Report reveals the cost of data breaches hits record high
IBM Security recently released its annual ‘Cost of Data Breach Report’, revealing that the average cost of a data breach has hit a record high of €4.29 million ($4.35 million), an increase of almost 13% over the past two years.
Learning from past cybersecurity incidents can enable an organisation to better withstand, and even prevent, future attacks. In this blog post, we look at some of the key findings outlined in the ‘Cost of Data Breach’ report.
Key findings from the IBM cost of data breach report
- 60% of organisations raised their prices as a result of a data breach
- 83% of organisations have experienced one or more breaches in their lifetime
- 50% of breach costs are incurred more than a year after the incident occurred
- 62% of organisations said they were not sufficiently staffed to meet their cybersecurity needs
Supply chain attacks
A supply chain attack is a breach resulting from a compromise of a business partner such as a supplier.
This is the first year IBM has examined supply chain attacks in detail, as several major attacks have occurred in recent years and the statistics show that they are rapidly increasing.
The report found that 19% of breaches were supply chain attacks, where the breached organisation was compromised as a result of a business partner being compromised first.
Cost of a supply chain attack
The average total cost of a supply chain compromise was €4.36 million ($4.46m), greater than the overall average cost of a data breach of €4.29 million ($4.35m), a difference of about 2.5%.
Number of days to identify a supply chain attack
A supply chain attack took an average of 26 days longer to identify and contain than the global average of 277 days. In total it took 303 days: 235 days to identify the attack and a further 68 days to contain it.
Ransomware
Ransomware is malware designed to deny an organisation access to the files on its computers or networks by encrypting them. The attackers then demand a ransom in exchange for the decryption key needed to restore access to the encrypted files.
The report found that 11% of breaches were ransomware attacks, a 41% increase on the year prior.
Compared to 2020, the average cost of a ransomware attack declined from €4.52 million ($4.62m) to €4.44 million ($4.54m). However, the frequency of ransomware breaches increased from 7.8% in 2020 to 11% in 2021.
Among critical infrastructure organisations (financial services, industrial, technology, energy, transportation, communications, healthcare, education and the public sector), 28% have experienced a destructive ransomware attack, while 17% have experienced a breach caused by a business partner being compromised.
Number of days to identify a ransomware attack
In 2021 a ransomware attack took 49 days longer than the global average to identify and contain. In total it took 326 days: 237 days to identify the attack and a further 89 days to contain it.
Ransomware payout
The report found that paying the ransom does not make financial sense. Organisations that paid saw their breach costs reduced by €596,857 ($610,000) compared with those that did not, but that figure excludes the ransom itself, which, once included, can erase the saving entirely.
IT and Human errors
In 2021, breaches caused by human error accounted for 21% of all breaches during the year.
Human error covers any breach caused unintentionally through the negligent actions of an employee or contractor. This could be anything from clicking a link in a phishing email to a process mistake or an error introduced in source code.
By comparison, IT failures, meaning incidents caused by the disruption or failure of an organisation's computer systems that lead to a loss of data, including process failures and faults in source code, were responsible for 24% of breaches.
Remote Work
Part of IBM's report examines the effect that remote working during the Covid-19 pandemic has had on cybersecurity incidents.
This is the third report published since the pandemic began, and the results show that remote working has had a considerable effect on the cost of a data breach.
For organisations with 81 to 100% of employees working remotely, the average cost of a breach was €4.99 million ($5.1m).
For organisations with fewer than 20% of employees working remotely, the average cost was €3.9 million ($3.99m), which is €1.08 million ($1.1m) less than for organisations with a higher share of remote employees.
The report also looks at remote work as a cause. Where remote work was a factor in causing the breach, the average cost was roughly €4.9 million ($4.99m); where it wasn't, the average cost was €3.93 million ($4.02m), a difference of €0.95 million ($0.97m) or 21.5%.
When remote work was a factor, the cost was also €0.63 million ($0.64m) above the overall global average, a difference of 13.7%.
Healthcare and HSE Attack
Healthcare organisations saw the costliest breaches for the 12th year in a row. The average cost of a breach in this sector increased by nearly €980,000 ($1m), hitting a record high of €9.88 million ($10.1m).
One of the most significant cyber security incidents of 2021 was the attack on the HSE (Health Service Executive). The attack caused months of disruption to the health service and could ultimately cost up to €100 million.
An independent review of the attack carried out by PwC found that the HSE was operating a frail IT environment and did not have adequate cyber security expertise or resources.
Initial attack vectors
An initial attack vector is the method by which an attacker first gains unauthorised access to a network, from which a further attack such as ransomware or other malware deployment can be launched.
Attack vectors allow cybercriminals to exploit vulnerabilities in order to reach sensitive data, including personally identifiable information (PII) and other valuable information exposed by a data breach.
The report records 10 initial attack vectors, ranging from accidental data loss to phishing attacks and insider threats. The average cost associated with each vector and how frequently it occurred are given in the table below.
| Attack vector | Average cost (millions) | Frequency (approx.) |
|---|---|---|
| Social engineering | €4.01m ($4.10m) | 4% |
| Accidental data loss or lost device | €3.86m ($3.94m) | 5% |
| System error | €3.74m ($3.82m) | 7% |
| Business email compromise | €4.78m ($4.89m) | 7% |
| Physical security compromise | €3.87m ($3.96m) | 9% |
| Malicious insider | €4.09m ($4.18m) | 11% |
| Vulnerability in third-party software | €4.45m ($4.55m) | 13% |
| Cloud misconfiguration | €4.05m ($4.14m) | 15% |
| Phishing | €4.80m ($4.91m) | 16% |
| Stolen or compromised credentials | €4.40m ($4.50m) | 19% |
With the cost of data breaches rising steadily, organisations have a real responsibility to take their cyber security more seriously. Now that the average cost of a data breach has reached a record high of €4.29 million ($4.35 million), organisations in all sectors need to make the security of their data a strategic priority.
How the experts can help
One of the best ways to reduce the likelihood of a successful data breach is to draw on experience of how breaches actually happen.
Secora offers a wide range of services that are tailored to your organisation's specific requirements:
- We can help you prepare for the worst-case scenario by simulating threats to your organisation.
- We can help improve your cyber security posture, reducing your exposure to a breach.
- We can run simulated phishing campaigns to measure cyber security awareness within your organisation and demonstrate how a breach may occur.
Partner with us today and our experienced penetration testing and cyber security consultants will go the extra mile to ensure your organisation stays secure during these testing times.
Our services
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.