IBM Security: Cost of Data Breach Hitting All-Time Highs

A study commissioned by IBM Security says the global average cost of a data breach reached an all-time high of $4.35 million and warned that the absence of zero trust principles at studied organizations is pushing those costs even higher.

The study, which was conducted in partnership with the Ponemon Institute, notes that global average breach costs have climbed nearly 13% over the last two years, with a whopping 83% of organizations experiencing more than a single data breach.

The "Cost of a Data Breach 2022" report studied about 550 businesses impacted by data breaches between March 2021 and March 2022, and IBM Security said the data covered organizations in 17 countries across the globe.

The report notes a "haunting effect" from breaches, whose after-effects linger, with more than half of breach costs adding up more than a year after the compromise.

"With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services," IBM Security said, noting that about 60% of the studied organizations "raised their product or services prices due to the breach."

The study called special attention to costs borne by critical infrastructure organizations, with average breach costs reaching $4.82 million, much higher than the average costs for businesses in other industries.

The IBM Security study found that companies in the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries were heavily impacted by ransomware attacks (28% were hit by data theft and extortion breaches).

Even worse, the study found that about 20% of critical infrastructure organizations suffered a breach because of a third-party business partner being compromised.

Of the 550 organizations polled for the study, IBM Security said companies with fully deployed security AI and automation systems fared better, with breach costs about $3.05 million less than breaches at organizations with no such defenses.

"This 65.2% difference in average breach cost – between USD 3.15 million for fully deployed versus USD 6.20 million for not deployed – represented the largest cost savings in the study," IBM Security said.

"Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach, known as the breach lifecycle, than those without security AI and automation – 249 days versus 323 days. The use of security AI and automation jumped by nearly one-fifth in two years, from 59% in 2020 to 70% in 2022," it added.

The study also found that companies that implemented zero trust principles were able to better manage costs from data breaches.

Of the 550 organizations participating in the study, IBM Security said a whopping 60% did not deploy zero trust security measures, pushing up post-breach costs. "The organizations that don't deploy zero trust incur an average of $1 million in greater breach costs compared to those that do deploy." 

"Among critical infrastructure organizations, an even higher percentage of 79% doesn’t deploy zero trust. These organizations experienced on average $5.40 million in breach costs, more than $1 million higher than the global average," the report noted.

For the 12th consecutive year, the study found that the healthcare industry had the highest average cost of a breach (in the range of $10 million). Financial organizations had the second highest costs, averaging $5.97 million, followed by pharmaceuticals at $5.01 million, technology at $4.97 million and energy at $4.72 million.

The study also found that organizations that fell victim to ransomware attacks did not reduce costs significantly, even after paying ransom demands to retrieve valuable data. 

"Ransomware victims in the study that opted to pay threat actors' ransom demands saw only $610,000 less in average breach costs compared to those that chose not to pay – not including the cost of the ransom. Factoring in the high cost of ransom payments, the financial toll may rise even higher, suggesting that simply paying the ransom may not be an effective strategy," according to the report.

The study also found major gaps in cloud security deployments, with about 43% of respondents in the "early stages or have not started applying security practices across their cloud environments."

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.