The volume and impact of data breaches accelerated greatly in 2022, with many adverse effects for businesses. The 2022 IBM report highlights several updated factors that have generated significant costs across 17 countries and regions, and 17 industries. The report includes new related areas of analysis such as:
- Extended Detection and Response (XDR).
- Risk Quantification techniques.
- Technologies that contribute to a zero trust security framework - Identity and Access Management (IAM) and Multifactor Authentication (MFA).
The 2022 report records the highest global cost of data breaches of any year so far. The average global cost of a data breach reached USD 4.35 million, which is a 12.7% increase from the last year, and the highest ever noted across the history of IBM reports. For the 12th year in a row, the United States is the costliest country, with an average total cost of a data breach of USD 9.44 million. The second highest is the Middle East Region, at USD 7.46 million. Germany is in fifth place with the lowest cost of 4.85 million.
The top three industries affected by the costs of data breaches listed in this report are healthcare, financial, and pharmaceuticals. The healthcare industry took first place at USD 10.10 million, a 9.4% increase from the previous year. The financial sector took second place at USD 5.97 million, a 4.4% increase over 2021. The average total cost decreased slightly in the pharmaceutical industry, to USD 5.01 million. Each of these is part of the critical infrastructure sectors. As a result of the costs incurred from data breaches, a majority of 60% of organizations increased the prices of their services and products, passing the cost on to the consumer.
The top four initial attack vectors of data breaches in the 2022 report appear in the same order as in the previous 2021 report. The most common initial attack vector reported was compromised credentials, at 19%, with an average cost of USD 4.50 million. Phishing attacks accounted for 16% of breaches, costing USD 4.91 million. The remaining initial attack vectors, cloud misconfiguration at 15% and third-party software vulnerabilities at 13%, followed in that order.
On a positive note, the report identifies multiple factors that decreased the cost of data breaches. For example, AI platforms decreased the cost of a data breach by an average of USD 300,075 from the mean cost of a data breach of USD 4.35 million. DevSecOps approaches decreased costs by an average of USD 276,124, and the third factor, the formation of an Incident Response (IR) team, decreased the average breach cost by USD 252,897. Considering AI automated security controls, organizations with fully deployed automated security measures had lower costs, at USD 3.15 million, than those with no security automation in place. Instances where no AI security and automation were adopted had a higher cost of USD 6.20 million. Organizations that had fully deployed automated AI security controls detected and contained a breach two and a half months earlier on average than organizations that had no security controls deployed.
Cloud security and Remote work
Organizations that had mature cloud security procedures showed a cost decrease of more than half a million dollars over those in the early stages of securing their cloud environments. The highest maturity level in the application of cloud security practices reported a cost of USD 3.87 million, while the lowest maturity level in cloud security practices where no controls are used had a higher cost of USD 4.59 million.
When remote work environments were considered as a factor causing the data breach, the cost was calculated as USD 4.99 million, which is more than half a million dollars higher than the global average. When it wasn't considered as a factor causing the data breach, the cost was calculated as USD 4.02 million.
New Key Cost Factors
For the first time in the history of the IBM report, Extended Detection and Response (XDR) technologies are analyzed. Organizations that have deployed XDR technologies experienced a lower average cost, USD 4.15 million, than organizations that haven't deployed XDR technologies. Those non-XDR companies experienced a cost of USD 4.55 million, which is above the global average cost of a data breach.
Incident Response (IR)
This year's report also focuses on the usage of IR teams and testing of IR plans. Employing both methods resulted in a significantly lower cost of USD 3.26 million compared with the average cost of a data breach, while having no IR team or IR testing mechanisms resulted in a massive cost of USD 5.92 million.
Risk quantification methodologies focus on the financial impacts, losses, and the availability of data with data integrity. These factors help CISOs, risk managers, and security teams quantify those risks in financial terms. Organizations using risk quantification saved USD 2.10 million on average, with a cost of USD 3.30 million, while those not using any risk quantification procedures incurred a cost of USD 5.40 million.
The impact of the zero trust security framework on data breaches is analyzed for the second time, following the prior year's report. Organizations saved nearly 1 million dollars in costs by having zero trust deployed. Organizations that had a zero trust framework had an average cost of USD 4.15 million, while organizations that didn't reported a cost of USD 5.10 million.
Many millions of dollars were lost due to data breaches spanning 17 different countries and 17 different industries. The report highlights that the lack of security controls and procedures is a dominant cause of the losses created by these data breaches. Global costs have reached an all-time high, which brings attention to the need for better, more solid consideration of security across industries and organizations.
The new key cost factors analyzed in this year's report also show good signs of reducing many of the losses. This brings us to the conclusion that the attack vectors and the technologies targeted in data breaches are advancing, increasing, and becoming more complicated than ever. However, the report also shows that the adoption of various technological security procedures like automated AI security, DevSecOps, and IR teams and plans has contributed to decreasing many of the costs.
About the Author: Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.