What is the Cost of a Data Breach in 2023? | UpGuard (2024)

In 2022, the average cost of a data breach reached a record high of US$4.35 million, according to the 2022 Cost of a Data Breach Report by IBM and the Ponemon Institute. However, many experts estimate that average costs could reach $5 million in 2023.

The report by Ponemon Institute and IBM Security takes into account hundreds of cost factors from legal, regulatory, and technical activities, loss of brand equity, customer turnover, and drain on employee productivity. Its findings are based on 550 breaches across 17 countries and 17 industries with data gathered from over 3,600 interviews.

In this post, we summarize the critical findings of the report to help you align your data security and data breach prevention strategies against the key risk factors in 2023.

17 Key Findings of the 2022 IBM Cost of Data Breach Report

The 17th Cost of a Data Breach Report by IBM and the Ponemon Institute had 13 key findings:

1. Average Total Data Breach Cost Increased by 2.6%

The yearly average data breach cost increased the most between the years 2020 and 2021 - a spike likely influenced by the COVID-19 pandemic.


The average data breach cost in 2022 is $4.35 million, a 2.6% rise from the 2021 amount of $4.24 million.


2. Average Breach Cost was Almost USD 1 Million Higher Where Remote Work was a Factor

Organizations adopting some form of a remote working model paid an average of US$ 4.99 million for data breach damages, almost US$ 1 million more than organizations where remote work is not a factor.


3. The Cost of a Data Breach was the Highest in the Healthcare Industry (again)

For the twelfth consecutive year, the healthcare industry has the highest data breach costs. In 2022, the healthcare industry is paying an average of US$ 10.10 million for a data breach, 9.4% more than the figure in 2021.

4. Lost Business Was Not the Primary Factor of Data Breach Costs.

Lost business costs decreased for the first time in 6 years, removing this category from its position as the primary factor influencing data breach costs. Lost business costs in 2022 totalled USD 1.42 million, compared to USD 1.59 million in 2021.

5. Compromised Credentials was the Most Common Initial Attack Vector in 2022

Compromised credentials, such as compromised business emails, facilitated 19% of data breaches. Comparing this data to the 2021 results reveals a concerning upward trend in data breach costs caused by compromised third-party vendors. Data breach costs involving third-party breaches as the initial attack vector rose from US$ 4.33 million in 2021 to US$ 4.55 million. The greatest increase was associated with system errors, which increased by $480,000.

Four initial attack vectors experienced a decrease in associated breach damage costs - business email compromise, social engineering, accidental data loss, and malicious insider, which experienced the largest cost difference.

Learn more about estimating the financial impacts of cyber risks >


The top 5 most expensive data breach attack vectors in 2021 are:

  • Business email compromise - $4.89 million (compared to $5.01 million in 2021).
  • Phishing - $4.91 million (compared to $4.65 million in 2021).
  • Malicious insiders - $4.18 million (compared to $4.61 million in 2021).
  • Social engineering criminal attacks - $4.10 million (compared to $4.47 million in 2021).
  • Vulnerabilities in third-party software - $4.55 million (compared to $4.33 million in 2021).

Click here to get a free preliminary evaluation of your organization's data breach risk.

7. Average Number of Days to Identify and Contain a Breach was 277

The longer a breach remains undetected, the higher the financial impact will be. The new average of 277 days is 10 days less than 2021 results. Note that average data breach costs still increased despite the slight decrease in detection times.

Ransomware breaches are the hardest to detect, taking about 49 days longer; and supply chain breaches took about 26 days longer to detect. The significant impact of threat detection time on data breach damage costs highlights the importance of efficient risk remediation planning.


8. XDR Technology Reduced the Data Breach Lifecycle to 29 Days

Organizations that deployed an XDR solution compressed the data breach lifecycle to just 29 days. In other words, with XDR technology, organizations can respond to a breach event in less than a month, compared to 10 months (or 304 days) for organizations without XDR technology.

9. Mega Breach Damage Costs Decreased

Damage costs across 6 categories of mega breaches decreased compared to 2021 results, with the exception of breaches in the 20 - 30 million record category which increased slightly by US$11 million.


10. Zero Trust Strategies Reduced the Average Cost of a Data Breach by $1.76 Million

Companies that implemented a zero-trust architecture paid an average of US$ 4.15 million for a data breach. Those without zero trust strategies paid $1.76 million more - US$ 5.10 million.


11. Security AI and Automation Controls Reduced Data Breach Costs by 70%

Security AI and automation controls helped businesses detect and contain data breaches much faster, pushing damage costs down. Organizations with fully deployed security AI and automation paid an average of US$ 3.05 million for data breach damages, US$ 1.3 million less than the global average across all security environments, and they detected breaches faster - 249 days compared to 323 days with no AI and automation solutions.

