The average global cost of a data breach now stands at a record $4.45m, up a little over 2% year on year (YoY), according to IBM.
Now in its 18th year, the tech giant’s annual Cost of a Data Breach Report was compiled by the Ponemon Institute from interviews with 553 organizations worldwide.
The report claimed that the main contributor to additional cost this year was detection and escalation activities, which include forensics and investigations, assessment and audit services, crisis management and communication to executives and boards. These costs surged 42% YoY.
Disappointingly, the report noted that breached organizations were more likely to pass incident costs onto consumers (57%) than to increase security investments (51%).
Alongside the global average, the cost of a breach in the US also increased (to $9.48m) and it continues to be the country with the highest breach costs. Healthcare is still the costliest vertical, with costs increasing 8% to $10.93m per breached organization.
However, in many countries and verticals costs actually declined. The countries that experienced a reduction in average breach costs included Canada, Germany, Japan, the UK, France, South Korea, South Africa, Australia, India, Scandinavia and Brazil.
In terms of verticals, financial services, pharmaceuticals, technology, professional services, consumer, education, research, entertainment and retail all saw a decline in breach costs.
As highlighted in the report, the three most impactful ways to reduce breach costs are: use of DevSecOps (which saved $249,278 on the global average figure); employee training (-$232,867); and incident response plans and testing (-$232,008).
Many other factors are listed as potentially helping organizations to mitigate the financial impact of a data breach, including:
- Involving law enforcement in investigations (for ransomware), which saved $470,000 on average. Despite the figure, nearly two-fifths (37%) of organizations did not do this
- Detecting a breach in-house. Incidents disclosed by the attacker cost around $1m more
- AI and automation, which saved respondents $1.8m in costs and shortened the breach lifecycle by 108 days
Phishing and stolen or compromised credentials were the two most common initial attack vectors and also featured in the top four most expensive access vectors alongside malicious insiders and business email compromise (BEC).