IBM Security has released a report putting the average cost of a data breach in 2021-22 at $4.35 million per incident, a record high, up 12.7% over the last two years and 2.6% from last year's $4.24 million.
The report covers breaches that occurred between March 2021 and March 2022 at 550 organisations across 17 countries and regions. 83% of those organisations had suffered more than one breach; for 17% it was their first. 60% said they had raised prices for their products and services to recoup breach losses.
US organisations suffered the most, with an average cost of $9.44 million, up 4.3%. The Middle East was next at $7.46 million. Canada, the UK and Germany rounded out the top five at $5.64 million, $5.05 million and $4.85 million per breach, respectively. Not all 17 markets got worse, though: six, including France, South Korea and Japan, saw their average breach cost fall.
The report puts the average time to identify a breach at 207 days, plus another 70 days to contain it, a combined breach lifecycle of 277 days. Both figures improved slightly on last year's 212 and 75 days.
Stolen credentials, phishing and IT failure are the top causes of data breaches
The most common initial attack vector was stolen or compromised credentials, behind around 19% of breaches. These cost $4.5 million on average and took 243 days to identify and a further 84 days to contain, the longest breach lifecycle of any vector.
Phishing came next, at 16% of breaches, but was the costliest vector, averaging $4.91 million per incident.
Human error accounted for 21% of breaches and IT failure (including errors in source code and process failures) for 24%. Supply chain compromises were behind about 19% of breaches; they cost $4.46 million on average, and their lifecycle ran 26 days longer than the global average of 277 days.
Ransomware accounted for around 11% of breaches. That may not sound alarming next to the other causes, but it is up from 7.8% last year, a 41% growth rate. The average cost of a ransomware breach, however, dipped to $4.54 million from $4.62 million last year.
Healthcare suffered the most
The healthcare sector suffered the highest breach costs of any industry, at $10.1 million per incident, up 41.6% since 2020.
Finance came in second, averaging a loss of $5.97 million per incident, followed by pharmaceuticals, technology, and energy, averaging $5.01 million, $4.97 million, and $4.72 million per incident, respectively.
Organisations running critical infrastructure, a category spanning financial services, energy, transport, healthcare and government, averaged $4.82 million per breach, about $1 million more than organisations in other industries.
The causes follow the same pattern: 28% of critical infrastructure organisations suffered a ransomware or destructive attack, and 17% were breached through their supply chain, with a business partner as the initial point of compromise.
Security AI and automation helped bring costs down
Organisations with fully deployed security AI and automation saw breach costs $3.05 million lower on average than those with none, and identified and contained breaches 74 days faster. Adoption keeps rising: 70% of this year's respondents use such tools, up from 59% in 2020.
Nearly 80% of critical infrastructure organisations had no zero-trust strategy. Their breaches cost an average of $5.4 million, $1.17 million more than at peers with a zero-trust approach in place. Across all respondents, around 41% now follow a zero-trust framework, up from 35% last year.
Cloud breaches were also expensive: 44% of breaches involved cloud environments. Breaches in hybrid cloud environments cost $3.8 million per incident, versus $4.24 million for private cloud and $5.02 million for public cloud.
43% of organisations were in the early stages of, or had not started, applying security practices across their cloud environments; they saw breach costs at least $660,000 higher than organisations with mature cloud security.
Extended detection and response (XDR) tooling, used by 44% of the organisations surveyed, shortened the breach lifecycle by about a month on average; organisations without it took 304 days to identify and contain a breach.
Paying the ransom is not advisable, but organisations that did pay reported breach costs $610,000 lower (excluding the ransom payment itself) than those that did not.
Perhaps most striking, 341 of the 550 organisations surveyed (62%) said they were not adequately staffed to meet their security needs. Those organisations saw breach costs $550,000 higher than organisations with sufficient security staff.