The global average cost of a data breach has reached an all-time high of $4.35 million, according to IBM Security's annual Cost of a Data Breach Report.
With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organizations raised their product or service prices due to the breach, at a time when the cost of goods is soaring worldwide amid inflation and supply chain issues.
Based on an in-depth analysis of real-world data breaches experienced by 550 organizations globally between March 2021 and March 2022, the report was conducted by the Ponemon Institute and analyzed by IBM Security.
The report reveals four key findings.
1. Critical Infrastructure Lags in Zero Trust
Almost 80% of critical infrastructure organizations studied don't adopt zero trust strategies, seeing average breach costs rise to $5.4 million — a $1.17 million increase compared to those that do. Meanwhile, 28% of breaches amongst these organizations were ransomware or destructive attacks.
Critical infrastructure is particularly attractive to attackers who believe their victims will see payment of a ransom as the shortest path to restored operations, says Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Center. "While zero trust technologies offer significant promise, the reality is that critical infrastructure systems have a significantly longer lifespan than most other software. Overlaying a relatively new paradigm on top of what might arguably be a legacy architecture may not always be feasible," says Mackey. "This is where continuous monitoring for abnormal events identified based on comprehensive threat models can help, as can the creation of incident response plans that are also informed by those same threat models."
2. It Doesn't Pay to Pay
Ransomware victims in the study that opted to pay threat actors' ransom demands saw only $610,000 less in average breach costs compared to those that chose not to pay — not including the cost of the ransom. Factoring in the high cost of ransom payments, the financial toll may rise even higher, suggesting that simply paying the ransom may not be an effective strategy.
It is interesting to see the cost difference between ransomware victims who chose to pay and those who chose not to, says Nicole Hoffman, Senior Cyber Threat Intelligence Analyst at Digital Shadows. "Those who pay are often targeted again within months of the original attack, which would increase financial losses significantly," Hoffman explains. "These factors are important to consider when making the challenging business decision of whether or not to pay. For these reasons, prevention is important, but cyber resiliency is key."
3. Security Immaturity in Clouds
Forty-three percent of studied organizations are in the early stages of applying security practices across their cloud environments or have not started, and they incurred over $660,000 more in breach costs on average than studied organizations with mature security across their cloud environments.
4. Security Artificial Intelligence and Automation Lead as Multi-Million Dollar Cost Saver
Participating organizations fully deploying security AI and automation incurred $3.05 million less on average in breach costs compared to studied organizations that have not deployed the technology — the most significant cost saver observed in the study.
In addition, the report revealed that phishing has become the costliest breach cause, healthcare breach costs have hit double digits for the first time, and most organizations are not sufficiently staffed to meet their security needs.
For the full report, visit ibm.com.