Prices are rising everywhere and the cost of a data breach is no exception.
According to the new IBM/Ponemon Cost of a Data Breach report, the average global overall cost of experiencing a data breach is now at an all-time high of $4.35 million, a 13% increase over the past two years.
It’s no surprise that data breaches, like everything else, keep getting more expensive. What is interesting, however, is that IBM suggests that the frequency and high cost of data breaches could be a factor in the rising prices of goods and services. That’s because 60% of organizations surveyed said they raised the price of their goods and services because of their data breach.
Breach costs for ransomware incidents have declined slightly, from $4.62 million in 2021 to $4.54 million this year, but are still higher than the overall average cost of a breach ($4.35 million). Ransomware makes up a greater portion of breaches this year, at 11% as opposed to 7.8% of breaches last year.
Ransomware attacks take longer to identify and contain than the overall average, at 326 days.
An interesting point when it comes to ransomware is that companies who paid the ransom saw only slightly lower overall breach costs than companies who didn’t pay. The difference was just $630,000, which doesn’t include the cost of the ransom payment. Given that ransom payments now commonly approach $1 million, companies should seriously assess whether paying the ransom will be worth it in the end.
Remote work saves orgs money in real estate costs, but it’s associated with higher data breach costs. The greater the percentage of employees working remotely, the higher the data breach costs. Organizations with over 80% of employees working remotely saw breach costs average $5.10 million, while those with 20% or fewer working remotely spent $3.99 million on average in a breach.
The much-publicized cyber skills gap affects orgs’ bottom line when applied to the cost of a data breach. Understaffed organizations report data breach costs of $550,000 more on average, and 62% of orgs say they are not sufficiently staffed.
Cloud migration is necessary for companies to continue to scale, grow and transform for the future, but it is associated with higher breach costs. Companies reporting a high level of cloud migration saw higher breach costs, at $5.63 million on average, compared to companies with a low level of cloud migration ($3.36 million).
This should not scare companies away from the cloud, however. The good news is that companies with high-level cloud migration and mature cloud security saw an average breach cost of just $3.87 million. To sum it up, move to the cloud, but do it securely.
What hasn’t changed:
- For the 12th year running, the US has the highest average data breach cost out of all countries and regions, at $9.44 million.
- Healthcare is still the industry with the highest average data breach cost. And as in 2021, the industries coming in next are financial, pharmaceuticals, technology and energy.
- Like last year, the most common initial attack vectors are compromised credentials (19%), phishing (16%), cloud misconfiguration (15%), and vulnerabilities in third-party software (13%).
Things that did change:
- The average time to identify and contain a breach was reduced to 277, ten days less than last year. This is a pattern reversal from the previous four years of ever-increasing breach life cycles. Hopefully, this is the beginning of a new pattern of shortening breach life cycles.
- For the first time in six years, “lost business” does not account for the largest share of breach costs. Out of four categories of breach costs—lost business, detection and escalation, post-breach response, and notification—the most expensive category is detection and escalation. Lost business is down to $1.42 million, reduced from the previous accounting of $1.59 million of data breach costs. It’s probably too early to say whether this means companies are losing slightly fewer customers after breaches.
- The data confirms the complexity and devastation of supply chain attacks. These attacks take 26 days longer to identify and contain than the global average. They are also more expensive than breaches overall, costing $4.46 million on average.
- Phishing is the costliest initial attack vector, at $4.91 million on average per breach. Business email compromise (BEC) is next at $4.89 million.
- Factors that mitigate the costs of a data breach include using an AI platform, having an incident response team, implementing a DevSecOps approach, and adopting a zero-trust approach.