The global average cost of data breaches reached an all-time high of US$4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60 per cent of the breached organisations raised product and services prices due to the breaches.
The annual report, conducted by Ponemon Institute and analysed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022.
According to the report, about 83 per cent of the organisations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.
Cloud and critical infrastructure remain at high risk
The report revealed that ransomware and destructive attacks represented 28 per cent of breaches among the critical infrastructure organisations studied, indicating that threat actors are specifically targeting the sector to disrupt global supply chains. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.
The report also noted that in the US, even a year after the Biden administration issued a cyber security executive order mandating federal agencies to adopt a zero-trust security model, only 21 per cent of critical infrastructure organisations surveyed have done so, raising costs by $1.17 million for those who did not. Seventeen per cent of the critical infrastructure breaches were caused by a business partner being initially compromised.
Cloud computing infrastructure is an even easier target because of its security immaturity, according to the report.
“Forty-three per cent of studied organisations are in the early stages or have not started applying security practices across their cloud environments, observing over $660,000 on average in higher breach costs than studied organisations with mature security across their cloud environments,” it added.
Hybrid cloud, however, has offered a silver lining in digital transformation as organisations adopting hybrid clouds (45 per cent) have witnessed lower breach costs than the ones with a solely public or private cloud model, according to the report.
The breach cost for hybrid cloud averaged $3.8 million, while public clouds recorded $5.02 million and private clouds $4.24 million in breach costs.
Overall, 45 per cent of the breaches occurred in the cloud, making cloud architecture the most sought-after target. Forty-three per cent of the organisations said they are either still in the early stages or have not started implementing security solutions to protect their cloud infrastructure.
While compromised credentials were the leading cause of data breaches among companies surveyed (at 19 per cent), phishing — in second place at 16 per cent — has emerged as the costliest, leading to $4.91 million in average breach costs for responding organisations, the report underlined.
Healthcare sector hit hardest by breach costs
For the last 12 years, healthcare has been, and continues to be, the industry hit hardest by the cost of breaches, with average costs per breach increasing by $1 million to a record total of $10.1 million.
According to the report, businesses that paid threat actors' ransom demands saw $610,000 less in average breach costs compared to those that chose not to pay — not including the ransom amount paid.
However, when accounting for the average ransom payment, which according to Sophos reached $812,000 in 2021, businesses that opt to pay the ransom could net higher total costs — all while inadvertently funding future ransomware attacks with capital that could be allocated to remediation and recovery efforts. Organisations suffering data breaches could also be looking at costs of federal offences.
Among concerning factors, 62 per cent of the surveyed organisations stated they are not sufficiently staffed to meet their security needs, averaging $550,000 more in breach costs than those that state they are sufficiently staffed. Implementing security artificial intelligence (AI) and automation has helped reduce costs by $3.05 million on average, the report added.