10 statistics that show the cost of a data breach to companies
Beyond Identity collected figures and statistics from IBM's 2022 Cost of a Data Breach Report to understand how data breaches impact companies and consumers.
How many businesses are ready to pony up several million in additional expenses this year? If history is any indicator, hundreds of companies will need to face the reality of cleaning up after a data breach before this time next year.
While a data breach costs a company millions on average, the toll can extend even further than just cleanup. Beyond Identity collected figures and statistics from IBM's 2022 Cost of a Data Breach Report to understand how data breaches impacted companies and consumers. For the report, IBM conducted more than 3,000 interviews at 550 organizations that experienced a data breach.
A breach can cost the affected business $4.1 million on average globally. A data breach in the U.S. costs $9.44 million on average—the highest of any country in the world.
Billions of dollars in investments poured into cybersecurity startups in 2020, as companies began allowing employees to work from home for public health reasons. Demand for remote authentication rose as more workers logged in from multiple locations. Investors weren't just betting on a remote work future—the case for heightened IT security had already been made prior to the pandemic.
The number of companies hit by hackers looking to steal data increased significantly during the decade preceding COVID-19's arrival in the U.S.—and that trend is continuing. With less than five months remaining, 2022 is already shaping up to be a marquee year for cyberattacks.
Remediation of servers and IT equipment after a breach can be costly. A data breach can also trigger government fines and legal fees in addition to actual costs. ut businesses also have to quantify the intangible losses to their reputations that could spread from a data breach.
If a thief gets away with intellectual property, the targeted business could lose its competitive edge in the market. The theft could also cause a loss of revenue for months or even years afterward. Data breaches impact a company's brand as well. Minneapolis-based retail giant Target not only had to pay an $18.5 million settlement as a result of its infamous breach of credit card data in 2013, but it also had to worry about the subsequent damage to its reputation that executives pointed to for slumping sales.
The costs that accrue from these attacks are myriad, and companies' vulnerabilities are only increasing as more businesses move operations online and to the cloud. With tensions between the U.S. and countries like Russia, North Korea, and China heating up, threat levels will likely remain heightened. U.S. House Rep. Nancy Pelosi's visit to Taiwan recently triggered cyberattacks said to have originated in China. And Iran and entities related to the Islamic Republic have been conducting ransomware attacks against U.S. organizations since late 2020, according to cybersecurity firm CrowdStrike's latest report on global cyberthreats.
83% of organizations reported more than one data breach
A majority of the organizations that experienced a data breach last year experienced multiple breaches, IBM's latest report reveals, and recurrence of data breaches is likely to increase.
The report also suggests that as workplaces have moved out of the office and into homes, organizations have become more vulnerable to recurring attacks. Tech giants like Yahoo, Amazon, and Facebook have experienced repeated data breaches over the past decade.
Attackers don't just use malware, but also social engineering. In some repeated breaches, vulnerabilities that weren't detected and patched in the initial attack were exploited again. In others, the attacker was able to manipulate workers—if the current or ex-worker isn't the attacker—to gain access to IT systems.
The average cost of a data breach was $4.35 million
The average cost of a data breach has jumped since the turn of the decade. IBM's 2020 report calculated an average cost of $3.86 million—the most current data reflects an increase of 12.7%. The cost was lowest among public sector organizations and highest for health care organizations. Health care businesses have suffered some of the most wide-reaching data breaches exposing millions of peoples' sensitive records, including in some cases Social Security numbers.
The average cost of a ransomware attack was $4.54 million
The average cost globally of a ransomware attack was $4.54 million in 2022, per IBM. The total figure doesn't include the cost of the payment made to the culprits demanding the ransom. The cost of this kind of data breach is just slightly higher than the overall average cost of all data breaches.
A 2022 study by Cyberseason suggests that the majority of companies that suffer ransomware attacks pay a ransom fee to the attacker. Experts deem paying a ransom futile. Most attackers will return demanding a second ransom, because the victim was willing to pay the first time.
The FBI does not condone paying ransom fees, and warns that doing so doesn't guarantee data will be recovered. Even after being paid the ransom, attackers can maintain copies of stolen information, and sell it for additional profit. Unfortunately, a faceless cybercriminal is not beholden to contracts or agreements. A business may not know the data has been sold until user data emerges later or is exploited for further social engineering to steal employee identities.
Data breaches cost the health care industry $10.1 million—the highest of any field
No sector of the U.S. economy is more targeted than the health care industry. And for good reason—the health care industry maintains databases full of sensitive information that can be useful to criminals looking to steal identities. Hospitals are also critical infrastructure, privatized in the U.S., and remain a target for ideologically motivated foreign adversaries looking to disrupt Americans' way of life.
The sector has led the ranking of costliest data breaches for the last 12 years IBM has performed its study. In 2022, there were at least 395 documented attacks on health care institutions in the U.S., according to the U.S. Department of Health and Human Services.
Health systems based in Texas, Arizona, and Massachusetts have suffered data breaches that have impacted millions of consumers.
60% of organizations increased consumer prices due to a data breach
Attacks on private sector businesses aren't just a problem for companies—they're a headache for consumers as well.
Since breaches can be costly to recover from, a majority of businesses say they've raised the price of their product or services, passing a portion of the cost on to their customers. And with government-measured inflation at a 40-year high, consumers are already feeling the squeeze elsewhere in their lives.
On average, it took 207 days to identify a data breach and 70 more to contain it
Data suggests that the quicker a data breach is contained, the cheaper it will be to remediate and recover. The length of time between the breach occurring and when it is identified and contained is referred to as the data breach lifecycle.
An organization can trim nearly $1 million from the costs associated with a data breach if it's contained within 200 days, according to IBM data collected from 2016 to 2022.
Stolen account credentials take the longest time to identify
A breach that involves stolen account credentials took 327 days on average to identify and contain in 2022, according to IBM. Breaches originating this way are also the fourth-most expensive type of data breach to contain and remediate, just behind those that originate from third-party software vulnerabilities, compromised business emails, and phishing attempts.
Breaches cost about $1 million more for companies that had a large share of remote employees
Security comes at a cost. Various companies and services charge top dollar for products advertised to help businesses monitor and remediate cyber intrusions. While some might hesitate at the price for such services, a breach can wind up costing much more. That's especially true for companies that have leaned into the growing trend of remote work, IBM's latest study shows.
The percentage of employees working remotely had an impact on the ultimate costs of data breaches. The cost of a data breach for a company where 1 in 5 workers work remotely averaged $3.99 million in 2022. A data breach at a company where more than 81% of employees work remotely costs $5.1 million on average, according to IBM.
Where there was once a centralized office and office-based network to protect, many organizations now have to think about each home network and device their employees are accessing for their jobs when developing a security plan.
Mega breaches cost between $50 and $387 million on average
A mega breach, or one in which 1 million or more records are compromised, can saddle a company with tens of millions in additional costs.
These massive attacks occur less often and vary widely in cost. A mega breach involving up to 10 million lost documents costs organizations $49 million on average in 2022, down slightly from the previous two years, per IBM's tracking. That figure jumped to $387 million on average in 2022.
Almost 1 in 5 breaches were caused by stolen or compromised logins
Stolen login details are still the most common cause of a data breach. This is when the attacker obtains access to data either by purchasing stolen credentials on the black market or stealing them through phishing schemes or other methods.
Ever wanted to find out whether any of your credentials have been compromised in a breach? There's a free tool for that called "Have I Been Pwned?"
This story originally appeared on Beyond Identity and was produced and distributed in partnership with Stacker Studio.