IBM Cost of a Data Breach Report 2023 - What we learn from it?
The Cost of a Data Breach Report by IBM Security and Ponemon Institute provides insights into the financial impact of data breaches on organizations worldwide. The report has been conducted annually for 18 consecutive years and examines the root causes, consequences, and costs associated with data breaches.
Key findings from the 2023 report:
- The average total cost of a data breach reached an all-time high of $4.45 million in 2023, a 2.3% increase over 2022. Since 2020, the average total cost has increased 15.3%.
- 51% of organizations are planning to increase security investments following a data breach. Top areas for additional investments include incident response planning/testing, employee training, and threat detection/response technologies.
- Organizations with extensive use of security AI and automation experienced $1.76 million lower data breach costs and identified/contained breaches 108 days faster than those with no use.
- Only 33% of breaches were identified by organizations' internal security teams. 67% were reported by third parties or the attackers themselves. When attackers disclosed the breach, costs were nearly $1 million more.
- 82% of breaches involved data stored in cloud environments - public cloud, private cloud, or multiple environments. Breaches spanning multiple environments had higher than average costs at $4.75 million.
- Since 2020, healthcare data breach costs have increased 53.3% to $10.93 million in 2023. Healthcare faced the highest costs for the 13th consecutive year.
- 63% of organizations involved law enforcement in ransomware attacks. Those that didn't experienced $470,000 higher costs and a 33 day longer breach lifecycle.
- Breaches with lifecycles over 200 days cost $1.02 million more on average than those under 200 days. Time to identify and contain continues to impact overall costs.
- High security system complexity increased breach costs by $1.44 million compared to organizations with low complexity. Complexity amplifies costs.
Global Highlights
- The average total cost of a data breach was $4.45 million globally in 2023, a 2.3% increase over 2022. The US had the highest average cost at $9.48 million.
- The average cost per compromised record was $165 in 2023 globally, up slightly from $164 in 2022. This metric helps estimate breach costs based on size.
- Mean time to identify a breach was 204 days and mean time to contain was 73 days in 2023 globally. The combined time to identify and contain was 277 days.
- 57% of organizations increased the pricing of products/services for customers as a result of a data breach, passing on costs.
Initial Attack Vectors
- Phishing (16%) and stolen credentials (15%) were the top two initial attack vectors, followed by cloud misconfiguration (11%) and business email compromise (9%).
- Breaches initiated via malicious insiders had the highest average cost at $4.9 million, 9.6% above average. Phishing was second costliest at $4.76 million.
- Stolen credentials (328 days) and malicious insiders (308 days) caused the longest time to identify and contain. Phishing breaches took 293 days on average.
Identifying Attacks
- 33% of breaches were identified by organizations' internal teams, while 67% were identified by third parties or attackers.
- Breaches disclosed by attackers cost $930,000 more on average than those identified internally. Disclosure by attackers was associated with the highest costs.
- It took 320 days to identify and contain breaches disclosed by attackers - 80 days longer than those identified internally.
Data Breach Lifecycle
- Breaches contained in under 200 days cost $1.02 million less on average than those over 200 days. Faster containment reduced costs by 23%.
- Since 2020, the cost difference based on this 200 day timeline has been consistent, emphasizing the importance of timely incident response.
Key Cost Factors
- The top cost-mitigating factors were DevSecOps adoption, employee training, and incident response planning/testing.
- The top cost-amplifying factors were security staffing shortages, system complexity, and non-compliance with regulations.
- High security complexity increased breach costs by $1.44 million compared to low complexity organizations. Complexity remains an important cost driver.
- High investment in DevSecOps lowered breach costs by $1.68 million compared to low adoption. DevSecOps showed the largest mitigating impact.
Ransomware and Destructive Attacks
- 24% of attacks involved ransomware, while 25% were destructive attacks that disabled systems.
- The average cost of ransomware attacks increased 13% to $5.13 million. Destructive attacks rose 2.3% to $5.24 million.
- Involving law enforcement in ransomware attacks reduced costs by $470,000 and shortened time to identify/contain by 33 days.
- Paying the ransom resulted in just 2.2% lower costs, meaning ransom payment provided negligible financial benefit.
