Average Cost of a Data Breach

Authored by Ron Cadwell, founder and CEO of phoenixNAP. Prepared for publishing by the Editorial team.

Data breaches have become a global and ever-growing threat, with high-profile incidents regularly making the headlines. Unfortunately, breaches also have a financial cost beyond just making the news and damaging reputations.

According to the latest IBM report, the average total cost of a data breach reached an all-time high of $4.35 million in 2022, up 2.6% compared to the previous year and 12.7% from 2020. Therefore, we must acknowledge and address the impact of data breaches.

In this article, we will explore the factors contributing to the hefty price tag that comes with data breaches and how these losses can be mitigated.

What Is the Cost of a Data Breach?

The average cost of a data breach is $4.35 million. However, no two breaches are the same, and calculating a price tag is a complex and multifaceted task. The number can vary widely depending on several factors, such as the size and industry of the affected organization, the type of data that was compromised, and the victim’s location.

United States

The United States has maintained its position as the country with the highest data breach cost for 12 consecutive years. With a $9.44 million average, the typical data breach in the United States is $5.09 million more expensive than the global average.

One of the main reasons data breaches in the USA are generally more expensive is the market size. As the USA has a much larger population than most other countries, it has more potential victims and higher remediation costs.

Another factor is the complex and continuously evolving set of data protection regulations at both the federal and state levels. Companies that suffer data breaches are fined and penalized for noncompliance, adding to the costs of a breach. Finally, the litigious culture in the USA means that affected organizations often face legal action from customers or shareholders, leading to high legal fees and settlement costs.

Other Countries and Regions

Data breaches are a global issue and can occur anywhere. However, they are more prevalent in developed countries with a higher concentration of businesses and a greater reliance on digital infrastructure.

On the other hand, less developed regions have fewer digital systems and networks vulnerable to attack. Nevertheless, as they continue to develop and digitize, they too will become more susceptible to cyber-attacks.

Below are countries, aside from the USA, that experience above average losses due to data breaches:

1. The Middle East has several high-value targets for cybercriminals, such as oil and gas companies and financial institutions. The region maintained its position as the second highest in terms of the average total data breach cost, rising 7.6%  in 2021 to reach $7.46 million in 2022. 
2. Canada relies heavily on the technology sector and has strict data protection laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA). Canada ranked third, with an average breach in 2022 costing $5.64 million, an increase of 4.4% compared to the previous year.
3. The United Kingdom houses many large multinational corporations and a thriving SME sector. The country also has some of the strictest data protection laws in the world, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. In 2022, the UK overtook Germany, Japan, and France to become the fourth among the 17 in the ranking. The average total cost of a data breach in the UK rose by 8.1% to reach $5.05 million. 
4. Germany is an industrial powerhouse with robust data protection laws such as the GDPR and the Federal Data Protection Act (BDSG). Germany saw a 0.8% decrease in the average data breach cost, falling to $4.89 million in 2022.
5. Japan has a number of large corporations spanning the technology, automotive, and financial service sectors and particularly stringent data protection laws, including the Protection of Personal Information (APPI) Act. In 2022, Japan experienced a 2.5% decline in the average total data breach cost, which dropped to $4.57 million.

Cost of Data Breach by Industry

The costs of a data breach vary significantly by industry due to various factors, such as the type of data stored and the size and complexity of an organization’s IT infrastructure. For example, industries that process large amounts of sensitive customer data are more likely to experience breaches with severe consequences.

Worryingly, in 2022, 28% of the critical infrastructure organizations surveyed experienced a ransomware attack, while 17% experienced a breach because of a compromised business partner. The average cost of a data breach for critical infrastructure organizations was $4.82 million, that is, 1 million more than the average cost for organizations in other industries.

The healthcare sector was again the hardest hit. At $10.1 million, it retained its position as the industry with the highest average data breach cost for the twelfth consecutive year. Furthermore, healthcare providers experienced a 9.4% surge in breach costs year-over-year and a 42% increase since 2020. 

2022 IBM Cost of Data Breach Report Breakdown

IBM’s annual data breach report is the field’s gold standard, providing the most accurate and comprehensive data on data breaches. The recently published Cost of a Data Breach Report revealed many intriguing insights. 

Here’s a breakdown of the most noteworthy takeaways of the report:

Detection and Escalation Overtake Lost Business Costs

Detection and escalation refer to confirming the breach, assessing its impact, and informing relevant stakeholders. On the other hand, lost business costs represent the financial impact of a decline in customer trust and reputation, which inevitably lead to reduced revenue and difficulty acquiring new customers.

