2023 Cost of a Data Breach: Key Takeaways
It’s that time of year - IBM has released its “Cost of a Data Breach Report.” This year’s report is jam-packed with some new research and findings that highlight how organizations are implementing security and risk mitigation techniques to help identify and contain data breaches.
- The average total cost of a data breach has reached an all-time high in 2023 of $4.45 million. This is an increase of 2.3% from last year’s $4.35 million.
- Even with data breach costs rising, surveyed companies were split 49% to 51% on whether to increase security investments. Areas identified for investment included incident planning and response, employee training, and threat detection and response technologies.
- Organizations that invested in security AI and automation reported lower breach costs and less time to identify and contain data breaches.
- Cloud environments were frequent targets, and attackers often gained access to multiple environments: 39% of breaches spanned multiple environments, with an average cost of $4.75 million.
- DevSecOps and Incident Response (IR) planning and testing adoption lead the way for cost saving, with DevSecOps saving organizations an average of $1.68 million, and IR planning and testing saving $1.49 million.
- Organizations with low or no security system complexity experienced an average data breach cost of $3.84 million, while organizations with high levels of security system complexity reported an average cost of $5.28 million, an increase of 31.6%.
What’s the damage?
In 2023, the average cost of a data breach rose again, from $4.35 million in 2022 to $4.45 million, an increase of 2.3%. The United States took the top spot this year with the highest average cost, $9.48 million, followed by the Middle East region at $8.07 million. The numbers then drop sharply: Canada at $5.13 million, Germany at $4.67 million, and Japan at $4.52 million. The figure below shows the top 10 countries or regions.
Breaking down costs by industry, not much has changed: Healthcare incurred the highest average cost at $10.93 million per breach, followed by Financial, Pharmaceuticals, Energy, and Technology to round out the top five. A high average cost per breach does not make an industry the most targeted: IBM threat intelligence reports that Manufacturing was the most commonly targeted industry in 2023. The graph below shows the cost of a breach by sector.
The attack vectors commonly used should be no surprise to anyone, with phishing being the most widely used at 16%, followed by stolen or compromised credentials, cloud misconfiguration, compromised business email, and zero-day vulnerabilities.
The global cost of data breaches has been on the rise, so one might expect organizations to increase their spending on security. Following a data breach, 51% of companies said they would increase spending, and 49% said they would not. Among organizations increasing their spending, the most common investment areas were IR planning and testing at 51%, followed closely by employee training at 46%.
Within organizations, investments in security AI and automation are seeing increased adoption, and their cost savings are delivering impressive numbers. Of the organizations surveyed, only 28% used security AI and automation tools extensively, while 33% had limited use. This leaves nearly 4 in 10 relying solely on manual processes in their security operations. The graphs below show the adoption of AI and the cost savings it provides in the event of a data breach.
As shown above, organizations that used security AI and automation extensively saw a 39.3% difference in average breach cost compared to those with no use at all. Even limited use produced a 28.1% difference. Notably, the average cost of a data breach for organizations with no use of AI or automation was 18.6% greater than the 2023 overall average cost of a data breach.
Light and Dark Side of Cloud Storage
There are many variables in a data breach: what was the attack vector, which safeguards were in place and failed, and where was the data stored? Most commonly, breached data spans multiple environments, including cloud and on-premises. The graphs below show the storage locations and the associated costs.
Figure 4.1 shows that the largest share of breaches, 39%, involved data stored across multiple environments, followed by public cloud at 27%. Figure 4.2 shows the cost side: a breach involving data stored across multiple types of environments cost $4.75 million, while the lowest cost, $3.98 million, was associated with private cloud storage, a 17.6% difference.
Key Cost Factors
This year’s most effective cost mitigators were the DevSecOps approach, employee training, and IR planning and testing. The DevSecOps approach had the greatest effect on cost mitigation, which can be attributed to automating the integration of security at every phase of the software development lifecycle. This allows development teams to deliver better, more secure code faster and, therefore, more cheaply. IR planning and testing is another important piece of the security puzzle that organizations are starting to put together.
Having an IR plan in place can help mitigate the fallout of security events. Readily available resources from third parties such as NIST can guide you through the process of building a concrete IR plan.
Figure 5.1 shows the substantial cost savings associated with the top three cost-mitigating factors. DevSecOps adopters had an average breach cost of $3.54 million, 22.8% below the average cost of a data breach, while those with low or no use of DevSecOps had a significantly higher average cost of $5.22 million, 15.9% above the average cost of a data breach.
Now that we’ve looked at the top three cost-mitigating factors, let’s look at the top three cost-amplifying factors: security system complexity, the security skills shortage, and noncompliance with regulations. Starting with security system complexity, most people think of a complex security system as a good thing, but that’s not always the case. When a security system becomes too complex, its interdependencies have negative implications both upstream and downstream.
Organizations with high levels of security system complexity suffered an average breach cost of $5.28 million, a 17.1% difference compared to the average cost of a data breach. The security skills shortage is estimated to add 18.6% to the cost of a breach, and regulatory noncompliance can result in a 12.6% increase in the cost of a data breach.
Recommendations to aid in reducing the cost of a data breach
IBM Security outlines the following measures that an organization can take to help reduce the financial and reputational impacts of a data breach:
- Believe in the DevSecOps approach. Build security into every stage of the SDLC and deployment pipeline, and conduct regular testing. Security should be at the forefront of every organization’s mindset, whether it uses commercial off-the-shelf software or develops software on its own. Developers should adopt a “secure by design and secure by default” mindset.
- Ensure hybrid cloud solutions have the most current data protections in place. Jumping headfirst into the rapid adoption of new cloud applications and services can increase the risk of sensitive data not being properly secured. In the 2023 report, the majority (82%) of organizations that suffered data breaches had data stored in cloud environments. In light of these challenges, organizations should seek data security and compliance technologies that work across all platforms, allowing them to protect data as it moves between environments.
- Embrace AI and automation in your organization’s security practice for increased speed and efficiency. It’s no secret that AI and automation are being used more and more to streamline and strengthen security. Organizations that incorporated AI and automation saw cost savings of $1.8 million and shortened the time to identify and contain a breach by more than 100 days, compared to organizations that did not use those tools. This strategy, combined with threat detection and response tools, can help organizations detect new threats and accurately pinpoint the security alerts that matter.
- Understand the attack surface, and implement and practice incident response. Knowing where you are exposed to the attacks most relevant to your organization’s industry, and prioritizing those needs, can give you an upper hand when trying to keep your data safe and secure. Attack Surface Management (ASM) tools can help organizations identify their risk profile and vulnerabilities. IR planning and testing has shown itself to be a top-three cost mitigator in this year's 2023 report. Organizations that planned and rehearsed IR had data breach costs $1.49 million lower than those that did not.
There is no “one-size fits all” approach that organizations can implement when it comes to data security. Regulations require different policies and practices to be in place, and the threat landscape is always changing.
There are many corners of the room where attackers are looking for an opening, studying their targets and planning their next moves. Understanding other organizations’ shortfalls, and improving upon them with the tools and practices highlighted in this year's 2023 data breach report, are small steps toward a more secure future.