In 2022, we explored the biggest takeaways from the IBM “Cost of a Data Breach” report for 2022. Among other findings, we noted that the cost of a data breach in 2022 was a record $4.35m per incident, an increase of 2.6% from 2021. This year’s report demonstrates another increase in this cost, and highlights some other trends for organizations to be wary of in 2023.
Here are some of the main points from IBM’s Cost of a Data Breach report for 2023:
1. A record-breaking cost
The worldwide average data breach cost rose to $4.45m, a $100,000 (2.3%) increase on the previous year’s average of $4.35m. Since 2020, when the average cost of a data breach stood at $3.86m, the average total cost has risen by a substantial 15.3%. This increase is due to several factors, including the rising cost of data breaches in certain industries, the increasing complexity of data breaches, and the growing number of data breaches worldwide.
2. Healthcare in need of a cyber security cure
Healthcare remains the industry with the most expensive data breach costs, escalating from $10.10m in 2022 to $10.93m in 2023, marking an 8.2% growth. In the last three years, the average cost of a data breach in the healthcare sector has surged by 53.3%, adding more than $3m to the average cost of $7.13m in 2020. Owing to the high level of industry regulation and its designation as critical infrastructure by the US government, healthcare has seen a significant increase in average data breach costs, especially since the onset of the COVID-19 pandemic.
3. Familiar attack vectors among the biggest
Phishing attacks and compromised credentials were behind 16% and 15% of breaches respectively, with phishing slightly overtaking compromised credentials, which led the 2022 report. Cloud misconfigurations were the initial point of 11% of attacks, followed by business email compromise at 9%. For the first time, the report scrutinized both unknown (zero-day) vulnerabilities and known yet unpatched vulnerabilities as the breach source, revealing over 5% of studied breaches originated from known, unaddressed vulnerabilities.
Though less frequent at 6%, breaches instigated by malicious insiders proved to be the most expensive, averaging $4.90m, 9.6% above the global average cost of $4.45m per breach. Phishing was not only the most common attack method but also the second most costly, at $4.76m on average. Meanwhile, breaches due to system errors were the least expensive, with an average cost of $3.96m, and the least common, representing 5% of incidents.
4. Slow response time leaves organizations at risk
The average time to identify and contain a data breach was 277 days, a figure that has remained consistent throughout recent years of the report. This is a significant amount of time, and it highlights the importance of having a strong incident response plan in place to detect and contain data breaches as quickly as possible.
5. The business impact of a data breach
In last year’s report, detection and escalation expenses became the most significant component of data breach costs, signaling a move towards more prolonged and complex breach investigations. This trend continued this year, with these costs rising from $1.44m to $1.58m, a 9.7% increase. Other significant areas of data breach costs—lost business, post-breach response, and notification—also saw changes from 2022. Lost business costs decreased by 8.5%, while notification costs saw a 19.4% increase. Post-breach response costs had a modest increase of $20,000.
To summarize, companies are seeing a continuous increase in costs for detecting and managing data breaches. While some areas like lost business costs are seeing a decrease, others like notification costs are on the rise, emphasizing the complex financial impact of data breaches.
6. Ransomware the costliest threat
Ransomware and destructive attacks were the most expensive types of data breaches, with an average cost of $5.11m. These types of attacks can be particularly damaging, as they can result in the loss of data, the disruption of business operations, and the payment of ransom demands.
An interesting point here is that organizations that refrained from involving law enforcement during a ransomware attack encountered increased expenses. The study reveals that while 63% of participants engaged law enforcement in such scenarios, the remaining 37% that opted not to involve them faced a 9.6% surge in costs and a breach lifecycle extended by 33 days.
7. The need for an incident response plan
Companies that had an incident response team and plan in place were able to identify breaches 54 days faster than those that did not. Given the 277-day average lifecycle noted above, a tested incident response plan is one of the most direct ways to shorten the time a breach goes undetected and uncontained.
8. Automation and AI to the rescue
The use of security automation and artificial intelligence technologies was associated with a lower average data breach cost of $3.6m. These technologies can detect and prevent data breaches more quickly and consistently than manual processes, reducing the overall cost of a data breach.
While we’ve covered the risk to security posed by AI in the past, it’s important to consider the ways this technology can support security teams in mitigating vulnerability risk more effectively. As with most new tools, it’s how you use it that counts.
9. Training and DevSecOps a worthwhile investment
Regular security training for employees can help reduce the cost of a data breach by an average of $232,867. This is because employees are often the weakest link in an organization’s security posture, and they can inadvertently cause data breaches through actions such as clicking on phishing emails or using weak passwords.
Meanwhile, incorporating security testing into the software development process (DevSecOps) delivered a significant return on investment (ROI) in 2023. Organizations with high DevSecOps adoption saved $1.68m compared with those with low or non-existent adoption. Relative to the other cost-reducing measures studied, DevSecOps yielded the most substantial savings.
10. The clear benefits of risk-based vulnerability management
In contrast to the average cost of a data breach, the cost for organizations with a risk-based approach to vulnerability management was substantially lower.
Some 36% of organizations depended exclusively on CVE scoring to rank vulnerabilities, while the majority, about 64%, applied a more comprehensive risk-based analysis. The 2023 research revealed a substantial cost disparity in data breaches between these two groups. Organizations using an in-depth, risk-based analysis saw an average data breach cost of $3.98m, an 18.3% reduction compared to the $4.78m incurred by organizations relying solely on CVE scores.
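To make the difference between the two approaches concrete, here is a small added example (written for this summary; it is not IBM’s methodology and not any vendor’s product) that ranks the same constructed set of findings twice: once by CVSS base score alone, and once by a risk score that also weighs asset criticality, internet exposure, whether the flaw is known to be exploited in the wild, and whether a compensating control is already in place. The factors, weights and the `VULN-*` identifiers are assumptions chosen for illustration, not values from the report.

```python
"""Risk-based vulnerability prioritisation versus CVSS-only ranking.

Added illustrative example, not code from the original page or from IBM.
All scoring factors and weights below are assumptions for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str                 # placeholder identifier, not a real CVE
    cvss_base: float             # CVSS base score, 0.0 .. 10.0
    asset_criticality: int       # assumed scale: 1 (lab box) .. 5 (crown jewels)
    internet_exposed: bool       # reachable from the internet?
    known_exploited: bool        # e.g. listed in a known-exploited-vulnerabilities feed
    compensating_control: bool   # e.g. WAF rule or segmentation already mitigates it


# Assumed multipliers: how much each business-context factor scales the base score.
CRITICALITY_WEIGHT = {1: 0.4, 2: 0.6, 3: 0.8, 4: 1.0, 5: 1.2}
EXPOSED_WEIGHT = 1.5
EXPLOITED_WEIGHT = 2.0
CONTROL_WEIGHT = 0.5


def cvss_only_rank(findings):
    """The 'CVE scoring only' approach: highest base score first, nothing else."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


def risk_score(f: Finding) -> float:
    """Combine severity with the context that decides whether it actually matters here."""
    score = f.cvss_base * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.internet_exposed:
        score *= EXPOSED_WEIGHT
    if f.known_exploited:
        score *= EXPLOITED_WEIGHT
    if f.compensating_control:
        score *= CONTROL_WEIGHT
    return round(score, 2)


def risk_based_rank(findings):
    """The risk-based approach: highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def compare(findings):
    """Return both orderings (as id lists) so the difference is visible side by side."""
    return {
        "cvss_only": [f.vuln_id for f in cvss_only_rank(findings)],
        "risk_based": [f.vuln_id for f in risk_based_rank(findings)],
    }


# Constructed sample: four findings that look similar under CVSS but differ in context.
SAMPLE = [
    Finding("VULN-A", 9.8, 1, False, False, False),  # critical CVSS, isolated test host
    Finding("VULN-B", 7.5, 5, True, True, False),    # high CVSS, exposed customer DB, exploited
    Finding("VULN-C", 9.0, 4, True, False, True),    # critical CVSS, but a WAF rule covers it
    Finding("VULN-D", 5.3, 3, True, True, False),    # medium CVSS, exposed and actively exploited
]

if __name__ == "__main__":
    for name, order in compare(SAMPLE).items():
        print(f"{name:>10}: {order}")
    for f in SAMPLE:
        print(f"{f.vuln_id}: cvss={f.cvss_base:<4} risk={risk_score(f)}")
```

Under the CVSS-only ordering the isolated test host (VULN-A) is patched first and the actively exploited, internet-facing database flaw (VULN-B) comes third; the risk-based ordering reverses that, which is the practical reason the report’s risk-based group ends up remediating the vulnerabilities that lead to breaches sooner.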
Similar to last year, the takeaway from this year’s report is clear. Organizations today need to take proactive control of their cyber risk landscape, and must deploy a robust risk-based vulnerability solution to consolidate, correlate, prioritize and mitigate cyber risk across all the technologies that make up their attack surface. Alongside better training and awareness of security priorities, organizations can improve their security posture and greatly lessen the impact of future breaches.