The average cost of a data security breach has hit another record-high of $4.35 million per incident, growing 12.7% over the past two years. And some businesses are passing the buck to customers, even as the cost of products and services has climbed amidst inflation and supply chain constraints.
This year’s figure was up 2.6% from last year’s $4.24 million per breach, according to IBM’s 2022 Cost of Data Breach report, which further revealed that 83% of companies surveyed had experienced more than one data breach. Conducted by Ponemon Institute, the report analysed 550 organisations across 17 global markets that were impacted by data breaches between March 2021 and March 2022.
Just 17% said this was their first breach. In addition, 60% said they increased the price tag on their products and services due to losses suffered from the data breach. They also continued to chalk up losses long after the breach, where almost half of such costs were incurred more than a year after the incident.
Organisations in the US saw the highest average cost of a breach, which climbed 4.3% to $9.44 million, followed by the Middle East region where the average cost clocked at $7.46 million this year, up from $6.93 million in 2021. Canada, the UK, and Germany rounded up the top five pack, chalking at average losses of $5.64 million, $5.05 million, and $4.85 million per breach, respectively.
Six markets, including Japan, South Korea, and France, amongst the 17 markets analysed saw a dip in their respective average breach cost.
Supply chains, user credentials fuel attacks
Across the board, companies took an average of 207 days to identify the breach and 70 days to contain it, down overall from last year’s average of 212 days to identify and 75 days to contain the breach.
Some 19% of breaches were the result of supply chain attacks, costing an average $4.46 million and clocking a lifecycle of 26 days longer than the global average of 277 days, which measured the combined time to identify and contain a data breach. Supply chain breaches were due to a business partner being the initial point of compromise.
Human errors, which encompassed negligent actions of employees or external contractors, accounted for 21% of incidents, while IT failures–the result of disruption or failure in a company’s IT systems that led to data loss–were behind 24% of breaches. The latter included errors in source codes or process failures, such as automated communication errors.
Some 11% of breaches were ransomware attacks, up from 7.8% last year and at a growth rate of 41%, but the average cost of such attacks dropped slightly to $4.54 million from $4.62 million in 2021.
Attacks from stolen or compromised credentials remained the most common cause of a data breach, accounting for 19% of all incidents this year, the report found. Breaches from stolen or compromised credentials cost an average $4.5 million per incident and had the longest lifecycle of 243 days to identify and 84 days to contain the breach.
Phishing was the second-most common cause of a data breach, accounting for 16% for overall attacks, but the costliest with an average $4.91 million in losses.
Amongst sectors, healthcare suffered a record-high average breach cost of $10.1 million, up almost $1 million from 2021 and sealing its ranking as the most expensive industry. In fact, the sector’s breach costs had climbed 41.6% since 2020.
The financial services sector recorded the second-highest average breach cost of $5.97 million, followed by pharmaceuticals, technology, and energy at $5.01 million, $4.97 million, and $4.72 million, respectively.
The average breach cost for organisations running critical infrastructures was $4.82 million, which was $1 million more than the average cost for organisations in other sectors. Critical infrastructure companies were from sectors that included financial services, energy, transport, healthcare, and government.
Amongst these organisations, 28% experienced a destructive or ransomware attack and 17% pointed to a compromised supply chain partner.
Mitigating losses with touted security strategies
The IBM study also studied differences in the impact of a data breach amongst companies that had and had not adopted security strategies and technologies, such as zero trust, extended detection and response (XDR), and artificial intelligence (AI).
The report noted that nearly 80% of critical infrastructure organisations without a zero trust strategy saw a higher average breach cost of $5.4 million, or $1.17 million more than those that adopted zero trust frameworks. Across the board, 41% of organisations said they had deployed a zero trust security framework, up from 35% last year, and the remaining 59% had not done likewise.
In addition, those that deployed security AI and automation tools saw lower breach costs that were $3.05 million lower than their peers that did not implement any of such tools. They also took 74 days longer to identify and contain a breach than those that adopted security AI and automation technologies.
The number of organisations that used such tools hit 70% this year, up from 59% in 2020.
In addition, 43% of companies that were in the early stages or had yet to deploy security practices across their cloud platforms saw higher losses of at least $660,000 on average than those that had mature cloud security environments.
Some 44% of breaches in the study happened in the cloud, with those occurring in a hybrid cloud environment costing an average $3.8 million, compared to $4.24 million for breaches in private clouds and $5.02 million in public clouds.
At $4.99 million per incident, remote work-related breaches also cost almost $1 million more on average than breaches where remote work was not a factor.
Some 44% of companies had implemented XDR technologies and they saw shorter breach lifecycles of about a month, on average, compared to their peers that had not deployed such tools who took 304 days to identify and contain a breach.
Amongst organisations that suffered ransomware attacks, those that paid up clocked $610,000 lower breach costs–excluding cost of ransom–compared to those that chose not to pay.
In addition, 62% of companies that said they were insufficiently staffed to support their cybersecurity needs saw an average $550,000 higher breach costs than those that were adequately staffed.