The average cost of data breaches surged to $4.25 million in 2022, the highest figure on record, according to IBM’s annual 2022 Cost of Data Breach report. The latest figure represents an increase of 2.59% and 12.69% from what data breaches cost organizations in 2021 ($4.24 million) and 2020 ($3.86 million), respectively.
The financial impact of data breaches continued to worsen for the second consecutive year after slightly declining in 2020. This could result from “longtail” costs, or the costs that accrue in later years in the aftermath of a data breach.
In highly-regulated industries, an average of 24% of data breach costs were accrued more than two years after the breach occurred. In sectors with a low regulatory environment, 8% of breach-related expenses accumulated more than two years after a breach. The 17th edition of IBM’s Cost of Data Breach report analyzes data breaches that occurred between March 2021 and March 2022.
In this period, the average breach per record cost also climbed to $164. To compensate for losses from these data breaches, IBM discovered that 60% of organizations increased the prices of their products and services.
With $9.44 million, the United States led the rest with the highest average cost of data breaches for the 12th year in a row. Middle Eastern countries ($7.46 million), Canada ($5.64 million), the United Kingdom ($5.05 million) and Germany ($4.85 million) featured among the top five countries where data breaches cost organizations the highest.
However, despite featuring in the top five, the average cost of data breaches in Germany has decreased by 0.81% since 2021. Other countries that saw a reduced average data breach cost are Japan (#6), France (#7), South Korea (#9), Scandinavia (#15) and Turkey (#17).
Industry-wise, healthcare has remained undefeated regarding cybercriminal interest for twelve years in a row. The sector, delineated as critical infrastructure by the U.S. government, recorded the highest total average cost of breaches in 2022 at $10.10 million.
Average Cost of Data Breach by Industry Measured in $ Millions | Source: IBM
Healthcare data breach costs have climbed by 41.6% since 2020 and 9.42% since 2021. Compared to last year, the top five industries that averaged the highest costs remained the same in 2022.
And it seems like victim organizations are being re-targeted. Just 17% of the organizations targeted in the study period said it was the first time they suffered a data breach. The remaining 83% were previously victimized by malicious actors.
The average time to identify and contain a data breach in 2022 is 277 days, 10.7% less than 2020’s 280 and 3.7% less than 2021’s 287.
Average Time to Identify and Contain a Data Breach | Sources: IBM
The top five initial attack vectors for known data breaches that proved to be the most expensive were phishing, business email compromise (BEC), security vulnerabilities, stolen or compromised credentials, and malicious insiders.
Initial attack vectors by sheer compromise numbers in 2022 include stolen or compromised credentials (19%), phishing (16%), cloud misconfigurations (15%), security vulnerabilities in third-party software (13%), and insider threats (11%).
Average Cost and Frequency of Data Breaches by Initial Attack Vector | Source: IBM
There exists a direct correlation between the cost of the data breach and the data breach lifecycle (time elapsed between the first detection of the breach and its containment). For instance, data breaches through BEC had the second-longest breach lifecycle. BEC was also the second most expensive data breach initial attack vector.
Additionally, IBM assessed that data breach costs dropped by almost 26.5% if the breach lifecycle is less than 200 days.
Besides the data breach lifecycle, there are 28 other factors that IBM measured that influence the average cost of data breaches. Twenty of these could help lower data breach costs, while eight could increase them.
Impact of Key Factors on the Average Total Cost of a Data Breach | Source: IBM
Specifically, leveraging AI and automation to identify and contain incidents and intrusion attempts instead of manual processes can be a key differentiator. Organizations using security AI and automation incurred 65.2% ($3.15 million) less data breach costs compared to those who didn’t ($6.2 million).
IBM said that organizations with fully or partially deployed security AI and automation, which also helps with the breach lifecycle, increased by five percentage points since last year, from 65% to 70%.
Zero trust also helped organizations save nearly $1 million in average breach costs compared to organizations that didn’t have zero trust deployed. A mature zero trust deployment (as opposed to mid- or early stages) was associated with $1.5 million lower breach costs than breaches at organizations with early adoption of zero trust.
Similarly, mature cloud security helped organizations cut down the cost of data breaches to $3.87 million compared to early stage ($4.53 million), mid-stage ($4.39 million), and those who haven’t started ($4.39 million).
Other security technologies that, according to IBM, have decreased data breach costs are lifecycle extended detection and response (XDR), incident response, multi-factor authentication, and identity and access management (IAM).
However, organizations with remote working employees had higher data breach costs. The average total cost of a data breach was approximately $1 million higher when remote work was a factor in causing the data breach.
Meanwhile, just 38% of organizations said their security teams were sufficiently staffed to meet their security management needs, leading to a lower-than-average ($4.01 million) cost per data breach. The 62% of respondents who said they weren’t sufficiently staffed suffered $4.51 million in data breach costs.
IBM’s full 2022 Cost of Data Breach report is available here.
Note: The 2022 Cost of Data Breach report is based on real-world data breaches suffered by 550 organizations engaged in 17 different industries across 17 countries and regions between March 2021 and March 2022. IBM commissioned Ponemon Institute for the research, interviewing 3,600 employees from 550 organizations.