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach. IBM found the average breach lasts 279 days. Breaches take a heavy toll on the time resources of any organization as well, eating up 76% of an entire year before being discovered and contained.
- U.S.-based breaches average $8.19M in losses, leading all nations with the highest country average. The cost of U.S.-based breaches far outdistance all other countries and regions of the world due to the value and volume of data exfiltrated from enterprise IT systems based in North America. North American enterprises are also often the most likely to rely on mobile devices to enable greater communication and collaboration, further exposing that threat surface. The Middle East has the second-highest average breach loss of $5.97M. In contrast, Indian and Brazilian organizations had the lowest total average cost at $1.83M and $1.35M, respectively.
- Data breach costs increase quickly in integration-intensive corporate IT environments, especially where there is a proliferation of disconnected mobile platforms. The study found the highest contributing costs associated with a data breach are caused by third parties, compliance failures, extensive cloud migration, system complexity, and extensive IoT, mobile and OT environments. This reinforces that organizations need to adopt a Zero Trust Security (ZTS) framework to secure the multiple endpoints, apps, networks, clouds, and operating systems across perimeter-less enterprises. Mobile devices are enterprises’ fasting growing threat surfaces, making them one of the highest priorities for implementing ZTS frameworks. Companies to watch in this area include MobileIron, which has created a mobile-centric, zero-trust enterprise security framework. The framework is built on the foundation of unified endpoint management (UEM) and additional zero trust-enabling technologies, including zero sign-on (ZSO), multi-factor authentication (MFA), and mobile threat detection (MTD). This approach to securing access and protect data across the perimeter-less enterprise is helping to alleviate the high cost of data breaches, as shown in the graphic below.
- Accidental, inadvertent breaches from human error and system glitches are still the root cause for nearly half (49%) of the data breaches. And phishing attacks on mobile devices that are lost, stolen or comprised in workplaces are a leading cause of breaches due to human error. While less expensive than malicious attacks, which cost an average of $4.45M, system glitches and the human error still result in costly breaches, with an average loss of $3.24M and $3.5M respectively. To establish complete control over data, wherever it lives, organizations need to adopt Zero Trust Security (ZTS) frameworks that are determined by “never trust, always verify.”. For example, MobileIron’s mobile-centric zero-trust approach validates the device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to a device or user. This zero-trust security framework is designed to stop accidental, inadvertent and maliciously-driven, intentional breaches. The following graphic compares the total cost for three data breach root causes:
Lost business is the single largest cost component of any breach, and it takes years to fully recover from one. IBM found that 67% of the costs of a breach accrue in the first year, 22% accrue in the second year and 11% in the third. The more regulated a company’s business, the longer a breach will accrue costs and impact operations. Compounding this is the need for a more Zero Trust-based approach to securing every endpoint across an organization.
Not integrating mobile phone platforms and protecting them with a Zero Trust Security (ZTS) framework can add up to $240K to the cost of a breach. Companies working to bridge the gap between the need for securing mobile devices with ZTS frameworks include MobileIron, which has created a mobile-centric, zero-trust enterprise security framework. There’s a significant amount of innovation happening with Identity Access Management that thwarts privileged account abuse, which is the leading cause of breaches today. Centrify’s most recent survey, Privileged Access Management in the Modern Threatscape, found that 74% of all breaches involved access to a privileged account. Privileged access credentials are hackers’ most popular technique for initiating a breach to exfiltrate valuable data from enterprise systems and sell it on the Dark Web.