Phishing-Driven Data Breaches Cost $4.65M on Average, Finds IBM

lock hooked on a fishing hook

Data breaches that used phishing as their initial attack vector cost organizations an average of $4.65 million, according to IBM.

Overall Costs of a Data Breach

In early July, IBM announced the results of its Cost of a Data Breach Report 2021.

Conducted by the Ponemon Institute, this year’s report shares IBM Security’s analysis of 537 data breaches that occurred across 17 countries and in 17 different industries.

It also draws on nearly 3,500 interviews to better understand those security incidents including their financial impact on organizations.

Over the course of its analysis, IBM observed that the average cost of a data breach increased from $3.86 million in 2020 to $4.24 million a year later. Not only is that the highest average total cost of a data breach in the history of the report, but it’s also the largest single-year cost increase of $0.38 million or about 9.8%.

IBM decided to dig deeper into that overall price tag. In doing so, it discovered some notable contributing factors. For instance, it learned that lost business accounted for the largest share of data breach costs at $1.59 million—approximately 38% of the overall average. Lost business in this case included damages such as customer turnover and lost revenue resulting from downtime.

The report also found that the data breach lifecycle grew by a week in 2021. Breaches in 2021 took organizations an average of 212 days to identify and 75 days to contain. That’s an overall lifecycle of 287 days. (To put this finding into perspective, organizations wouldn’t finish identifying and containing a data breach that occurred on January 1st until October 14th.)

Size and Industry

Small businesses may believe they are out of scope for being targeted, but the report findings saw a 26.8% increase in the cost of a data breach – putting their total cost at $2.98 million dollars in 2021.

Healthcare remains the top industry in total average cost, holding on to this position for its 11th consecutive year, with a 29.5% cost increase since last year. This is followed by financial services and pharmaceuticals.

Not All Data Breaches Are Created the Same

Even so, IBM found that several factors caused variations in the overall cost of a data breach. Organizations’ embrace of zero trust, security automation, and analytics played a part. So too did the initial attack vector used in each data breach.

IBM analyzed a total of 10 initial attack vectors over the course of compiling its report. It found that four of those entry routes—system error, accidental data loss/lost device, physical security compromise, and cloud misconfiguration—resulted in security incidents that fell below the average of $4.24 million. The rest caused security incidents whose cost exceeded that average.

Take phishing as an example. Phishing was the second most-frequent initial attack vector analyzed in the report, accounting for 17% of data breaches. It was also the second costliest initial attack vector at $4.65 million per security incident on average.

Compromised credentials were the most frequent initial attack vector analyzed, as they were responsible for 20% of data breaches. But the cost of an incident that began with compromised credentials cost only $4.37 million—less than a phishing-driven breach. By contrast, data breaches that involved a business email compromise (BEC) cost organizations $5.01 million. It was the most expensive initial attack vector despite accounting for only 4% of breaches and despite taking 317 days to identify and contain, a period which fell short of the 341-day average for stolen and compromised credentials.

Aside from initial attack vectors, IBM found that overall costs varied across different kinds of data breaches. It found that ransomware attacks, a common threat delivered by email, cost organizations an average of $4.62 million, for instance. Those costs included lost business, response, and other damages, but they didn’t include paying the ransom.

How to Minimize the Costs of a Data Breach

IBM’s findings highlight the need for organizations to prevent data breaches that begin with a phishing attack or BEC scam as well as those that deliver ransomware. To do that, organizations can invest in their ability to scan incoming email for threat indicators while allowing legitimate correspondence to reach its intended destination. Learn how Zix | AppRiver can help.