As the price of milk, gas, and rent went up in 2022, the cost of a data breach rose right alongside them to peak at the global average of $4.35 million, according to analysis out this week in an annual IBM report.

“With breach costs increasing nearly 13 percent over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services,” IBM said in a press release on the results of its Cost of a Data Breach Report. “In fact, 60 percent of studied organizations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.”

The 2022 report analyzed data breaches from 550 organizations in 17 countries between March 2021 and March 2022. The evaluation found that of the studied organizations, 83 percent of them had experienced more than one data breach in their lifetime.

While the $4.35 million price point was a global average across all industries for data breaches, the report examined different sectors as well: the average cost of a data breach for critical infrastructure organizations was $4.82 million, and for healthcare organizations it was $10.10 million—another record high. Healthcare is a highly regulated industry, making data breaches more costly for the sector compared to others.

Geographically, the United States continues to be the region where data breaches cost the most—tallying an average of $9.44 million—followed by the Middle East at $7.46 million, Canada at $5.64 million, the United Kingdom at $5.05 million, and Germany at $4.85 million. The United States has held the top spot for 12 years.

Data Breach Basics

One bright spot in the 2022 report was that the average time to identify and contain a data breach dropped 10 days, down to 277 from 287 in 2021. That figure, however, is still far above the 2017 average of 257 days. Further analysis also found that—not surprisingly—the longer a data breach lasts, the more it costs.

“A data breach lifecycle of less than 200 days was associated with an average cost of $3.74 million in 2022, compared to $4.86 million for breaches with a lifecycle of greater than 200 days,” according to the report. “This difference represents an average cost savings of $1.12 million, or 26.5 percent, for breaches with the shorter than 200-day lifecycle.”

When asked about the 277-day average for breach identity and containment, John Hendley, head of strategy for IBM Security X-Force, says there are two main factors at play: IT environments for businesses are more complex than ever, and the number of breaches continues to grow significantly while incident response professionals remain in short supply.

"Between 2020 and 2021, IBM X-Force saw a nearly 25 percent increase in incident response engagements, meaning there's just a higher volume of cyberattacks than a finite number of talent is tasked with responding to," he adds. 

For the first time in six years, detection and escalation costs passed lost business costs as a result of a data breach, rising from $1.24 million in 2021 to $1.44 million in 2022. Detection and escalation includes forensic and investigative activities, assessments and auditing, crisis management, and communications to executive leadership.

Along with the costs associated with breaches, the report also assessed how threat actors were breaching organizations in the first place. The most common method—19 percent of breaches—was using stolen or compromised credentials to gain access to targets, followed by phishing (16 percent), cloud misconfigurations (15 percent), and vulnerability from third-party software (13 percent).

Security Measures in Play

What difference does having a security measure in place make in data breach costs? The 2022 report attempted to calculate that, analyzing how 28 different security measures impacted the overall cost of a breach.

“AI platforms, a DevSecOps approach, and use of an incident response (IR) team were the three factors associated with the highest cost decrease compared to the mean cost of a data breach,” the researchers found. Implementing AI platforms, for instance, dropped the average price of a data breach by approximately $300,075. Organizations that had “fully” deployed security AI and automation had an average total cost of $3.15 million for a data breach, compared to $6.20 million for those without these measures in place.

“On the other hand, security system complexity, occurrence of cloud migration when the organization is in the process of migrating to the cloud, and compliance failures were the three factors associated with the highest net increase in the average cost,” according to the report.

The researchers also identified that organizations with mature zero trust deployment had data breach costs $1.5 million lower than organizations that were at the early adoption phase for zero trust.

Zero trust is a framework that businesses can use to build their security strategies, Hendley says, adding that in simple terms it consists of three elements: explicit verification of who and what are on networks and systems; enabling least privilege; and assuming breach. 

"Yes, there can be a lot of technology that goes behind implementing these principles, but fundamentally it requires people and expertise," Hendley adds. "I sometimes see less mature organizations try to buy a piece of technology to check a 'zero trust box.' It just doesn't work. Organizations that are truly mature with zero trust don't just buy the technology, they empower teams to configure, operate, and redesign existing systems in a truly transformative way to meet those three main elements."

Other Findings of Note

Another bright spot in the report was the finding that the cost of ransomware breaches in 2022 was down slightly—from $4.62 million in 2021 to $4.54 million in 2022—despite the frequency of ransomware breaches rising, from 7.8 percent of breaches analyzed in 2021 to 11 percent in 2022.

Not including the ransom itself, the average cost of a ransomware breach was higher for organizations that chose not to pay up. The report based this finding on activities, “such as detection of the attack and loss of business due to system downtime.” Those that chose not to pay the ransom spent an average of $5.12 million to recover, compared to $4.49 million for those who did.

Besides ransomware, supply chain attacks were also a feature in this year’s data set with 19 percent of organizations saying their data breach was the result of a supply chain compromise. These breaches cost an average of $4.46 million and 303 days to identify and contain.

The researchers also took a look at how remote work is impacting data breaches, finding that breaches cost about $1 million more when remote work is a factor. When asked why there was this cost increase, Hendley says there are several possibilities in play.

"For example, these breached organizations may not have proper security measures in place to support a remote/hybrid setup," he explains. "The fact of the matter is that hybrid and remote work is here to stay. Cybersecurity risks aren't going to stop that trend."

Hendley adds that many businesses during the last few years have been on a "sprint to the cloud" to become more agile, which is generally a positive thing. 

"But this is a double-edged sword because increased agility can create more dispersed environments, which can introduce more opportunity for attackers when not secured appropriately," he says.

Those appropriate security measures could also include employees as researchers found that organizations save $550,000 on average when they are sufficiently staffed.

“Only a little more than one-third of organizations had sufficiently staffed security teams,” according to the report. “Just 38 percent of organizations said their security teams were sufficiently staffed to meet their security management needs, while 62 percent said they weren’t sufficiently staffed.”

Next Steps for 2023

Along with highlighting the costs of data breaches in 2022, the report also included recommendations for security practitioners to reduce their risks for 2023. The recommendations fit into five overall categories:

1. Adopt a zero trust model.
   
   
2. Protect sensitive data in the cloud environment through encryption and policy controls.
   
   
3. Invest in XDR and SOAR to reduce response times and improve detection.
   
   
4. Utilize tools to monitor and protect endpoints and remote workers.
   
   
5. Create and test incident response playbooks.

Keeping the increasing number of incidents security teams need to respond to in mind, Hendley adds that companies need to shift their focus away from prevention to detection and response.

"Many are still laser focused on the idea that it's possible to stop an attacker from getting in," he says. "I'm a hacker, and I can tell you there is always a way in. So we need to shift our focus from perfection to detecting and stopping the adversary from completing their objective."

This could involve, for instance, threat hunting, conducting penetration testing and adversary simulation exercises, and regularly testing incident response playbooks.

"A breach shouldn't be the first time you look at your playbook—you should be familiar with the steps you need to take, the stakeholders you need to mobilize, and the protocols you need to activate to quickly and effectively respond to an incident," Hendley says.