Supply Chain Attacks
- 15% of attacks originated from vendors' networks (business partner supply chain), while 12% involved compromised software (software supply chain).
- Breaches from business partner suppliers cost 11.8% more than other causes. Software supply chain breaches cost 8.3% more than other causes.
Regulatory Environments
- In high regulation environments, 58% of breach costs accrued after the first year due to fines and ongoing legal/regulatory activities.
- 31% of organizations incurred fines related to data breaches. 20% of those fines exceeded $250,000.
Cloud Breaches
- 82% of breaches involved data stored in cloud environments - public cloud (27%), private cloud (18%), or multiple environments (39%).
- Breaches of data across multiple cloud environments incurred the highest cost at $4.75 million, 6.5% above average.
- Identifying and containing breaches in multiple environments took the longest at 291 days. Public cloud breaches took 276 days to identify and contain.
Security Investments
- 51% of organizations are increasing security investments following a data breach. The top areas for investment were incident response, employee training, and threat detection/response technologies.
- While data breach costs rose slightly, perspectives on increasing security spending were divided about evenly.
Security AI and Automation
- Extensive use of AI and automation lowered breach costs by $1.76 million and reduced identification/containment time by 108 days compared to no use.
- Only 28% of respondents reported extensive use of AI and automation in security, while 39% reported no use. Wider adoption can improve outcomes.
Incident Response
- IR planning and testing combined with a dedicated IR team reduced breach lifecycles by 54 days compared to having neither approach.
- IR planning and testing on its own shortened the breach resolution timeline by 48 days compared to having no IR planning.
Threat Intelligence
- Use of threat intelligence reduced the time to identify a breach by 28 days compared to organizations without threat intelligence.
Attack Surface Management
- Organizations with ASM solutions identified and contained breaches 25% faster - in just 75% of the time taken by those without ASM.
Managed Security Service Providers
- Partnering with an MSSP accelerated breach identification by 8% and containment by 15% - reducing lifecycles by 21% overall.
Recommendations
Based on the report findings, IBM outlined steps organizations can take to help reduce the impact and costs of data breaches:
- Build security into every stage of software development and deployment - and test regularly. Adopt DevSecOps methodologies and continually test applications.
- Modernize data protection capabilities across hybrid cloud environments. Improve visibility and control over sensitive data spread across multicloud.
- Use AI and automation extensively to increase speed and accuracy in security operations. Embed AI and automation throughout detection, response and investigation workflows.
- Know your attack surface and practice effective incident response. Prioritize risks based on real-world threats and regularly test incident response capabilities.
Research Methodology
The 2023 report compiled research across 553 organizations that experienced data breaches impacting between 2,200 to 102,000 records each. It utilized interviews with over 3,475 individuals knowledgeable about their company's breach experience and costs.
The average cost of a data breach is calculated based on activity-based costing across four main categories: 1) Detection and escalation, 2) Notification, 3) Post-breach response, and 4) Lost business costs. Direct and indirect expenses are collected to derive the total cost.
The study utilizes a proprietary benchmarking methodology designed to preserve confidentiality by having participants estimate costs along a range variable. Actual accounting data is not collected. The per-record cost metric is calculated based on breaches under 102,000 records and should not be extrapolated to mega breaches. Large-scale incidents are evaluated separately using simulations.
About Ponemon Institute and IBM Security
Ponemon Institute is an independent research organization focused on privacy, data protection and information security practices. IBM Security works with organizations worldwide to help predict, detect and respond to cybersecurity threats through an integrated portfolio of enterprise security products and services.
Conclusion
The 2023 Cost of a Data Breach Report provides an annual, in-depth analysis of the causes, impacts and costs associated with data breaches globally. Some key themes from this year's report include the rising financial consequences of breaches, the risks associated with complex on-prem and cloud environments, the importance of preparation through IR planning and testing, and the cost-mitigating benefits of AI, automation and other proactive security strategies.
As data breaches continue to pose severe financial and reputational risks, the report offers security leaders meaningful benchmarks and guidance to help strengthen their organization's security posture. By learning from other's experiences and leveraging the latest techniques and technologies, companies can become more resilient in the face of cyber threats. The report emphasizes that investing in robust cybersecurity and risk management strategies can significantly reduce exposure to attacks and minimize the impact of incidents.