IBM Cost of a Data Breach Report 2022 Comes to Shocking Conclusion

Each year IBM works with Ponemon Institute to research breaches across several sectors of the economy. For the 12th consecutive year, healthcare breaches had the highest price tag. According to the IBM Cost of a Data Breach Report 2022, the average cost of a healthcare data breach has skyrocketed to $10.1 million. This is an increase of 9.4% from 2021 and an astronomical increase of 41.6% compared to 2020.

IBM Cost of a Data Breach Report 2022

How did the Cost of a Data Breach Report 2022 draw its conclusions? The conclusions drawn by the report were based on a study that surveyed 550 organizations across 17 industries. These organizations suffered data breaches between March 2021 and March 2022.

Of the organizations surveyed, 83% had experienced multiple breaches. To deal with the costs associated with these breaches, 60% of organizations had to increase the price of their product or service.

Costs Associated with Breaches

While there are many costs associated with breaches, the following contributed to the highest costs:

  • Detection and escalation: $1.44 million
  • Lost business: $1.42 million
  • Post-breach response: $1.18 million
  • Notification costs: $0.31 million

Many organizations fail to realize that the costs of recovering from a data breach can be ongoing. This is especially true in highly regulated industries such as healthcare. According to the report, 45% of costs for healthcare businesses are incurred in the first year, 31% in the second, and 24% beyond two years. This cost over time can be attributed to legal and regulatory costs in healthcare (HIPAA).

Cost by Type of Incident

There were several types of incidents explored in the study. Phishing attacks had the highest breach cost at $4.91 million and accounted for 16% of incidents. The most common type of incident resulted from stolen login credentials, accounting for 19% of incidents and costing an average of $4.5 million.

  • Ransomware attacks: cost $4.54 million (not including the cost of the ransom payment) and accounted for 11% of breaches 
  • Business email compromise attacks: cost $4.89 million and accounted for 6% of breaches
  • Cloud misconfigurations: cost $4.14 million and accounted for 15% of breaches
  • Vulnerabilities in third-party software: cost $4.55 million and accounted for 13% of breaches

A large portion of breached organizations reported that the incidents occurred in the cloud (45%). Organizations that used a public cloud, rather than a hybrid cloud, saw higher breach costs. 43% of organizations reported that they were still migrating their data to the cloud and therefore had not implemented security measures to secure their data. Organizations further along in cloud adoption reported $0.66 million less in breach costs than those in the early stages of cloud adoption.

Breach Detection and Response

Quick breach detection and response are crucial to limiting the damage and costs associated with breaches. While the average time it took to detect a breach decreased in 2022 (207 days compared to 212 days in 2021), organizations can still do better. The time it took to contain a breach also decreased in 2022, taking on average 277 days.

However, data breaches with shorter lifecycles can cost an organization significantly less. Breach lifecycles shorter than 200 days ultimately equate to a 26.5% reduction in cost, or $1.12 million less.

What Contributed to Lower Costs?

There are several ways in which an organization can lower the costs associated with breaches. One of the most significant reductions was seen by organizations that had adopted a zero trust security strategy. These organizations paid an average of $1.17 million in breach costs. However, more than half of surveyed organizations (59%) had not implemented a zero trust security strategy.

Other ways organizations can lower breach costs include:

  • Deploying security automation and AI: saving $3.05 million
  • Implementing incident response teams with a tested plan: saving $2.66 million
  • Using mature cloud security practices: saving $720,000
  • Being fully staffed: saving $550,000
  • Using extended detection and response technology: reducing response time by 29 days
