IBM has released its 17th annual Cost of a Data Breach report, providing security professionals with some valuable insight that can help mitigate the rising cost of data breaches.
The research was conducted independently by the Ponemon Institute and analyzed and published by IBM Security. Participating in the study were 550 organizations that experienced a data breach between March 2021 and March 2022, spanning 17 countries and regions in 17 industries. More than 3,600 interviews were conducted with individuals from these organizations.
With each annual release of this report, IBM aims to improve upon past research and keep up with new trends in technology and events. Specifically, this year's edition takes a broader look at some of the leading contributors to higher data breach costs, including the effects of supply chain compromises and the cybersecurity skills gap.
The global average cost of a data breach reached a new all-time high of $4.35 million, up 13% over the last two years. The research also notes that 60% of the organizations studied raised the prices of their products or services because of a breach, a troubling trend at a time when the cost of goods is already rising rapidly worldwide due to inflation and supply chain issues.
IBM provides several eye-opening statistics in the report, such as that 83% of organizations experienced more than one data breach and that the average time to identify and contain a breach was 277 days.
But the tech giant highlighted seven key findings from the report, which are:
Critical Infrastructure Lags in Zero Trust — Almost 80% of the critical infrastructure organizations studied have not adopted a Zero Trust strategy, and their average breach cost rose to $5.4 million—$1.17 million more than those that have. Meanwhile, 28% of breaches among these organizations were ransomware or destructive attacks.
It Doesn't Pay to Pay — Ransomware victims in the study that opted to pay the threat actors' ransom demand saw only $610,000 less in average breach costs than those that chose not to pay—and that figure does not include the cost of the ransom itself. Once a ransom payment is factored in, the financial toll may be higher than not paying at all, suggesting that simply paying the ransom is not an effective strategy.
Security Immaturity in Clouds — Forty-three percent of the organizations studied are in the early stages of applying security practices across their cloud environments, or have not started, and they incurred on average over $660,000 more in breach costs than organizations with mature security across their cloud environments.
Security AI and Automation Leads as Multi-Million Dollar Cost Saver — Participating organizations that had fully deployed security AI and automation incurred $3.05 million less on average in breach costs than organizations that have not deployed the technology—the biggest cost saver observed in the study.
Phishing Becomes Costliest Breach Cause — While compromised credentials continued to reign as the most common initial cause of a breach (19%), phishing was the second most common (16%) and the costliest cause, leading to $4.91 million in average breach costs for responding organizations.
Healthcare Breach Costs Hit Double Digits for First Time Ever — For the twelfth year in a row, healthcare participants saw the costliest breaches amongst industries with average breach costs in healthcare increasing by nearly $1 million to reach a record high of $10.1 million.
Insufficient Security Staffing — Sixty-two percent of studied organizations stated they are not sufficiently staffed to meet their security needs, averaging $550,000 more in breach costs than those that state they are sufficiently staffed.
IBM's 59-page report contains plenty of useful information, but it can be a lot to sift through and absorb, which is one of the reasons SecureWorld News provides professional insight on reports and other news stories. Here are some thoughts from security experts regarding the Cost of a Data Breach report.
Hank Schless, Senior Manager of Security Solutions at Lookout, shared this:
"Each year that IBM releases its report, the average cost of a breach increases. The value of sensitive data is increasing, and as a byproduct of that the long-term damage to a company that experiences a breach is getting ever more costly. The numbers found in this report should be a wake-up call to anyone who thinks data security and infrastructure integrity can take a back seat to other priorities.
The findings in this report show how challenging it is for organizations to keep their security practices up with the speed of cloud adoption. This pain is only aggravated for organizations that weren't born in the cloud and need to go through a massive infrastructure transformation to move their data from legacy on-premises servers to the cloud.
The migration process can take years, which makes it important to be able to secure data that is both on-prem and in the cloud. Security platforms that can provide both Zero Trust Network Access (ZTNA) and Cloud Access Security Broker (CASB) solutions are invaluable in securing the migration process while ensuring data protection and compliance practices don't slip up at any point."
Tim Mackey, Principal Security Strategist at Synopsys, provides some additional context:
"Since President Biden elevated the risks associated with software supply chains in his Executive Order on Cybersecurity in 2021, it was interesting to look at the IBM Data Breach Report through that lens.
If we take the average time to identify and contain a data breach as our baseline, we find that addressing third-party vulnerabilities and addressing supply chain breaches both take longer than the already excessive 277-day average, with supply chain breaches taking almost a full month longer to address. Considering that 19% of breaches related to supply chain attacks, and that 13% of the attack vectors included a third-party vulnerability, the importance of understanding the risks present in your software supply chains and developing risk mitigation strategies can't be understated.
If your organization can't identify the source for all the software and services it depends upon, effectively your software suppliers, and doesn't have a current threat response plan identifying the risks present in those suppliers, then remediating that lack of risk visibility should be your main take-away from this report."