Average breach costs have once again hit a new record, up 15.3% just from 2020. Yet only 51% of organizations that have suffered a breach plan to increase security spending and just one out of three incidents are first discovered by internal security teams, according to the most recent IBM Cost of Data Breach report.
61% of organizations now say that they are using some sort of security AI and automation, but only 28% report “extensive” use of it at present. The numbers gathered by IBM point to security automation having a profound effect on mitigation and recovery, as does involving law enforcement as early as possible.
Average cost of data breach up to $4.45 million
While the cost of data breaches once again broke an all-time record this year, it is up just 2.3% from the record set in the previous year. The real jumps in cost have been cumulative since 2020, when the average was at $3.86 million.
As other research has found, experiencing a breach does not necessarily prompt organizations to spend more on cybersecurity; in fact, it’s basically a coin flip. When they do opt to increase spending, organizations tend to favor incident response preparation, employee training and threat detection/response technologies.
Though security technology does not appear to be an overwhelming priority for respondents, the report finds that organizations implementing some form of AI and automation see an average cost of data breach reduction of $1.76 million, along with a breach containment time that is 108 days shorter (down from an average of 277).
Between reported spending and detection numbers, one might get the impression that a lot of organizations have simply given up. Only one in three organizations report that their own security team was first to detect a breach. It is much more common for either a third-party security researcher to come across it, or for the attackers to simply disclose it themselves once they are done rummaging around on company servers. The report finds that organizations average a savings of $1 million if their internal teams detect an attack while it is in progress.
Law enforcement is also a factor in the cost of data breaches. Organizations that do not involve the authorities tend to pay $470,000 more on average, contrary to the common belief that paying off a ransomware attacker is the cheapest way to deal with the problem. It is not necessarily faster either, as the 37% of respondents that said they kept law enforcement out of the loop also tended to experience a breach cycle that was about a month longer.
Attackers are also overwhelmingly focusing on cloud assets now. 82% of the breaches reported to researchers involved cloud data, with 39% spanning multiple environments. These types of incidents bump the average cost of data breaches up to $4.75 million.
Cost of data breach can vary greatly by region, industry
The US has been the leading global target for cyber attacks for some time now, and unsurprisingly it leads the cost of data breach chart with an average of $9.48 million. The Middle East is the only other region that is close, at $8.07 million. Below those, Canada, a number of European nations, Latin America, Japan, South Korea and the ASEAN region sit between about $3 million and $5 million.
Certain industries are also suffering more than others. At one time health care was an afterthought for ransomware operators, due to perceptions of poor funding. But the industry is now increasingly targeted, and its cost of data breach numbers are by far the highest at $10.93 million on average. The lowest is the public sector, at $2.60 million.
And while larger businesses still end up paying larger amounts, smaller businesses are taking higher proportional damage as the years go on. All of the business categories from 5,001 employees and up saw something of a reduction in what they pay per data breach, but all businesses under 5,000 employees saw the amount go up. Businesses with 1,000 to 5,000 employees actually paid substantially more per breach incident than those with 5,000 to 10,000 employees.
The type of data compromised plays a significant role in cost of data breach totals. One of the main reasons that health care data breaches are so expensive is that customer personally identifiable information costs victims the most, followed closely by employee information. When data is anonymized and non-personally identifiable, it costs almost $50 million less per breach.
IBM’s prescriptions for remedying data breach issues naturally align with its business interests, but they are also solid recommendations in their own right: institute “security by design” principles in software development, modernize data protection across hybrid cloud systems, and implement some manner of security AI and automation.