Data Breach Costs: Calculating the Losses for Security and IT Pros

With all the cyber threats that made headlines over the past 12 months, there’s one piece of good news that flew under the radar: The average cost of a data breach dipped slightly between 2019 and 2020. For the cybersecurity community, that counts as a win.

A recent IBM and Ponemon Institute study looked at nearly 525 organizations in 17 countries and regions that sustained a breach last year, and found that the average cost of a data breach in 2020 stood at $3.86 million, a 1.5% decline from 2019 (when the cost stood at $3.92 million).

The report also found that the United States continued to experience the highest data breach costs, averaging $8.64 million per event. The healthcare industry sustained the highest costs, with each data breach incident costing about $7 million to recover from.

In 80 percent of the cases that the researchers examined, customers’ personally identifiable information (PII) was the most frequently compromised type of record, as well as the costliest. While the average cost per lost or stolen record was $146 across all data breaches, those containing customer PII cost businesses $150 per compromised record.

And while some breach numbers improved between 2019 and 2020, the study finished collecting data in April, which means the full impact of COVID-related remote work on security (and security costs) is not fully understood yet.

“We believe the remote workforce will increase the risk of having a data breach—especially through phishing attacks and how these employees will be accessing the sensitive data in the network and through applications,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Unfortunately, organizations were not prepared to fully secure their data when employees were required to work remotely. Many organizations did not have policies in place and the training needed to reduce the insider risk.”

Ponemon notes that stolen employee credentials and misconfigured cloud services served as the primary threat vectors for the majority of data breaches that happened in 2020. These types of incidents also likely increased over the last year as employees worked from home and required more access to cloud services to continue with their jobs, all while hackers used phishing attacks to steal credentials.

Rita Gurevich, the founder and CEO of security firm Sphere, also suggests that it will take some time to fully understand the long-term effects COVID-19 and work-from-home will have on security. In many ways, organizations are still working to understand the consequences of moving large portions of the workforce to remote work.

“To compound this challenge, organizations are likely simply shifting identities and data to the cloud without much-concentrated efforts on pruning access beforehand or reviewing if and how data is being used,” Gurevich told Dice. “This also results in unnecessary costs of moving ‘junk from one attic to another,’ but now it’s not living in your own four walls. While this may have been a short-term necessity, it is critical that companies review and remediate inappropriate access controls in parallel and continue to focus on risk mitigation strategies, as more and more existing and new data has found its home in cloud platforms.”

Breach vs. Ransomware 

The IBM and Ponemon study also found that, while financially motivated hackers still caused a vast number of data breaches, those incidents involving ransomware and nation-state-sponsored threat actors proved the most damaging and difficult to recover from last year.

“It has been consistent in the research that malicious or criminal attacks cause the most data breaches, and are the most costly to remediate,” Larry Ponemon told Dice. “For the first time, we looked at the cost by how the data was compromised. As shown in the research, data held for ransom due to a malicious attack—ransomware—costs companies more than the traditional data breach. So organizations should incorporate planning for a ransomware attack into their incident response plans.”

The IBM and Ponemon report reflects recent findings from the nonprofit Identity Theft Resource Center, which also found that the number of data breaches in the U.S. dropped about 19 percent in 2020, but that threat actors are increasingly turning toward more destructive tactics such as ransomware, which promise a bigger payout for cybercriminals but also cost more for an organization to recover from.

Brandon Hoffman, CISO of security firm Netenrich, noted that ransomware increasingly introduces two levels of cost for organizations, which can then increase the overall cost of a breach. This includes the incident itself, plus any data that is stolen and held for ransom. 

“The reason is that most organizations who suffer a successful ransomware attack may not only be subject to the cost of the breach itself but also potentially paying the ransom as well,” Hoffman told Dice. “In many cases where organizations have paid the ransom, the traditional costs associated with a breach remain. Similar to the notion that if somebody breaks into your house, not only do you have to buy your items back from a pawn shop, but you still have to mend the broken doors and windows.”

In Need of More Skills

In addition to the other findings, the IBM and Ponemon report noted that a lack of security skills continues to contribute to the cost of data breaches.

At organizations with an incident response team that conducted exercises and simulations to plan for a security incident, the average data breach cost $3.29 million, the study concluded. Those enterprises with no incident response team saw the cost of a data breach rise to $5.29 million. The cost difference between these groups was $2 million, up from $1.23 million in the 2019 study.

Dirk Schrader, global vice president at New Net Technologies, notes that the $2 million difference shows how a lack of skill can cost organizations. Now is a good time to rethink a security approach.

“Given the identified root causes of a breach and the necessity that an organization needs to be able to detect an incident to respond to it, the importance for those basic, crucial security controls is documented one more time,” Schrader told Dice. “Make sure your organization is able to withstand the easy attack by checking for any vulnerable system and patching the identified ones according to the criticality of its business processes.”

The IBM and Ponemon report also notes that organizations that invest in automation, such as security orchestration, automation and response (or SOAR), saw the average cost of a data breach drop, which means it’s a best practice to find security professionals who can implement and maintain these types of programs.

“A key takeaway is the difference automation is making in organizations' ability to reduce costs. As more organizations deploy automation, it is having a positive impact on the time to identify the breach,” Larry Ponemon said. “In fact, with automation, the average cost of a breach for organizations is $2.45 million, versus an average cost of $6.03 million in those organizations without automation.”