IBM: Compromised credentials led to higher data breach costs

The average total cost of a data breach is $3.86 million, according to new research from IBM and the Ponemon Institute, and compromised credentials are the biggest reason why.

The average cost of a data breach has fallen slightly, according to new research from IBM and the Ponemon Institute, but there are concerning -- and costly -- trends for enterprises.

The average total cost of a data breach is $3.86 million, according to IBM and the Ponemon Institute in their "Cost of a Data Breach Report 2020" released Wednesday. That number is down slightly from the 2019 report, which found the average data breach cost $3.92 million.

IBM and Ponemon gathered the report's data by analyzing 524 breached organizations between August 2019 and April 2020 and interviewing more than 3,200 individuals across 17 countries and regions as well as 17 industries. According to the study, loss of business accounted for 39.4% of the total data breach cost, followed by detection and escalation (28.8%), ex-post response (25.6%) and notification (6.2%).

As for what type of breach costs the most, compromised credentials lead the pack. The report found that one out of five organizations suffered a breach through stolen credentials, and those breaches were an average of $1 million more expensive than the rest. In an interview with SearchSecurity, Charles DeBeck, senior cyber threat intelligence analyst of IBM X-Force IRIS, said there are plenty of resources on the dark web where threat actors can access or purchase stolen credentials and use them to infiltrate an organization.

"It's a very successful medium for threat actors to get into an organization," he said. "And then pair that with the fact that we saw malicious threat actors and financial threat actors being a major source of data breaches over the course of the past year, and then pair that with the fact that there's such a broad smattering of targeting that they're able to really get into a lot of different types of organizations and provide an extensive compromise."

The report noted the total cost of breaches was lower for more "mature" companies, while the total cost was higher for less mature companies that don't have good incident response processes or security automation. DeBeck emphasized the importance of incident response and security automation.

"We looked at a couple different components to determine which methods or which investments we're seeing paid off the most effectively for the cost of a data breach. And I think the two that stick out in my mind are security automation and incident response," DeBeck said. "My idealized organization is an organization that has a high degree of security automation in place so they're detecting faster, they're responding faster and they're generally containing breaches faster. And they've also got a skilled incident response team that they've trained and tested so the incident response team knows how to respond effectively."

DeBeck said organizations that can't react quickly to detect, contain and remediate a breach are going to pay much higher costs. "By contrast, the organizations that don't have the sort of tested, tried and true process in place for incident response or security automation, that's where you're going to start to see this longer time, this longer incident lifecycle, which leads to a higher cost on average."

The 2020 report found it takes an average of 280 days to identify and contain a data breach. DeBeck said the big factor here was "security complexity within the environment."

"Being able to respond quickly depends a lot on how complex your security is as an organization as well as how much an organization has tested their incident response capability."

DeBeck added that security automation can be a key way for organizations to reduce the amount of time it takes to detect a breach.

"I think one huge benefit of security automation is that it can reduce the time to detect and contain a breach pretty significantly," he said. "We saw a 27% decrease in the time it took to identify and contain a breach in organizations that had high-quality security automation in place."

Healthcare leads the pack

The United States was the country with the highest average data breach cost, while healthcare had the highest cost among vertical industries -- a first-place title it has held for the past decade. The reason for this is that things in healthcare are just more complicated, DeBeck said.

"Healthcare is interesting because it has a very high regulatory regime. And the records associated with healthcare in my experience have a lot of requirements on them and that can lead to a lot of additional costs. A lot of regulatory costs, a lot of notification costs that other industries might not have to deal with quite as much," DeBeck said. "There's also a lot of complexity within the healthcare environment and increased complexity leads to increased overall costs."

Lastly, cloud misconfiguration was also a leading cause of data breaches.

In fact, according to the report, "Alongside stolen or compromised credentials, misconfigured cloud servers tied for the most frequent initial threat vector in breaches caused by malicious attacks, at 19%. Breaches due to cloud misconfigurations resulted in the average cost of a breach increasing by more than half a million dollars to $4.41 million."