For the first time in six years, detection and escalation overtook lost business costs as the most expensive category. Average detection and escalation costs increased from $1.24 million in 2021 to $1.44 million in 2022, a 16.1% rise. On the other hand, lost business costs fell by 10.7% from $1.59 million in 2021 to $1.42 million in 2022. 

The data suggests that consumers acknowledge the efforts made by companies to safeguard their data and recognize that some data breaches are unavoidable and not solely the responsibility of the companies. Moreover, the increasing costs of detecting and addressing security threats reflect the additional measures taken by organizations to enhance their cybersecurity.

Breached Credentials Remain the Primary Attack Vector

Stolen or compromised credentials remained the most common cause of a data breach and the primary attack vector in 19% of breaches in 2022. Although not the most expensive, with an average cost of $4.50 million, breaches caused by stolen or compromised credentials also had the longest average duration, taking 327 days to detect and contain, 16.6% longer than the average.

Phishing, which accounted for 16% of breaches, was the second most frequent cause and but the most expensive, resulting in an average of $4.91 million in costs.

After phishing, the most expensive type of breach was compromised business emails, resulting in an average cost of $4.89 million. Compromised business emails accounted for 6% of all breaches.

The third most costly breach was due to vulnerabilities in third-party software, with an average cost of $4.55 million.

Ransomware Attacks Increase

In 2022, ransomware attacks accounted for 11% of breaches, an increase from 2021, when 7.8% were ransomware. However, the average ransomware attack cost decreased slightly, from $4.62 million in 2021 to $4.54 million in 2022. This cost was marginally higher than the overall average total data breach cost, at $4.35 million.

On average, organizations that chose not to pay the ransom incurred 13.1% higher costs than those that did. Specifically, the price of a breach for organizations that paid the ransom was $4.49 million. In contrast, organizations that refused to pay had to spend $5.12 million, resulting in a difference of $0.63 million between the two groups.

Factors That Impact Data Breach Costs

The costs of a data breach are impacted by a range of organizational and technological factors that play a crucial role in improving an organization’s cybersecurity posture. Let’s explore the aspects that can easily be improved upon.

Top Money-Saving Factors

Here are several strategies organizations should implement to reduce the costs of a data breach in 2023. 

AI and Automation

Organizations with fully deployed security AI and automation had an average breach cost of $3.15 million. This is almost half of $6.20 million, which organizations without AI security had to shell out.

Additionally, companies with security AI took an average of 74 days less to detect and contain the breach than those without it. In other words, using AI reduced the breach lifecycle from 323 days to 249 days. 

In the last two years, the adoption of security AI and automation has significantly grown, with an increase of nearly 20%. Specifically, the utilization of these technologies increased from 59% in 2020 to 70% in 2022, highlighting the growing importance of AI in safeguarding organizations against data breaches and other security threats.

Zero Trust

Zero trust is an increasingly popular security strategy designed to improve a company’s security posture. Unlike traditional network security models that rely on a perimeter-based approach, where everything inside the network is trusted, zero trust doesn’t automatically trust any user, device, or application, whether they are inside or outside the network. 

Instead, zero trust requires the verification of the identity and security of every user and device before granting access to any resource or data. This approach minimizes the risk of unauthorized access, reduces the attack surface, and detects and mitigates threats more effectively. 

Adopting zero-trust security measures has proven to be a cost-effective strategy in recent years. According to current data, organizations with zero-trust policies saved an average of almost $1 million, with a breach cost of $4.15 million, compared to $5.10 million for organizations without zero trust.

Incident Response Plans

A robust Incident Response (IR) framework is crucial for minimizing the impact of a data breach and maintaining business continuity. Businesses with a dedicated IR team and regularly tested plans reported that data breaches cost them an average $2.66 million less than organizations without an IR team or those that didn’t regularly test their IR plan. The cost savings represent a 58% reduction, with breach costs totaling $3.26 million for companies with a strong IR framework compared to $5.92 million for those without one.

Risk Factors

In 2023, the following factors are poised to be the most significant contributors to financial losses:

Slow Response Time

The financial consequences of a breach are directly proportional to the length of time it remains undiscovered. The latest findings reveal that the average duration of a breach before detection is 277 days. 

Ransomware attacks are the most difficult to identify, taking on average 49 days longer to detect than other breaches. In comparison, supply chain breaches take approximately 26 days longer to discover.

