According to the 2023 Data Breach Cost Report published by IBM and the Ponemon Institute, the average cost associated with a data breach has reached a record high, standing at US$ 4.45 million. This marks a 2% increase compared to the previous year when it was US$ 4.35 million.
The research conducted by the Ponemon Institute and IBM Security encompasses an extensive range of cost components, which include factors like reputational damage, customer turnover, reduced employee productivity, as well as expenses related to legal, regulatory, and technical mitigation measures.
The findings are drawn from a comprehensive dataset, comprising over 3,600 interviews and encompassing 550 data breaches occurring across 17 different countries and 17 various industries.
In this article, we aim to present the primary insights from this research to aid you in aligning your data security and breach prevention strategies with the primary risk factors highlighted in the report.
Data Breach Statistics At A Glance
Average total cost of a data breach in 2023 – USD 4.45 million
Per-record cost of a data breach – USD 165 per record
Average data breach lifecycle – 277 days in 2023
What Is The Average Total Cost Of A Data Breach?
The global average cost of a data breach reached USD 4.45 million in 2023, an all-time high.
When compared to the USD 4.35 million cost in 2022, this implies an increase of 2.3%.
Looking at the average cost over the long run, it has climbed 15.3% from the USD 3.86 million reported in 2020.
What Is The Cost Of A Data Breach Per-Record?
In 2023, the average cost per record involved in a data breach was USD 165, a small increase from the 2022 average of USD 164.
This is consistent with the minimal growth between 2021 and 2022 when the price only increased by USD 3. The most significant increase in average per-record prices over the last seven years occurred between 2020 and 2021 when the average increased by 10.3% from USD 146 to USD 161.
This study looked at data breaches involving 2,200 to 102,000 records.
What Are Some Extra Costs Of Data Breaches?
According to the study, organizations that did not involve law enforcement in a ransomware attack incurred USD 470,000 in additional costs.
37% of ransomware victims chose not to request law enforcement assistance in containing a ransomware incident, although those who did generally experienced a less expensive ransomware breach.
When law enforcement was not involved, the average cost of a ransomware breach was USD 5.11 million, versus USD 4.64 million when it was involved, a difference of 9.6% or USD 470,000.
What Is The Cost Of A Data Breach By Industry?
Healthcare continues to have the largest data breach costs of any industry, rising 8.2% from USD 10.10 million in 2022 to USD 10.93 million in 2023.
Over the last three years, the average cost of a data breach in healthcare has increased by 53.3%, rising by more than USD 3 million from USD 7.13 million in 2020.
The top five most costly data breaches by industry underwent some changes from last year’s rankings. Technology dropped out of the top five, while the industrial sector increased by 5.8%, moving from seventh to fifth place. Manufacturing is the industry most frequently attacked by cybercriminals, according to IBM threat intelligence.
What Is The Cost Of A Data Breach Per Country?
The average total cost of a data breach in the United States was USD 9.48 million, up 0.4% from USD 9.44 million last year.
The Middle East had the second-highest average total cost of a data breach, at USD 8.07 million, up 8.2% from USD 7.46 million the previous year.
The average total cost of a data breach in Canada fell by 9%, from USD 5.64 million to USD 5.13 million.
In Germany, the average cost fell from USD 4.85 million to USD 4.67 million, a 3.7% decrease.
The average in Japan fell slightly, from USD 4.57 million to USD 4.52 million, or 1.1%.
Japan is the only country in this year’s top five that did not appear on the 2022 top five list, moving up from the sixth most expensive spot last year. Last year, the United Kingdom (UK) was also in the top five, with an average data breach cost of USD 5.05 million.
What Is The Cost Of A Data Breach Per Company Size?
The average impact of a data breach increased from USD 2.92 million to USD 3.31 million, or 13.4%, in organizations with fewer than 500 employees.
Those with 500-1,000 employees experienced a 21.4% increase, from USD 2.71 million to USD 3.29 million.
The average cost of a data breach increased by nearly 20% in the 1,000-5,000 employee range, from USD 4.06 million to USD 4.87 million.
Respondents reported an average cost of USD 5.46 million in the 10,001-25,000 range, a 1.8% decrease from the USD 5.56 million reported in 2022.
Organizations with more than 25,000 employees saw their average cost fall from USD 5.56 million in 2022 to USD 5.42 million in 2023, a 2.5% decrease.
Which Data Gets Breached The Most?
Of all record types, customer and employee personally identifiable information (PII) was the costliest and most common type of record to be compromised.
Customer PII such as names and Social Security numbers cost organizations USD 183 per record in 2023, while employee PII cost USD 181 per record. Anonymized customer data was the least expensive record type to have been compromised, costing organizations USD 138 per record in 2023.
