Cybersecurity Solutions - Cyber Security Platform | SenseOn

What does a data breach cost in 2020?

The answer, according to the Ponemon Institute’s ‘Cost of a Data Breach Report 2020’ is $3.86 million.

Now in its 15th year, the 2020 report, commissioned by IBM, surveyed 3,200 people from 524 organisations in 17 industries across 17 countries and regions. It revealed that the average total cost of a data breach has actually declined by 1.5% compared to the 2019 report, which found the average cost to be $3.92 million.

Nearly 40% of the average total cost of $3.86 million was accounted for by lost business, that is, customers who don’t come back. Lost business costs increased from $1.42 million in 2019 to $1.52 million in 2020, and also included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business owing to a damaged reputation.

Is prevention better than the cure? A growing divergence

Despite the nominal decrease from $3.92 million in 2019 to $3.86 million in 2020, there is an increasing divergence in the costs faced by organisations that have invested in cyber security automation technologies and those that have not. Security automation is defined as the use of artificial intelligence platforms and automated breach orchestration, and the share of businesses that have fully deployed these capabilities has increased from just 15% in 2018 to 21% in the latest findings.

It would seem there is a good reason for doing so: according to the 2020 report’s findings, businesses that had not invested in and deployed security automation saw an average total cost of $6.03 million, more than double the average cost of a data breach of $2.45 million for those organisations with fully deployed security automation capabilities. Having fully deployed automation capabilities also helped organisations reduce the lifecycle of a breach by 74 days compared to companies with no security automation deployment, from 308 to 234 days. 

The saving in average breach costs of $3.58 million has increased from a saving of $1.55 million in 2018. The gap is widening at an exponential rate, and will likely continue to do so.


Customer PII: most popular and most expensive

Of the organisations and breaches surveyed, the most sought-after record type was customers’ personally identifiable information (PII). 80% of breached organisations reported that customer PII was compromised, far more than any other type of record. As well as being the most popular with would-be attackers, customer PII is also the most costly record type. According to the report, the average cost per lost or stolen record is $146 across all data breaches. For each record containing personal customer information, the cost to the business increased to $150 per record.

That cost grew further to $175 in breaches caused by a malicious attack. Nearly a quarter of breaches included in the Ponemon Institute's research involved anonymised customer data, at an average cost of $143 per compromised record. Again, in instances where the breach was caused by a malicious attack, the cost per record to the business increased, in this case to $171 per record. 

Mega breaches

Through analysis of some significant data breaches, the report found that organisations that exposed more than one million records suffered costs far in excess of the overall average. Breaches of 1 million to 10 million records cost an average of $50 million, over 25 times the average cost of $3.86 million for breaches of fewer than 100,000 records. Breaches involving more than 50 million records were found to cost in excess of 100 times the average, at a staggering $392 million.

Breaches caused by nation states

Whilst financially motivated cyber criminals accounted for over half (53%) of malicious breaches in the 2020 study, those caused by nation state actors were found to be the costliest for organisations. Although far less frequent, accounting for 13% of the breaches studied, the presumed state-sponsored breaches cost an average of $4.43 million, compared to $4.23 million in the case of financially motivated cyber criminals.

The impact of COVID-19

Although the research for IBM’s report began before the widespread impacts of the COVID-19 pandemic had taken effect, the researchers asked participants to answer supplementary research questions about the potential impact of having a remote workforce, brought about due to the pandemic. 

COVID-19 has, of course, changed the way many organisations operate, with the vast majority of employees now working remotely from the comfort of their own homes. Remote working on such a massive scale presented, in many cases, unique challenges for the IT and security teams tasked with implementing and subsequently securing this new way of working. 

In the Ponemon Institute’s report, 76% of respondents to the supplementary research questions said that having a remote workforce would increase the time to identify and contain a potential data breach and 70% predicted that remote work would increase the cost of a data breach.

This was indeed found to be the case: having a remote workforce was found to increase the average total cost of a data breach of $3.86 million by nearly $137,000, for an adjusted average total cost of $4 million.


About the author

David Atkinson, Founder and CEO, Senseon

Before moving into the cyber security industry, David spent over 15 years working within the UK’s specialist military units, where he was the first cyber operative. His combined experience and technical abilities, gained from his background in military, government and the private sector, have led him to challenge the current approaches to cyber security and to create Senseon.