It seems that more organizations are recognising the security and cost benefits of AI mechanisms and automation efforts. Instances of fully deployed AI and automation systems increased from 25% in 2021 to 31% in 2022.

The effectiveness of intelligent Incident Response planning has been further highlighted in the 2022 report. The formation of an IR team is one of the top three factors minimizing data breach costs - a finding that's further explored in point 15 below.


12. Data Breaches in Hybrid Cloud Environments Cost $440,000 Million Less than Public, Private, and On-Premise Cloud Models

Hybrid cloud environment data breaches cost an average of US$ 3.80 million, compared to US$4.24 million in a private cloud environment.

13. Organizations with High Compliance Failures Paid an Average of $1.22 Million More for Data Breaches

Both system complexity and degree of compliance failures contributed to the higher cost of data breaches.

Learn more about compliance monitoring >

14. Average Cost of a Ransomware Breach was $4.54 Million

The average ransomware breach cost more than the average data breach - US$ 4.54 million compared to $4.35 million.

8% of analyzed breaches in this report were caused by ransomware attacks, compared to 7.8% in 2021.

Learn the difference between a ransomware attack and a data breach >

15. Organizations with an Incident Response Plan Significantly Reduced Data Breach Costs

Organizations with a well-designed Incident Response Plan reduced data breach damage costs by 61%, paying US$ 2.66 million less than the global average.

Learn how to design an effective Incident Response Plan >

16. The Average Cost of a Critical Infrastructure Data Breach is $4.82 Million

Critical infrastructures pay about US$ 1 million more for a data breach compared to other industries. Ransomware attacks also appear to be increasing in this sector. The report found that 28% of surveyed critical infrastructures suffered a destructive ransomware attack.

Ransomware attacks were responsible for 11% of breaches in the 2022 report.


17. Supply chain attacks took 26 days longer to identify

Supply chain attacks - breaches that are facilitated by a compromised third-party vendor - are becoming a critical problem. For the first time in the history of this annual data breach report, supply chain compromise events were considered. It was discovered that almost 20% of all analyzed breaches in this report were caused by compromised third-party vendors in the supply chain.

Due to the increased complexity of these events, supply chain breaches took 26 days longer to detect than the global average data breach lifecycle. They also cost more, US$ 4.46 million compared to the global average of $4.35 million.

Learn how to mitigate the impact of a supply chain attack in 2023 >


What was the Biggest Contributor to Data Breach Costs in 2022?

Time was found to be the biggest contributor to data breach costs. This makes sense: the longer a breach remains undetected, the more sensitive data can be exfiltrated by cybercriminals.

The negative financial impact of delayed remediation further compounds when business is lost due to system outages and customer turnover.

Organizations should set a breach detection threshold of 200 days. Events that were detected within a 200-day lifecycle had an average damage cost of US$ 3.74 million, compared to US$ 4.86 million for events with a lifecycle of more than 200 days.


How Long Do Data Breaches Impact Organizations?

Data breach costs accrue over several years. The 2022 cost of a data breach study found that, on average, 52% of data breach costs were incurred in the first year, 29% in the second year, and 19% more than 2 years after the event.


Organizations in highly regulated industries, such as healthcare organizations and financial services, suffered the worst long-tail costs with the cost of a breach rising in the second and third years compared to low-regulated industries.

High data protection regulatory environments incurred 45% of breach costs in the first year, 31% in the second year, and 24% more than 2 years after a breach.

This is likely driven by new regulatory fines and the introduction of breach notification laws like GDPR.

Learn how to manage regulatory risk in cybersecurity.

How Long was the Average Breach Lifecycle?

A breach lifecycle is the time between a data breach occurring and its containment.

In 2021, it took an average of 212 days to identify a breach and 75 days to contain it; amounting to a 287 day breach lifecycle.

In 2022, the average time to identify a breach is 207 days, and the average time to contain it is 70 days; totalling a 277 day breach lifecycle - a drop of 10 days compared to 2021 data.

The faster a data breach is identified and contained, the lower the damage costs.

Click here to learn how strategic remediation planning can help you lower the data breach lifecycle.

What is the Average Cost of a Data Breach by Country?

Data breaches in the United States continue to be vastly more expensive than other countries, with an average total of US$ 9.44 million (more than double the global average).

The Middle East is the second most expensive region for data breaches, averaging US$ 6.46 million in 2022.

Canada is ranked third with an average data breach cost of US$ 5.64 million in 2022.

Author: Gov. Deandrea McKenzie
