The Cost of a Data Breach Is Increasing
The average cost of a corporate data breach rose 10 percent year-over-year to $4.88 million. That figure includes operational downtime, lost customers, and post-breach costs such as additional customer service expenses and regulatory fines.
The finding comes from IBM's 2024 Cost of a Data Breach Report, released Tuesday, which examines breaches experienced by 604 organizations between March 2023 and February 2024. IBM has been publishing this analysis for 19 years.
Some of the high-level findings:
- $9.36 million—the average cost of a data breach in the United States, the most expensive of the countries and regions in the study, though a small decrease from 2023. Rounding out the top five most expensive regions are the Middle East ($8.75 million); Benelux (Belgium, the Netherlands, Luxembourg; $5.9 million); Germany ($5.31 million); and Italy ($4.73 million).
- 35 percent—the share of breaches that involved shadow data. Shadow data is corporate data stored outside the centralized, secured data management framework run by IT. It usually arises when workers, whether carelessly or maliciously, copy data to unauthorized applications, storage devices, or cloud storage that is neither inventoried nor monitored. Breaches involving shadow data took longer to identify and contain and cost more.
- 292 days—the average time to identify and contain breaches involving compromised credentials, the attack vector with the longest lifecycle in the study. Other identity-centric attacks with long lifecycles were phishing (261 days) and social engineering (257 days).
- $1 million—the average cost savings when companies involved law enforcement in a ransomware attack. In addition, two-thirds of organizations that involved law enforcement did not end up paying a ransom, and involving law enforcement shortened the time to identify and contain the breach from 297 days to 281 days.
- $9.77 million—the average cost of a data breach in healthcare, the highest of the sectors studied, though down from $10.93 million in the 2023 study. The next most expensive sectors were financial ($6.08 million), industrial ($5.56 million), and technology ($5.45 million).
Other Findings of Note
In addition to taking the longest to identify and contain, breaches that began with compromised credentials were also the most common initial attack vector, accounting for 16 percent of breaches. Combined with phishing and social engineering, identity-based vectors account for 37 percent.
Another concerning vector was the malicious insider, which took the second-longest time to identify and contain at 287 days and, at $4.99 million per incident, was the most costly initial attack vector.
Speed of detection and containment makes a large difference in cost: breaches with lifecycles longer than 200 days cost 33 percent more than those contained within 200 days.
Overall, malicious or criminal attacks caused most breaches (55 percent). IT failures, such as exploitation of zero-day vulnerabilities, unpatched systems, or misconfigured cloud systems, accounted for 23 percent, and human error for the remaining 22 percent.
Next Steps for Security Practitioners
The report makes the following recommendations for reducing the number and severity of data breaches.
Know your information landscape. Organizational data storage continues to grow more complex, typically spanning on-premises systems, private cloud, and public cloud. IT departments often have an incomplete picture of where data lives, which complicates detection and slows incident response.
Understanding the organization's shadow data is also important. That means both training staff on security policies and understanding when and why workers resort to unsanctioned storage, so IT can respond appropriately.
Strengthen prevention strategies with AI and automation. Generative AI (gen AI) models, third-party applications, software-as-a-service, and Internet-connected systems have significantly expanded the attack surface.
Applying AI and automation to attack surface management, red teaming, and posture management was the single biggest way AI use contributed to lower breach costs, according to the study. (Note: IBM, the backer of the study, has several AI solutions.)
Take a security-first approach to generative AI. According to a different IBM report, only 24 percent of organizations are securing their gen AI initiatives.
As gen AI applications grow in number and complexity, organizations need policies and procedures governing which data sources may be used to train gen AI models.
Shadow data practices create additional challenges here: workers could inadvertently expose corporate data to gen AI if they save it to a service that uses stored customer data to train a model. Using services, or developing in-house methods, to scan gen AI models for the presence of sensitive corporate data can help address this issue.
Level up cyber response training. “How an organization reacts and communicates during and after a breach—with business leadership, regulators and customers—matters more than ever,” according to the IBM report. “To enhance their ability to handle high impact attacks, organizations can build up their muscle memory for breach responses by participating in cyber range crisis simulation exercises.”