The number, costs and impacts of data breaches all increase in 2021


Last week we looked at new legislation that would require reporting of critical infrastructure data breaches.

But this blog raised many questions and follow-up comments from readers, such as:

  • Are ransomware attacks considered data breaches?
  • Show me the numbers: where are the documented increases and how much did they really cost?
  • How is the United States different from the rest of the world when it comes to data breaches and the associated costs to organizations?


Let’s start by answering the last two questions.

According to a 2021 report from IBM and the Ponemon Institute, the average cost of a data breach among surveyed companies reached $4.24 million per incident in 2021, the highest in 17 years. Here are some other compelling data points:

  • Impact of teleworking: The rapid shift to remote operations during the pandemic appears to have led to more costly data breaches. Breaches cost over $1 million more on average when remote work was listed as a factor in the incident, compared to breaches in the same group without this factor ($4.96 million vs. $3.89 million).
  • Healthcare breach costs have increased: Industries that faced huge operational changes during the pandemic (healthcare, retail, hospitality, and consumer manufacturing / distribution) also saw a substantial year-over-year increase in data breach costs. Healthcare breaches cost the most by far, at $9.23 million per incident, an increase of $2 million from the previous year.
  • Compromised credentials led to compromised data: Stolen user credentials were the most common cause of breaches in the study. At the same time, personal customer data (such as name, email address, password) was the most common type of information exposed in data breaches, with 44% of breaches including this type of data. The combination of these factors could cause a spiraling effect, with username / password breaches providing attackers with leverage for further data breaches.
  • Modern approaches have reduced costs: The adoption of AI, security analytics and encryption were the top three mitigating factors that reduced the cost of a breach, saving businesses between $1.25 million and $1.49 million compared to those that did not meaningfully use these tools. For the cloud-based data breaches studied, organizations that implemented a hybrid cloud approach had lower data breach costs ($3.61 million) than those with a primarily public cloud approach ($4.8 million) or a mostly private cloud approach ($4.55 million).

To learn a bit more about data breach trends as well as other cyberattacks for Q3 2021, the Identity Theft Resource Center just released a press release with some additional surprising numbers. Here are some of the main highlights:

  • The number of publicly reported data breaches in the United States decreased 9% in Q3 2021 (446 breaches) compared to Q2 2021 (491 breaches). However, the number of data breaches up to September 30, 2021 exceeded the total number of events for the whole of 2020 by 17% (1,291 breaches in 2021 versus 1,108 breaches in 2020).
  • For the third quarter of 2021, the number of data compromise victims (160 million) is higher than the first and second quarter of 2021 combined (121 million). The dramatic increase in the number of victims is mainly due to a series of unsecured cloud databases, not data breaches.
  • The total number of data breaches related to cyberattacks since the beginning of the year (YTD) is up 27% from fiscal 2020. Phishing and ransomware continue to be, by far, the biggest attack vectors.


Which brings us to the first question above, and the simple answer to whether ransomware amounts to a data breach is… it depends. I like this description of the problem and the response from the start of the year:

“Historically, a difference between a business victim of ransomware and one victim of a hacking intrusion that resulted in data theft was that, in a ransomware attack, the data was not actually stolen, but encrypted so that the victim had to pay a ransom to regain access. Unlike traditional data theft, ransomware – according to theory – didn’t really steal data. It encrypted it so that authorized users could not access it unless a ransom was paid. As a result, most organizations viewed ransomware attacks as a simple business continuity or disaster recovery response although, as a real insult to the business, organizations had to pay for what they already had. Today, nearly half of ransomware attacks steal data before encrypting systems, meaning ransomware is no longer just a business continuity or disaster recovery response; it is a comprehensive response to cybersecurity incidents, as the attack may well constitute a data breach if the stolen records include protected data.”

So this raises more questions about the numbers of data breaches coming from multiple sources. Do these figures include records that may have been compromised in the growing number of ransomware attacks?

This YouTube video from “The Breach Report” explains the Kaseya ransomware attack in more detail and describes some of its indicators of compromise, characteristics and attack vectors.


Another related topic I want to throw into the mix this week: AP News reported last week that the United States is set to prosecute contractors who fail to report cyber breaches:

“The Justice Department is set to prosecute government contractors and other businesses that receive grants from the U.S. government if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices, the department’s No. 2 official said Wednesday.

Deputy Attorney General Lisa Monaco said the department is ready to take action under a law called the False Claims Act, which allows the government to sue for misused federal funds. The Justice Department will also protect whistleblowers who report these issues, she said.”


In addition to the watershed nature of the Colonial Pipeline ransomware attack, which exposed the severity of our global online problems, the increase in data breaches and the associated costs to businesses is becoming unsustainable.

Simply put, something has to give in a world where cyber teams are stretched to their limits and are even losing staff to competitors. Security teams, especially in the public sector, have many vacancies and are often in constant firefighting mode.

It remains to be seen what solutions can “stem the tide of rising waters” that currently overwhelms many cyber defense programs.
