According to IBM’s Cost of a Data Breach report, 2023 set an all-time high record with the global average data breach cost reaching $4.45 million, a 2.3% increase from 2022 and a 15.3% from 2020.
The 2023 research, conducted independently by Ponemon Institute and sponsored, analyzed and published by IBM Security, studied 553 organizations impacted by data breaches that occurred between March 2022 and March 2023.
The results indicate organizations are going to have to spend money on security to save money on cyberattacks.
When breaches were detected by an organization’s own security teams or tools, it saved money and limited damage. Only one-third of companies surveyed discovered the data breach through their own security teams. About 67% of breaches were reported by a benign third party or by attackers. When attackers disclosed a breach, it cost organizations nearly $1 million more per incident than internal detection. Identifying and containing a breach disclosed by an attacker required a mean time of 320 days, 80 additional days compared to breaches identified internally and 47 days longer than breaches identified by a benign third party.
Involving law enforcement in a ransomware attack also saved money and shortened the lifecycle of the breach. Organizations that didn’t involve law enforcement in a ransomware attack incurred an additional $470,000 in expenses on average. About 63% of respondents said they involved law enforcement. The 37% that didn’t involve law enforcement paid 9.6% more and experienced a 33-day longer breach lifecycle.
Artificial intelligence can also help reduce cyberattack costs. Organizations that used security AI and automation capabilities extensively within their approach experienced, on average, a 108-day shorter time to identify and contain the breach. These organizations also reported $1.76 million lower data breach costs compared to organizations that didn’t use security AI and automation capabilities.
While greater security and detection save money and limit exposure, only 51% of organizations surveyed plan to increase security investments following a breach, focusing on incident response (IR) planning and testing, employee training, and threat detection and response technologies. Organizations that reported high levels of IR planning and testing saved $1.49 million over the year compared to those reporting low levels.
Despite the growing overall expense of cyberattacks, lost business costs hit a five-year low. In 2022 and 2023, detection and escalation costs were the costliest category of data breach expenses, increasing from $1.44 million in 2022 to $1.58 million in 2023. These detections and escalation expenses indicate a shift toward more extended and complex breach investigations, including forensic and investigative activities, assessment and audit services, crisis management and communications to executives and boards.
Cloud environments were frequent targets for cyber attackers in 2023, comprising 82% of reported attacks in public, private, or multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than-average cost of $4.75 million.
In the end, it’s customers and consumers who pay the price. The majority (57%) of respondents indicated that data breaches led to increased pricing of their business offerings, passing on costs to consumers. In the 2022 report, 60% of respondents said they increased prices to offset cyberattack expenses.