Customer PII was the most commonly breached record type in 2023, as it was in 2022 and 2021. Customer PII was involved in 52% of all breaches. This is a five-point increase from 2022, when customer PII accounted for 47% of all data compromised.
What Is The Average Data Breach Lifecycle?
The average data breach lifecycle for 2023 was 277 days.
To understand what the data breach lifecycle is, it is important to understand the following metrics:
– Data breach lifecycle: the period from when the breach is first discovered to when it is effectively controlled and contained.
– Time to identify: the time, in days, it takes to discover an incident.
– Time to contain: the time, in days, it takes an organization to resolve the situation and restore service after the breach has been detected.
A shorter data breach lifecycle of less than 200 days costs an average of USD 3.93 million, while a longer lifecycle of more than 200 days costs an average of USD 4.95 million. This represents a 23% difference and USD 1.02 million cost savings for the shorter lifecycle.
Looking back over the previous years, the average cost of a data breach based on the 200-day lifecycle has remained relatively consistent, although changing incrementally.
The 2023 value of USD 3.93 million increased by 5.1% from the previous year’s average cost of USD 3.74 million for a data breach lifecycle of less than 200 days.
The 2023 value of USD 4.95 million for a data breach lifecycle of more than 200 days increased 1.9% from the previous year’s average cost of USD 4.86 million.
What Are The Most Common Causes Of Data Breaches?
Phishing and stolen or compromised credentials were the two most common initial causes of data breaches.
Phishing and stolen or compromised credentials were responsible for 16% and 15% of breaches, respectively, with phishing overtaking stolen credentials, which had been the most common vector in the 2022 report.
The initial vector for 11% of attacks was cloud misconfiguration, followed by business email compromise at 9%.
How To Lessen The Impact of Data Breaches?
According to IBM’s 2023 Cost Of A Data Breach Study, organizations that showed high levels of DevSecOps adoption experienced cost savings of USD 1.68M.
In 2023, integrated security testing in the software development process (DevSecOps) demonstrated a significant ROI. When compared to organizations with low or no DevSecOps adoption, those with high adoption saved USD 1.68 million. DevSecOps demonstrated the greatest cost savings when compared to other cost-cutting factors.
Additionally, those organizations that showed high levels of Incident Response (IR) planning and testing achieved cost savings of USD 1.49M and they also identified breaches 54 days faster than organizations that didn’t have Incident Response planning and testing measures.
In that sense, Incident Response planning and testing has emerged as a highly effective tactic for containing the cost of a data breach, in addition to being a priority investment for organizations.
Does AI Help Detect Data Breaches?
The study found that extensive use of security AI and automation delivered cost savings of nearly USD 1.8 million.
Organizations that used security AI and automation extensively showed the greatest cost savings, with an average data breach cost of USD 3.60 million, which is USD 1.76 million (39.3%) less than organizations with no use.
Even firms with modest use of security AI and automation saw an average data breach cost of USD 4.04 million, which is USD 1.32 million (28.1%) less than organizations with no use.
Organizations that did not utilize security AI and automation, on the other hand, paid an average of USD 5.36 million for a data breach. This is 18.6% higher than the average cost of a data breach in 2023, which is USD 4.45 million.
What’s New In This Report?
For the first time, the study looked at how collaborating with an MSSP affected the time it took to detect and contain a breach. MSSPs can assist organizations in improving their security posture without increasing headcount or investing in internal resource training.
According to the 2023 report, organizations with an MSSP were able to detect and contain breaches 80% faster than those without.
Organizations that worked with an MSSP identified breaches 16 days faster, or 8.2% faster, than the global average of 204 days reported in 2023. Those who did not partner with an MSSP took 28 days, or 12.8% longer.
Recommendations To Help Lessen The Impact Of A Data Breach
In this age of advanced technology and complex software, it’s crucial to keep your data safe from potential breaches. Here are some simple steps you can take:
Integrate Security into Software Development
– Ensure that security is a top priority during the development of any software.
– Regularly test the software to identify and fix potential vulnerabilities.
Embrace DevSecOps Approach
– DevSecOps is a modern approach that focuses on integrating security into the development process.
– It’s a cost-effective way to protect your organization from data breaches.
Prioritize Security in Off-the-Shelf Software
– Don’t overlook the security of commercial off-the-shelf software that you use.
– Make sure it meets the necessary security standards.
Secure by Design and Secure by Default
– Ensure that security is considered right from the start of any digital transformation project.
– Don’t wait to address security issues after the fact.
Apply Security Principles to Cloud Environments
– If you use cloud services, apply the same security principles to protect user data and minimize risks.
Regular Application Testing
– Conduct testing from an attacker’s perspective to identify vulnerabilities.
– Fix any vulnerabilities to prevent potential breaches.
Remember that no software can ever be completely secure, and adding new features can introduce new risks. Regular testing is essential to stay ahead of potential threats and keep your data safe.