Companies lose an average of $3.6 million per data breach, most of which are caused by compromised employee accounts, according to a study.
The study was conducted by IBM Security, the security research wing of the Armonk, New York-based technology giant, and Michigan-based research firm Ponemon Institute. It analysed data breaches at over 500 organisations worldwide and interviewed 32,200 security professionals between August 2019 and September 2020, a statement said.
Over 80% of the data breaches exposed personally identifiable information of customers -- these also had the most financial impact on businesses, the study showed.
Healthcare emerged as the most targeted vertical with the highest average breach cost at $7.13 million, a 10% increase from the numbers reported in a study published in 2019.
Companies that deployed automation technologies, which leveraged artificial intelligence, analytics and automated orchestration, suffered data breach costs of nearly $2.45 million, it said. That is less than half of the $6.03 million loss suffered by firms that don’t deploy these technologies, it added.
“When it comes to businesses’ ability to mitigate the impact of a data breach, we’re beginning to see a clear advantage held by companies that have invested in automated technologies,” Wendi Whitmore, vice president of IBM X-Force Threat Intelligence, said.
As teams are overwhelmed with securing more devices, security automation could help resolve the burden by enabling cost-efficient, faster response rates, Whitmore added.
Data breaches on account of stolen credentials cost a company an average of $4.77 million, nearly a million higher than the $3.6 million average loss caused by weak infrastructure. Incidents where hackers exploited third-party vulnerabilities saw companies lose about $4.5 million. State-sponsored attacks, which averaged $4.43 million in data breach costs, caused more damage than attacks by cybercriminals and hacktivists, the study said.
The report also linked remote working to higher risks of attacks, with 70% of companies that have adopted telework amid the pandemic expecting an exacerbation of data breach costs.
While 46% of respondents blamed chief information security officers (CISOs) for not doing their jobs, 27% said that the executives were only responsible for security policy and technology decision making, the report showed.
Interestingly, the study drew a direct correlation between the appointment of a CISO and cost savings -- a company with a CISO saved $145,000 more from thwarted data breaches compared to a company without such executives.