IBM Security today released its annual Cost of a Data Breach 2022 Study, which reveals that the cost of a data breach is higher and more consequential than ever before, with the average cost of a data breach reaching a new high of $4.35 million for the companies surveyed.
With the cost of IT security incidents rising nearly 13 percent over the past two years, according to the report, these incidents could also be contributing to rising costs for goods and services. In fact, 60 percent of companies surveyed raised their prices for products or services due to a security incident, at a time when manufacturing costs are already skyrocketing globally due to inflation and supply chain issues.
The steady increase in cyberattacks also demonstrates the “profound impact” data breaches have on businesses. IBM’s study shows that 83 percent of the companies surveyed have experienced more than one security incident during their existence. Another factor that only becomes apparent over time is the aftermath of data security breaches on these companies, long after they have occurred. For example, nearly 50 percent of the cost of a data breach occurs more than a year after the fact.
- Cost of a Data Breach
- Overconfidence in critical infrastructure companies
- Companies that pay ransom get nothing out of it
- Hybrid cloud advantage
Cost of a Data Breach
The Cost of a Data Breach 2022 Study is based on a comprehensive analysis between March 2021 and March 2022 of real-world security incidents at 550 companies worldwide. The research, funded and analyzed by IBM Security, was conducted by the Ponemon Institute. Several key findings emerged:
Zero trust lagging in critical infrastructure:
Nearly 80 percent of critical infrastructure organizations surveyed do not employ zero trust strategies; their average data breach cost rose to $5.4 million, $1.17 million more than for those that do employ zero trust. At these companies, 28 percent of data breaches were ransomware or destructive attacks.
Pay up, don’t pay out:
Ransomware victims in the study who complied with extortionists’ demands incurred on average only $610,000 less in security incident costs than those who did not pay, before accounting for the ransom itself. Once the ransom payment is added, the total financial burden can become even higher, suggesting that paying the ransom alone may not be an effective strategy.
Cloud security vulnerabilities:
43 percent of organizations surveyed are in the early stages of implementing security measures in their cloud environments or have not even begun. Their average security incident cost was more than $660,000 higher than that of surveyed companies with mature security in their cloud environments.
AI and automation in security bring cost savings of several million US dollars:
Surveyed companies using AI and automation for security saw an average of $3.05 million less in data breach costs compared to companies not using the technology, the largest cost savings observed in the study.
“Companies need to get ahead of attackers on security issues. It’s time to prevent attackers from achieving their goals and minimize the impact of attacks. The more organizations try to perfect their IT perimeter instead of investing in early detection and response capabilities, the easier it is for security incidents to drive up the cost of living” said Charles Henderson, Global Head of IBM Security X-Force. “This report shows that the right strategies combined with the right technologies make all the difference when organizations are under attack.”
Overconfidence in critical infrastructure companies
Over the past year, concerns about critical infrastructure as a target for attack appear to have increased globally, and many government cybersecurity agencies are urging vigilance against disruptive attacks. In fact, IBM’s report shows that ransomware and disruptive attacks accounted for 28 percent of data breaches at the critical infrastructure companies it studied, highlighting how threat actors seek to disrupt the global supply chains that depend on these companies. These include companies in the financial services, industrial, transportation, and healthcare sectors, among others.
Despite the call for caution, and a year after the Biden administration issued an executive order on cybersecurity that centers on a zero-trust strategy to strengthen national cybersecurity, only 21 percent of critical infrastructure companies surveyed use a zero-trust security model, according to the report. In addition, 17 percent of security incidents at critical infrastructure companies resulted from a business partner being attacked first, highlighting the security risks that an overly trusting environment poses.
Companies that pay ransom get nothing out of it
According to IBM’s 2022 study, companies that complied with extortionists’ ransom demands had on average only $610,000 lower data breach costs than those that did not pay, not including the ransom itself. Once the average ransom payment is factored in, which reached $812,000 in 2021 according to Sophos, companies that chose to pay may have ended up with higher overall costs. In doing so, they also inadvertently funded future ransomware attacks with capital that could have gone to remediation and recovery efforts, while still risking regulatory penalties.
The persistence of ransomware is amplified by the industrialization of cybercrime, despite significant global efforts to stop it. IBM’s Security X-Force found that the duration of ransomware attacks has decreased by 94 percent over the past three years for the organizations it studied – from more than two months to just under four days.
These exponentially shorter attack lifecycles can lead to attacks with greater impact, as cybersecurity incident managers have very short windows of opportunity to detect and contain attacks. With “time to ransom” reduced to a matter of hours, it is important that organizations prioritize rigorous testing of incident response (IR) playbooks in advance. However, the report states that up to 37 percent of organizations surveyed that have incident response plans in place do not test them regularly.
Hybrid cloud advantage
The study also found that hybrid cloud is the most common infrastructure model (45 percent) among the companies surveyed. At an average security incident cost of $3.8 million, organizations with a hybrid cloud model recorded lower costs than organizations with a purely public or purely private cloud model, which averaged $5.02 million and $4.24 million, respectively. The hybrid cloud users studied were also able to detect and contain security incidents an average of 15 days faster than the global average of 277 days.
The report highlights that 45 percent of the data breaches investigated occurred in the cloud, underscoring the importance of cloud security. However, 43 percent of reporting organizations said they are in the early stages of implementing security measures to protect their cloud environments or have not even begun.
This results in higher costs of a security incident. Surveyed organizations that have not implemented security procedures in their cloud environments took an average of 108 days more to detect and contain a data breach than organizations that consistently apply security measures across the board.