Cost of Data Breach Stays Highest in the United States 

A new report on the cost of data breaches to enterprises has confirmed what we knew all along: these costs were, on average, highest in the United States, followed by the Middle East, Canada, the United Kingdom and Germany. Of course, at a global level, the cost of a data breach averaged $4.35 million in 2022 compared to $4.24 million last year.

For enterprises in the United States, the cost of a data breach stood at $9.44 million, while those in the Middle East averaged $7.46 million, followed by Canada with $5.64 million, the United Kingdom with $5.05 million and Germany with $4.85 million. From an Indian point of view, this number stood at $4.35 million, with breach costs rising by as much as 13% over two years.

 

Some salient numbers

The report, jointly created by IBM and Ponemon Research, says 83% of organizations surveyed have experienced more than one data breach, and just 17% said this was their first data breach. Sixty percent of organizations studied stated that they increased the price of their services or products because of the data breach.

The average cost of a data breach for critical infrastructure organizations is $4.82 million — $1 million more than the average cost for organizations in other industries. Critical infrastructure organizations included those in the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries. Twenty-eight percent experienced a destructive or ransomware attack, while 17% experienced a breach because of a business partner being compromised.

 

To AI or Not to AI is the Question

Breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at organizations with no security AI and automation deployed. This 65.2% difference in average breach cost — between $3.15 million for fully deployed versus $6.20 million for not deployed — represented the largest cost savings in the study. 

Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach, known as the breach lifecycle, than those without security AI and automation — 249 days versus 323 days. The use of security AI and automation jumped by nearly one-fifth in two years, from 59% in 2020 to 70% in 2022.

 

Ransomware and stolen credentials 

Eleven percent of breaches in the study were ransomware attacks, an increase from 2021, when 7.8% of breaches were ransomware, for a growth rate of 41%. The average cost of a ransomware attack went down slightly, from USD 4.62 million in 2021 to USD 4.54 million in 2022. This cost was slightly higher than the overall average total cost of a data breach, USD 4.35 million.

Use of stolen or compromised credentials remains the most common cause of a data breach. Stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study, having caused 20% of breaches. Breaches caused by stolen or compromised credentials had an average cost of USD 4.50 million. These breaches had the longest lifecycle — 243 days to identify the breach, and another 84 days to contain the breach. Phishing was the second most common cause of a breach at 16% and also the costliest, averaging USD 4.91 million in breach costs.

 

Remote working and the Cloud

When remote working was a factor in causing the breach, costs were an average of nearly USD 1 million greater than in breaches where remote working wasn’t a factor — USD 4.99 million versus USD 4.02 million. Remote work-related breaches cost on average about USD 600,000 more compared to the global average.

Another factor that could raise a few eyebrows is that 45% of breaches occurred in the cloud. Yet breaches that happened in a hybrid cloud environment cost an average of USD 3.80 million, compared to USD 4.24 million for breaches in private clouds and USD 5.02 million for breaches in public clouds. The cost difference was 27.6% between hybrid cloud breaches and public cloud breaches. Organizations with a hybrid cloud model also had shorter breach lifecycles than organizations that solely adopted a public or private cloud model. 

 

In conclusion

Healthcare breach costs hit a new record high. The average breach in healthcare increased by nearly USD 1 million to reach USD 10.10 million. Healthcare has been the most expensive industry for breach costs for 12 years running, with costs increasing by 41.6% since the 2020 report. Financial organizations had the second highest costs — averaging USD 5.97 million — followed by pharmaceuticals at USD 5.01 million, technology at USD 4.97 million and energy at USD 4.72 million.

To calculate the average cost of a data breach, this research excluded very small and very large breaches. Data breaches examined in the 2022 study ranged in size between 2,200 and 102,000 compromised records. The study used activity-based costing, which identifies activities and assigns a cost according to actual use. 
