The average cost to an organization hit with a data breach reached a record high this year, though those companies are split on who they believe should foot the bill, according to a report released today by IBM.
The global average for a breach is $4.45 million, a 2.3% increase from 2022 and a 15.3% jump from three years ago. In addition, the costs to enterprises associated with detection and escalation grew 42% since 2020, “representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations,” IBM wrote in its Cost of a Data Breach Report 2023.
At a time when the number and cost of such breaches–95% of the organizations involved in the port had experienced more than one breach–are rising, a question is, who is going to pay for those costs? About 51% plan to increase the investments they make in cybersecurity.
However, 57% said they were more likely to pass the costs associated with attacks onto consumers rather than grow their security investments. That shouldn’t come as too much of a surprise: In last year’s report, IBM noted that 60% of data breaches led to increases in prices that were passed onto customers.
John Dwyer, head of research for IBM’s X-Force threat intelligence unit, told Security Boulevard that cybersecurity is now part of the cost of doing business, so businesses increasing the price of their goods and services if they’re attacked shouldn’t be unexpected.
“What’s more important is that those funds ultimately get funneled back into investments that can improve their security posture in the long run,” Dwyer said. “Unfortunately, in this case, only half of businesses are planning to take this approach, so we’d definitely like to see that figure grow in the future.”
For this thirteenth edition of the report, the Ponemon Institute studied 553 organizations hit with data breaches between March 2022 and 2023, with IBM analyzing the information.
AI and Automation are Key
IBM’s Dwyer noted that while only half of the companies surveyed said they would increase investments in security tools, the report showed that doing so can significantly reduce data breach costs.
The use of AI is an example. Big Blue found organizations that extensively used AI and automated technologies were rewarded with a shorter breach life cycle–the time between identifying and containing a breach–which in turn cut into the overall cost of the attack.
Companies that use both AI and automation technologies saw an average breach life cycle of 214 days, 108 fewer days than organizations’ average of 322 days, resulting in $1.76 million less in costs.
“Time is the new currency in cybersecurity both for the defenders and the attackers,” Chris McCurdy, general manager of IBM’s Worldwide Security Services, said in a statement. “Security teams must focus on where adversaries are the most successful and concentrate their efforts on stopping them before they achieve their goals. Investments in threat detection and response approaches that accelerate defenders’ speed and efficiency–such as AI and automation–are crucial to shifting this balance.”
Such tools also likely will help reduce the costs of an attack by increasing the number of breaches companies’ own security teams can detect themselves. According to the numbers, only a third of breaches in the report were detected by the companies themselves. About 27% were disclosed by the attack (with the rest identified by a benign third party).
Those attacks identified by the perpetrators cost the targeted organizations almost $1 million more than those detected by the companies’ own security teams.
The difference in the time it took to find and mitigate a breach also influenced the overall financial impact. Those companies that detected a breach in fewer than 200 days sustained an average cost of $3.93 million, $1.02 million less than those that took more than 200 days.
More Ways to Reduce Costs
IBM also identified other steps that helped reduce the costs of data breaches, including the use of DevSecOps (the integrated software security testing methodology lessened the impact of companies that adopted the practice by $1.68 million) and incident reporting planning and testing tools ($1.49 million). That said, a highly complex security system could increase the overall costs.
“Organizations that reported low or no security system complexity experienced an average data breach cost of USD 3.84 million in 2023,” IBM wrote in the report. “Those with high levels of security system complexity reported an average cost of USD 5.28 million, representing an increase of 31.6%.”
Another cost saver? Reporting an incident to law enforcement agencies. Ransomware victims that brought in the authorities after a breach save an average of $470,000 compared with those who didn’t. And yet 37% of ransomware victims in the study didn’t call in the law.
Cloud in the Crosshairs
As enterprises continue to migrate their businesses to the cloud, it should come as no surprise that cybercriminals also are looking in that direction. IBM found that 82% of breaches included data stored in public, private, or–as in 39% of the attacks–multi-cloud environments, where the incurred costs were higher than the overall average, at $4.75 million.
Health care organizations–with the massive amounts of personal and medical data they hold and the large number of connected devices they use–are popular targets of ransomware and other threat groups. In every year of the report, the health care industry reported the most expensive breaches and since 2020, the cost of a health care breach has jumped 53.3% to $10.93 million this year.
Pointing to its 2023 X-Force Threat Intelligence Report, IBM wrote that bad actors are making stolen data more accessible to victims whose data has been compromised.
“With medical records as leverage, threat actors amplify pressure on breached organizations to pay a ransom,” the company wrote. “In fact, across all industries studied, customer personally identifiable information was the most commonly breached record type and the costliest.”