IBM has released its annual “Cost of a Data Breach Report” for the 17th time. As in previous years, the data was collected independently by the market researchers at the Ponemon Institute. In over 3,600 interviews, employees at more than 550 companies were surveyed on data breaches occurring between March 2021 and March 2022 – in 17 countries and across 17 sectors.
According to the report, the average cost of a data breach in 2022 reached an all-time high of USD 4.35 million, an increase of almost 3% over the previous year (2021: USD 4.24 million). Compared with the report from 2020 (USD 3.86 million), the average cost has risen substantially by 12.7%. By the way: As many as 60 percent of the companies stated that they had passed on the increased costs incurred due to data breaches to their customers by raising the price of their products or services, while 83 percent of the companies suffered multiple data breaches.
The survey also reveals that the average cost of a data breach at companies providing critical infrastructure was even higher at USD 4.82 million – almost a million dollars more than the average cost in other sectors. Critical infrastructure includes financial services, industrial, technology, energy, transportation, communication, healthcare, education, and public sector industries. While 28 percent of these organizations reported experiencing a destructive or ransomware attack, 17 percent suffered a data breach as a direct result of a business partner being compromised.
Phishing attacks most expensive
The most common cause of data breaches remains stolen or compromised login credentials. In the latest survey, it was the attack vector most often employed – in 19 percent of all cases (2021: 20 %). The breach costs resulting from such attacks amounted to an average of USD 4.5 million. At the same time, these breaches had the longest life cycle. On average, 243 days passed before each breach was discovered and it took another 84 days to contain it. The second most common cause for a breach was phishing, playing a role in 16 percent of all breaches. Phishing breaches were also the most expensive, setting companies back USD 4.91 million on average. This again underlines just how crucial it is for an organization to safeguard its business-critical communication as securely as technically possible – for instance with Retarus’ Secure Email Platform – as well as carrying out cyber security awareness training.
One of the more recent trends in the field of IT security is the adoption of zero trust architecture. Only 41 percent of the companies participating in the study said they had deployed a zero trust approach to security. However, the survey shows that it indeed pays off. On average, those employing a zero trust architecture forked out USD 1 million less in the event of a breach than the 59 percent who didn’t. When it comes to critical infrastructure organizations, an even higher proportion of companies (79 percent) are yet to start employing a zero trust approach. These organizations incurred breach costs of USD 5.40 million on average, also over USD 1 million higher than the global average.
Remote working represents a cost risk
When remote working played a role in causing a data breach, the costs to the organization were almost a million dollars higher than for breaches in which working remotely wasn’t a factor — USD 4.99 million as opposed to USD 4.02 million. Breaches in which remote work featured cost on average about USD 600,000 more than the global average.
Of the breaches recorded in the report, 45 percent took place in the cloud. The least expensive data breaches, comparatively speaking, were breaches occurring in hybrid cloud environments with an average cost of USD 3.80 million, while breaches in private clouds amounted to USD 4.24 million and those in public clouds setting organization back an average of USD 5.02 million per breach. Not only were the costs lower for hybrid cloud users (27.6 percent compared with public cloud), but the breach lifecycles were shorter than for companies using either private or public clouds exclusively.
Healthcare data breaches reach record heights
Considering the sensitive data the sector deals with, it comes as no surprise that healthcare remains the sector in which data breaches are most costly on average for the twelfth year running. Here, the average cost of a breach was USD 10.1 million, a rise of almost a million US dollars over the previous year and 41.6 percent higher than reported in 2021. Breaches in the financial sector were the second most costly at USD 5.97 million, followed by the pharmaceutical industry (USD 5.01 million), technology (USD 4.97 million) and energy (USD 4.72 million).
From a geographical perspective, data breaches in the United States were most expensive, averaging USD 9.44 million. Lining up behind the US are the Middle East (USD 7.46 million), Canada (USD 5.64 million), the United Kingdom (USD 5.05 million) and Germany (USD 4.85 million). Just like the healthcare sector, the United States has topped the list for 12 years in succession. The country with the fastest growth in costs over last year was Brazil, however, which recorded a 27.8% increase from USD 1.08 million to USD 1.38 million.
The full new “Cost of Data Breach Report”, including a wide range of additional details, explanations, and comments on the survey methodology, can be downloaded from the IBM website after registering.
