Average Data Breach Cost Hits All-Time High of $4.4M: IBM

According to IBM's annual Data Breach report, the average cost of a data breach has reached an all-time worldwide high of $4.45 million, up 2.3% from 2022 and 15.3% since 2020.

Source: Advisen | Published on July 25, 2023

While the average cost of a breach in the 16 nations included in IBM’s survey of 553 firms this year is $4.45 million, breaches in the United States cost significantly more than the average. According to the research, the U.S. average in 2023 is $9.48 million.

The average cost of a breach in the healthcare industry increased 53.3% within the same period, according to IBM’s 2023 research. This is the 13th year in a row that the healthcare industry has recorded the highest average breach cost, which is now $10.93 million.

The average cost per breached record ticked up slightly to a new high as well – up to $165 per record from $164 one year ago. This has jumped from $146 in 2020, IBM noted. The survey assessed breach events with a range of 2,200 to 102,000 records.

In its survey, the firm highlighted breach investigation tactics that could either reduce costs or increase them. For example, organizations that didn’t call in law enforcement during ransomware attacks experienced an extra $470,000 in costs on average and faced longer recovery times.

“While 63% of respondents said they involved law enforcement, the 37% that didn’t also paid 9.6% more and experienced a 33-day longer breach lifecycle,” IBM noted. Longer breaches in general produce higher-than-average costs – events stretching over 200 days cost $4.95 million on average while those at fewer than 200 days cost 23% less at $3.93 million.

Threat detection costs appeared to be driving the average breach cost, rising 42% in the last three years, according to the report, suggesting cyber event investigations have become more complex. Just one in three respondents said their own security teams detected breaches – it was far more likely (67%) for third parties or attackers themselves to reveal intrusions. Organizations also faced nearly $1 million in extra costs when cyber threat actors disclosed breaches.

Cyberattackers also showed increasing preference for infiltrating the cloud – 82% of the breaches evaluated involved cloud data in public, private, or hybrid environments. When threat actors were able to access more than one environment, breach costs skewed even higher, up to an average of $4.75 million.

Despite higher costs, just 51% of organizations said they planned to increase their cybersecurity spend. Instead, more than half (57%) said they would pass the costs through to customers. Nearly all (95%) surveyed organizations had experienced more than one breach.

One area where organizations may want to invest more is in artificial intelligence tools to help detect breaches. Businesses leveraging AI and automation tools extensively in their networks identified and contained breaches, on average, 108 days quicker than their less tech-forward counterparts and saw average costs that were $1.76 million lower than other organizations.

“Time is the new currency in cybersecurity both for the defenders and the attackers. As the report shows, early detection and fast response can significantly reduce the impact of a breach,” said Chris McCurdy, general manager, worldwide, IBM Security Services, in a statement. “Security teams must focus on where adversaries are the most successful and concentrate their efforts on stopping them before they achieve their goals. Investments in threat detection and response approaches that accelerate defenders’ speed and efficiency – such as AI and automation – are crucial to shifting this balance.”