The average total cost of a data breach has increased 10% annually to reach nearly $4.9m, and even higher ($5m) for malicious insider attacks, according to IBM.
The tech giant’s Cost of a Data Breach Report 2024 is based on analysis of 604 organizations impacted by data breaches between March 2023 and February 2024, across 17 sectors and 16 countries and regions. Researchers also interviewed 3,556 security and C-suite business leaders with first-hand knowledge of the breaches at their organizations.
IBM claimed the increase in costs came about as a result of a rise in the cost of lost business – including operational downtime and lost customers – and the cost of post-breach response, such as staffing customer service help desks and paying higher regulatory fines.
A major problem contributing to breaches appears to be so-called “shadow data” – information that’s difficult for organizations to track and therefore secure.
A third (35%) of breaches last year featured shadow data, leading to a 16% increase in breach costs. These incidents took 26% longer on average to identify and 20% longer on average to contain, the report claimed.
IBM argued that supply chain breaches, system complexity and skills shortages are also driving up breach costs.
On skills shortages specifically, over half of breached organizations reported high levels of security staffing shortages, a 26% increase from the previous year; the report claimed this factor corresponds to an average $1.8m increase in breach costs.
Although average breach costs for the healthcare sector dropped from $10.9m to $9.8m over the period, in most other sectors, costs increased – notably finance, where average breach costs rose from $5.9m to $6.1m.
Cutting Costs
Employee training (-$259,000) and AI-driven insight (-$259,000) were the factors that reduced average breach costs the most. Involving law enforcement in ransomware breaches could also shave $1m off costs, not including the ransom itself.
Perhaps unsurprisingly, breaches that take longer to discover and remediate lead to higher costs. Data breaches with a lifecycle exceeding 200 days had the highest average cost, at $5.5m, which makes a strong case for enhanced threat detection and response.
For the second year in a row, phishing (15%) and stolen or compromised credentials (16%) were the two most common attack vectors. That’s bad news, as incidents stemming from stolen/compromised credentials were also the longest to identify and contain, taking an average of 292 days.
However, the overall mean time to identify and contain incidents dropped to 258 days, a seven-year low.
Some 70% of organizations in this year’s study experienced a significant or very significant disruption to business resulting from a breach. Most (63%) organizations also said they planned to pass on any costs to their customers, up from 57%.