IBM Security: Cost of Data Breach Hitting All-Time Highs

A study commissioned by IBM Security says the global average cost of a data breach reached an all-time high of $4.35 million and warned that the absence of zero trust principles at studied organizations is pushing those costs even higher.

The study, which was conducted in partnership with the Ponemon Institute, notes that global average breach costs have climbed nearly 13% over the last two years with a whopping 83% of organizations experiencing more than a single data breach.

The “Cost of a Data Breach 2022” report studied about 550 businesses impacted by data breaches between March 2021 and March 2022, and IBM Security said the data covered organizations in 17 countries across the globe.

The report notes a “haunting effect” in which costs linger long after a breach, with more than half of breach costs adding up more than a year after the compromise.

“With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services,” IBM Security said, noting that about 60% of the studied organizations “raised their product or services prices due to the breach.”

The study called special attention to costs borne by critical infrastructure organizations with average breach costs reaching $4.82 million, much higher than the average costs for businesses in other industries.

The IBM Security study found that companies in the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries were heavily impacted by ransomware attacks (28% were hit by data theft and extortion breaches).

Even worse, the study found that about 20% of critical infrastructure organizations suffered a breach because of a third-party business partner being compromised.

Of the 550 organizations polled for the study, IBM Security said companies with fully deployed security AI and automation systems fared better, with breach costs about $3.05 million less than breaches at organizations with no such defenses.

“This 65.2% difference in average breach cost – between USD 3.15 million for fully deployed versus USD 6.20 million for not deployed – represented the largest cost savings in the study,” IBM Security said.

“Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach, known as the breach lifecycle, than those without security AI and automation – 249 days versus 323 days. The use of security AI and automation jumped by nearly one-fifth in two years, from 59% in 2020 to 70% in 2022,” it added.

The study also found that companies that implemented zero trust principles were able to better manage costs from data breaches.

Of the 550 organizations participating in the study, IBM Security said a whopping 60% did not deploy zero trust security measures, pushing up post-breach costs. “The organizations that don’t deploy zero trust incur an average of $1 million in greater breach costs compared to those that do deploy.” 

“Among critical infrastructure organizations, an even higher percentage of 79% doesn’t deploy zero trust. These organizations experienced on average $5.40 million in breach costs, more than $1 million higher than the global average,” the report noted.

For the 12th consecutive year, the study found that the healthcare industry had the highest average cost of a breach (in the range of $10 million). Financial organizations had the second highest costs, averaging $5.97 million, followed by pharmaceuticals at $5.01 million, technology at $4.97 million and energy at $4.72 million.

The study also found that organizations that fell victim to ransomware attacks did not reduce costs significantly, even after paying ransom demands to retrieve valuable data. 

“Ransomware victims in the study that opted to pay threat actors’ ransom demands saw only $610,000 less in average breach costs compared to those that chose not to pay – not including the cost of the ransom. Factoring in the high cost of ransom payments, the financial toll may rise even higher, suggesting that simply paying the ransom may not be an effective strategy,” according to the report.

The study also found major gaps in security cloud deployments with about 43% of respondents in the “early stages or have not started applying security practices across their cloud environments.” 


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
