The global average cost of a data breach for affected organisations has risen to an all-time high of $4.35m, with breach costs having risen 13% over the past two years, according to IBM Security‘s annual Cost of a Data Breach Report.
The study also found that breaches may be contributing to the rising costs of goods and services as 60% of studied organisations raised their product or services prices due to a breach, compounding already rampant inflation and supply chain issues worldwide.
The vast majority of organisations (83%) have experienced more than one data breach in their lifetime, and nearly 50% of costs are incurred more than a year after the breach. Some 550 organisations globally were questioned between March 2021 and March 2022 for the report, which was conducted by the Ponemon Institute.
The report also found that almost 80% of critical infrastructure organisations studied don’t adopt ‘zero trust’ strategies, and see an average breach cost of $5.4m — $1.17m more than groups that do — and 28% of breaches at these organisations are ransomware or destructive attacks.
Ransomware victims that paid the actors’ ransom demands pay only $610,000 less on average than those that hold out, not including the cost of the ransom (which was $812,000 on average last year), so the financial toll may even be higher.
Around 43% of studied organisations are in the early stages of or have not started to apply security practices across their cloud environments and pay on average $660,000 more in breach costs than studied organisations with mature cloud security.
Elsewhere, participating organisations fully deploying security AI and automation incurred $3.05 million less on average in breach costs compared to studied organisations that have not deployed the technology – the biggest cost saver observed in the study.
“Businesses need to put their security defences on the offence and beat attackers to the punch. It’s time to stop the adversary from achieving their objectives and start to minimise the impact of attacks. The more businesses try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost of living increases.” said Charles Henderson, global head of IBM Security X-Force.
“This report shows that the right strategies coupled with the right technologies can help make all the difference when businesses are attacked.”
The report also noted that ransomware and destructive attacks represented 28% of breaches amongst critical infrastructure organisations studied, highlighting how threat actors are seeking to fracture the global supply chains that rely on these organisations across financial services, industrial, transportation and healthcare.
The duration of studied enterprise ransomware attacks shows a drop of 94% over the past three years – from over two months to just under four days — meaning organisations have a very short window of opportunity to detect and contain attacks.
IBM Security said it’s essential that businesses prioritise rigorous testing of incident response (IR) playbooks ahead of time, but the report states that as many as 37% of organisations studied that have incident response plans don’t test them regularly.
Averaging $3.8m in breach costs, businesses that adopted a hybrid cloud model observed lower breach costs compared to businesses with a solely public or private cloud model, which experienced $5.02m and $4.24m on average respectively.
In fact, hybrid cloud adopters studied were able to identify and contain data breaches 15 days faster on average than the global average of 277 days for participants.
The report highlights that 45% of studied breaches occurred in the cloud, emphasising the importance of cloud security. However, a significant 43% of reporting organisations stated they are just in the early stages or have not started implementing security practices to protect their cloud environments, observing higher breach costs.
Businesses studied that did not implement security practices across their cloud environments required an average 108 more days to identify and contain a data breach than those consistently applying security practices across all their domains.
Compromised credentials remain the most common cause of a breach at 19%, ahead of phishing (16%), which was also the costliest with an average cost of $4.91m. Healthcare saw the most expensive breaches, rising nearly $1m to $10.1m.
Finally, 62% of studied organisations stated they are not sufficiently staffed to meet their security needs, averaging $550,000 more in breach costs than those that state they are sufficiently staffed.
(Pic: Getty Images)