2023 set a high record with the global average data breach cost reaching $4.45 million. Learn more about the main trends related to data breach cost
The global average data breach cost has set a new record according to IBM’s Cost of a Data Breach report. This year, the average breach cost reached $4.45 million, which is 2.3% higher than in 2022 and 15.3% higher than in 2020. This increase is associated with several factors, including the growing number of data breaches, security system complexity, a shortage of security skills, and noncompliance with regulations.
Let’s uncover some of the main points regarding data breach costs along with the recommendations for reducing these costs.
The Healthcare sector continues to have the highest data breach costs of all industries. In 2023, the average data breach cost in Healthcare reached $10.93 million, surpassing Finance ($5.9 million), Pharmaceuticals ($4.82 million), Energy ($4.78 million), and Industrial ($4.73 million). Notably, Technology is no longer in the top five, as it was in 2022.
The roughly $11 million average data breach cost in Healthcare marks an 8.2% increase from 2022 and a 53.3% increase since 2020. One of the reasons is that healthcare is a heavily regulated industry with high security and compliance demands, so data breaches lead to more serious financial and reputational damage.
Phishing and compromised credentials are responsible for 16% and 15% of data breaches respectively, which makes them the most common initial attack vectors. Cloud misconfigurations caused 11% of the breaches, while business email compromise accounted for 9%.
This year, for the first time, the report examined both zero-day vulnerabilities and unpatched known vulnerabilities as common attack vectors. It found that more than 5% of the breaches studied originated from known vulnerabilities that had yet to be patched. Although relatively rare, at 6% of occurrences, attacks initiated by malicious insiders were the costliest, at an average of $4.90 million.
Of all breaches reported, 40% were detected by a benign third party or other external entity. Internal teams spotted 33% of breaches. The remaining 27% were brought to light by the attackers themselves, typically in the context of a ransomware attack.
Breaches disclosed by the attacker, as in ransomware incidents, were notably more expensive: they cost $5.23 million on average, 19.5% more than breaches identified by internal security teams or tools. Put differently, breaches identified by an organization’s own security teams and tools cost almost $1 million less than incidents revealed by attackers.
Finally, breaches revealed by the attacker also had the longest detection and containment periods. On average, respondents took almost a year (320 days) to identify and contain attacker-disclosed breaches, which is 28.2% longer than for breaches identified internally.
This year, ransomware and destructive attacks (those that render systems inoperable and hard to rebuild) accounted for 24% and 25% of malicious attacks, respectively. Ransomware and destructive attacks proved to be the most costly forms of data breach, with an average price tag of $5.11 million. These attacks can be exceptionally damaging, leading to data loss, disruption of business operations, and the payment of ransom demands.
Notably, organizations that chose not to involve law enforcement during a ransomware attack incurred higher costs. While 63% of participants sought law enforcement assistance in such situations, the remaining 37% who decided against it saw costs rise by 9.6% and breach containment take 33 days longer.
The average cost of a data breach depends on various factors, including the security technologies and practices used within an organization. The most significant factors that increased data breach costs are the security systems’ complexity, a shortage of security skills, and noncompliance with regulations. For instance, organizations grappling with complex security systems experienced an average cost of approximately $4.69 million, which is 5.4% higher than the 2023 average cost.
Conversely, the three most effective factors in reducing data breach costs are the implementation of a DevSecOps approach, employee training, and incident response (IR) planning and testing. For instance, organizations that adopted a DevSecOps approach had an average cost of around $4.20 million for data breaches, which is 5.5% lower than the 2023 average cost.
Security AI, machine learning, and automation have a substantial impact on data breach costs. These tools augment or replace human intervention in the detection and investigation of threats as well as the response and containment process.
According to IBM Research, 61% of organizations employ some level of security AI and automation. Organizations with extensive use of security AI and automation demonstrated the highest cost savings with an average cost of a data breach at $3.60 million. Even organizations with limited AI and automation use experienced a 28.1% decrease in data breach costs compared to those with no usage of AI technologies. Organizations that did not use security AI and automation reported an average data breach cost of $5.36 million. This is 39.9% higher than those who used AI and automated technologies and 18.6% higher than the 2023 average data breach cost of $4.45 million.
Furthermore, participants from companies that heavily relied on security AI and automation managed to detect and control breaches within 214 days, which was 108 days faster than those who didn’t employ these technologies.
Despite the rise in the global cost of data breaches, research participants are not in a rush to increase security investments following such incidents. Specifically, only 51% of respondents allocated additional funds for security after experiencing a breach.
Of the 51% of organizations that raised their spending following a breach, the most common area of investment was incident response (IR) planning, chosen by 50% of them. Employee training was second at 46%, and threat detection and response technologies were third at 38%. Interestingly, insurance protection was the least frequent post-breach investment, selected by only 18% of respondents.
IBM Research provides guidance on actions organizations can take to minimize the financial and reputational consequences of a data breach. These suggestions encompass effective security strategies linked to decreased expenses and include:
Also, see the Planet 9 step-by-step guide “How Does The Good Data Breach Response Looks Like” to be able to provide a quick and decisive data breach response.
To stay updated on recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!