IBM’s Cost of a Data Breach Report 2022 (IBM Report) was recently released and suggests that the cost of data breaches continued to rise to an all-time high—in fact, the average total cost of a data breach was USD 4.35 million in the year covered by the study (March 2021–March 2022). The IBM Report is based on interviews with 550 organizations that were impacted by data breaches (3,600 interviews in total) across 17 countries and regions and 17 different industries. In a nutshell, the main finding can be described in this manner: “companies experience more breaches and costs continue to climb.” Below are some of the main findings, followed by suggestions for how to enhance an organization’s cybersecurity posture.
Here are some of the main findings that come out of the IBM Report:
- The average total cost of a data breach was USD 4.35 million: this represented an all-time high, and a 2.6% increase from last year.
- 83% of organizations had more than one data breach: in fact, only 17% stated that this was their first data breach. Also, 60% of organizations stated that they increased the prices of their products or services because of the breach.
- The average cost of a critical infrastructure data breach was USD 4.82 million: it is important to note that critical infrastructure organizations included those in the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries.
- The average cost savings associated with fully deployed security AI and automation was USD 3.05 million: this means that breaches at organizations with fully deployed security AI and automation cost USD 3.05 million less than breaches at organizations that deployed no security AI and automation. Essentially, the deployment of security AI and automation amounted to a 65.2% difference in average breach cost, and represented the largest cost savings in the study.
- The average cost of a ransomware attack (not including the cost of the actual ransom) was USD 4.54 million: the growth rate from last year was a troubling 41%.
- The frequency of breaches that were caused by stolen or compromised credentials was 19%: this remained the most common cause of a data breach. That is, stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study. These types of breaches had an average cost of USD 4.50 million.
- 59% of organizations did not deploy Zero Trust: this means that only 41% of organizations in the study said that they deployed a Zero Trust security architecture. Additionally, organizations that did not deploy Zero Trust incurred an average of USD 1 million in greater breach costs compared to those that did deploy Zero Trust.
- The average difference in cost where remote work was a factor in causing the breach was USD 1 million: this means that when remote working was a factor in causing the breach, costs were an average of nearly USD 1 million greater than in breaches where remote working was not a factor (USD 4.99 million versus USD 4.02 million). And remote work-related breaches cost on average about USD 600,000 more compared to the global average.
- 45% of breaches occurred in the cloud: interestingly, breaches that took place in a hybrid cloud environment cost an average of USD 3.80 million, compared to USD 4.24 million for breaches in private clouds, and USD 5.02 million for breaches taking place in public clouds.
- The average cost savings associated with an incident response (IR) team and regularly tested IR plan was USD 2.66 million: this means that having an IR team and an IR plan that was regularly tested led to significant cost savings. In particular, businesses with an IR team that tested its IR plan had an average of USD 2.66 million lower breach costs than organizations without an IR team and that did not test an IR plan (the difference was USD 3.26 million versus USD 5.92 million—a 58% cost savings).
- The savings in response time for those with extended detection and response (XDR) technologies was 29 days: this means that the organizations that implemented XDR technologies (44% of organizations) had considerable advantages in response times, shortening the breach lifecycle by about a month on average. More specifically, organizations took 275 days to identify and contain a breach with XDR technologies deployed (versus 304 days without the use of XDR technologies). This represented a 10% difference in response times.
- Lastly, the highest average cost of a data breach was in the United States: this was the highest of any country, and the United States has topped the list for 12 consecutive years. In fact, the top five countries and regions for the highest average cost of a data breach were (i) the United States at USD 9.44 million; (ii) the Middle East at USD 7.46 million; (iii) Canada at USD 5.64 million; (iv) the United Kingdom at USD 5.05 million; and (v) Germany at USD 4.85 million. Moreover, the country with the fastest growth rate was Brazil, with a 27.8% increase from USD 1.08 million to USD 1.38 million.
What can we take from the report?
IBM made some recommendations at the end of its report to help minimize the financial impacts of a data breach:
- Adopt a Zero Trust security model to help prevent unauthorized access to sensitive data
- Protect sensitive data in cloud environments using policy and encryption
- Invest in security orchestration, automation and response (SOAR) and XDR to help improve detection and response times
- Use tools that help protect and monitor endpoints and remote employees
- Create and test incident response playbooks to increase cyber resilience
Given that this marks the end of Cybersecurity Awareness Month, it is highly recommended that, going forward, organizations review the reports, review their policies and procedures, and improve any processes that might need updating. NIST also recommends focusing on the following four actions to bolster cybersecurity posture:
- Enabling multi-factor authentication
- Using strong passwords and a password manager
- Updating software
- Recognizing and reporting phishing