IBM Security: Cost of Data Breach Hitting All-Time Highs

A study commissioned by IBM Security says the global average cost of a data breach reached an all-time high of $4.35 million and warned that the absence of zero trust principles at studied organizations is pushing those costs even higher.

The study, which was conducted in partnership with the Ponemon Institute, notes that global average breach costs have climbed nearly 13% over the last two years with a whopping 83% of organizations experiencing more than a single data breach.

The “Cost of a Data Breach 2022” report studied about 550 businesses impacted by data breaches between March 2021 and March 2022, and IBM Security said the data covered organizations in 17 countries across the globe.

The report notes a “haunting effect” from breaches, with after-effects that linger and more than half of breach costs adding up more than a year after the compromise.

“With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services,” IBM Security said, noting that about 60% of the studied organizations “raised their product or services prices due to the breach.”

The study called special attention to costs borne by critical infrastructure organizations with average breach costs reaching $4.82 million, much higher than the average costs for businesses in other industries.

The IBM Security study found that companies in the financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries were heavily impacted by ransomware attacks (28% were hit by data theft and extortion breaches).

Even worse, the study found that about 20% of critical infrastructure organizations suffered a breach because of a third-party business partner being compromised.

Of the 550 organizations polled for the study, IBM Security said companies with fully deployed security AI and automation systems fared better, with breach costs about $3.05 million less than breaches at organizations with no such defenses.

“This 65.2% difference in average breach cost – between USD 3.15 million for fully deployed versus USD 6.20 million for not deployed – represented the largest cost savings in the study,” IBM Security said.

“Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach, known as the breach lifecycle, than those without security AI and automation – 249 days versus 323 days. The use of security AI and automation jumped by nearly one-fifth in two years, from 59% in 2020 to 70% in 2022,” it added.

The study also found that companies that implemented zero trust principles were able to better manage costs from data breaches.

Of the 550 organizations participating in the study, IBM Security said a whopping 60% did not deploy zero trust security measures, pushing up post-breach costs. “The organizations that don’t deploy zero trust incur an average of $1 million in greater breach costs compared to those that do deploy.” 

“Among critical infrastructure organizations, an even higher percentage of 79% doesn’t deploy zero trust. These organizations experienced on average $5.40 million in breach costs, more than $1 million higher than the global average,” the report noted.

For the 12th consecutive year, the study found that the healthcare industry had the highest average cost of a breach (in the range of $10 million). Financial organizations had the second highest costs, averaging $5.97 million, followed by pharmaceuticals at $5.01 million, technology at $4.97 million and energy at $4.72 million.

The study also found that organizations that fell victim to ransomware attacks did not reduce costs significantly, even after paying ransom demands to retrieve valuable data. 

“Ransomware victims in the study that opted to pay threat actors’ ransom demands saw only $610,000 less in average breach costs compared to those that chose not to pay – not including the cost of the ransom. Factoring in the high cost of ransom payments, the financial toll may rise even higher, suggesting that simply paying the ransom may not be an effective strategy,” according to the report.

The study also found major gaps in security cloud deployments with about 43% of respondents in the “early stages or have not started applying security practices across their cloud environments.” 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
