According to the latest IBM report data, data breach costs increased by 10% in 2021, to $4.24 million. Is the COVID-19 pandemic the factor that explains the entire trend? ESET experts emphasize that it is necessary to look beyond the obvious.
The context of the COVID-19 pandemic certainly played a significant role in expanding the attack surface of corporate IT systems and in diverting organizations’ resources and attention away from cybersecurity projects. But as tempting as it may be, blaming the public health crisis doesn’t tell the whole story, ESET experts emphasize.
The cybersecurity firm’s investigators analyzed the recent IBM study to determine the reasons, beyond the pandemic, that explain why the costs associated with data breaches are now the highest ever.
The report details that, in total, data breach costs have increased by 10%, from $3.86 million in 2020 to $4.24 million in 2021. […], the average cost amounts to $401 million, a figure that corresponds to an increase of 2% compared to last year, when it was around $392 million.
According to the data, the theft of user credentials is the most frequent cause of data breaches. Among the most common types of data exposed, personal customer information (44%) stands out, including usernames and passwords. The situation becomes particularly problematic when we consider that many users reuse passwords across multiple accounts, which gives rise to what the experts call a vicious cycle: breached data is used to facilitate further intrusions and further information theft.
Insecure workstations, unsuspecting remote workers, worried IT staff, and telecommuting infrastructures ill-prepared for the challenges of the “new normal” have all contributed to the increase in data breaches, as well as to the cost of the incidents.
The IBM report highlights that nearly 20% of the organizations surveyed said that telecommuting was a factor in the breach; such incidents cost an average of $4.96 million, nearly 15% more than the overall average.
One sector clearly affected by the pandemic is healthcare, where the highest breach costs were recorded. Here, costs have risen even faster than the average, from $7.13 million in 2019 to $9.23 million in 2020, an increase of 29.5%.
Looking deeper into the data, it is possible to see that the costs associated with data breaches have been increasing since 2017. The costs of “mega breaches” follow the trend, increasing significantly over the last three years.
ESET experts indicate that the situation can be explained by organizations not investing in better incident detection and response. In fact, in 2021 it took an average of 287 days to identify and contain a data breach, a full week longer than recorded in the previous report.
Ransomware is another factor that has contributed to the increase in data breach costs. The trend in recent years has been a growing volume of threats, with techniques that abuse legitimate tools and lead to higher success rates for cybercriminals. In all, ransomware attacks cost an average of $4.62 million in 2021.
Citing FBI data, the researchers add that attacks targeting corporate email accounts (Business Email Compromise, or BEC) were responsible for more financial losses in 2020 than any other threat. The IBM report reveals that the average cost of a BEC attack amounts to $5.01 million.
To help companies improve their cybersecurity approaches and reduce the costs associated with data breaches, ESET experts provide some key recommendations.
The cybersecurity firm says that organizations should adopt a “zero trust” approach based on the “never trust, always verify” principle. The average cost of a breach for organizations that had not adopted such a strategy was $5.04 million. By contrast, for organizations in the mature phase of implementing this approach, the cost was $3.28 million.
Encrypting the most sensitive data is critical, ESET reminds. The average cost of a breach involving unencrypted data was $4.87 million, versus $3.62 million when the data was encrypted.