You can improve response times for data breaches by:

1. Developing a robust and clear incident response plan.
2. Conducting regular training and drills to ensure preparedness.
3. Automating detection and response processes wherever possible.
4. Implementing real-time monitoring technologies and alerts.
5. Establishing clear communication protocols among all stakeholders.

Remote Work

On average, breaches involving remote work resulted in costs nearly $1 million greater than breaches where remote work wasn’t a factor — $4.99 million versus $4.02 million. Additionally, breaches related to remote work cost about $600,000 more than the global breach cost average.

Remote work increases data breach costs due to several factors:

• Increased use of personal devices, which are typically less secure than company-issued ones and lack sufficient endpoint security.
• Weaker network security, as remote workers sometimes use public Wi-Fi networks or other unsecured connections to access company systems.
• Greater risk of human error, as remote workers often work in unfamiliar or distracting environments.

Cloud Computing

Approximately 45% of data breaches occurred in the cloud, with hybrid cloud found to be less costly than private or public clouds. Specifically, the average cost of a breach in a hybrid cloud environment was $3.80 million, which was lower than the average costs of $4.24 million and $5.02 million for private and public cloud breaches respectively.

Not only did organizations using a hybrid cloud architecture experience lower breach costs, but they also had shorter breach lifecycles compared to those using only public or private cloud models. 

Reputational Damage

Customer trust is easy to lose and difficult to regain, and one of the most substantial costs of a data breach is the damage it does to a company’s reputation. The impact is usually reflected in changes in its market position as competitors gain a relative advantage.

For example, a data breach can diminish a company’s brand value, leading to a decline in the premium price it commands, higher customer conversion costs, and a loss of market share. The average cost of lost business from a data breach in 2022 was $1.4 million, accounting for 32% of the total cost. 

The impact of a data breach on a public company’s price reflects in its stock price. According to research, companies that experience a data breach can expect a 3.5% decline in their share prices approximately 110 market days after the breach occurs. The long-term effects of a breach on share prices are even more significant, with an average share price decline of 8.6% and underperformance against the NASDAQ by the same amount one year after a breach. The impact on share prices appears to be most significant for tech and finance businesses, while ecommerce and social media companies tend to be less affected. 

It’s worth remembering that the way a company responds to a data breach significantly impacts its reputation and the financial consequences that follow. For example, sweeping the issue under the rug damages customer trust more than the breach itself. On the other hand, proactively disclosing the breach to customers positively impacts their perception of the company’s integrity and commitment to transparency.

Regulations, Litigations, and Fines

Data breaches have direct costs involving response and containment but also potentially hefty legal fines and settlements. Highly regulated industries are particularly vulnerable, as they often face additional penalties from regulatory bodies and are more likely to face legal action from affected individuals. 

Breaches in industries with stringent data protection regulation also tend to incur costs in the years following the breach. This “longtail” effect means that an average of 24% of costs accrue more than two years after the incident. In low regulatory environments, the effect isn’t as pronounced, and costs tend to accrue in the first three to six months. 

Whether paying noncompliance fines, settling class action claims, or covering legal fees, businesses must consider potential regulatory and litigation expenses in their planning. Ultimately, it’s worth remembering that the cost of a data breach will most likely extend beyond the immediate aftermath of the breach itself.

Data Breach Security Measures

Data breaches are a persistent threat in today’s digital landscape, and as much as one tries to prevent them, they are nearly impossible to stop altogether. 

Below are the ten best practices for mitigating the risk of a data breach:

1. Implement a comprehensive security program that includes regular vulnerability assessments and penetration tests.
2. Establish and enforce strong password policies, including multi-factor authentication where possible.
3. Update all software and systems with the latest security patches.
4. Train employees on proper security protocols and provide ongoing security awareness training.
5. Limit access to sensitive data and systems only to those who need it.
6. Encrypt sensitive data both in transit and at rest.
7. Implement monitoring and logging tools to detect unusual activity and potential security breaches.
8. Develop and regularly test your incident response plan to ensure a quick and effective reply to a potential breach.
9. Conduct regular backups of critical data and test the backup and recovery process.
10. Work with trusted vendors and partners who have robust security and privacy practices.

Conclusion 

The average total cost of a data breach reached an all-time high of $4.35 million in 2022. This number is likely to keep increasing.  

While data breaches can have devastating consequences, they can also be catalysts for growth and improvement. By confronting these challenges, organizations gain valuable insights into their cybersecurity posture and identify areas for improvement. Moreover, data breaches provide an opportunity to enhance trust with customers and stakeholders by demonstrating a commitment to transparency and accountability.