The 2023 Report on the Cost of a Data Breach, compiled annually by IBM and the Ponemon Institute, reveals organizations’ responses to cybercrime
The cost of a data breach has been climbing since 2017, and in 2023 reached a record $4.45 million (USD), according to the latest Cost of a Data Breach Report. The average cost dipped slightly at the start of the pandemic in 2020, but since then has climbed steadily with the cost of a data breach exceeding $4 million each year.
The annual report is based on research conducted by the Ponemon Institute and sponsored and analyzed by IBM. 2023 marks the 18th year of the widely read report, which has been expanded over time as cybercrime and organizations’ responses to data breaches have evolved.
The latest report offers some surprising revelations, a few of which are shared below along with charts published in the report.
Healthcare Industry Continues to Experience Highest Cost
For the 13th consecutive year, the healthcare industry recorded the highest cost of a data breach, reaching almost $11 million (USD) in 2023. In the same vein, healthcare data breaches reported to the HHS Office for Civil Rights in 2023 totaled 548 and potentially affected almost 122 million individuals by compromising their protected health information. These numbers set a record for healthcare in terms of both the volume of data breaches and the average cost per breach.
According to the IBM Report, over the past three years—since the start of the pandemic—the average cost of a data breach in healthcare has increased 53.3%. It’s a staggering figure compared to the 15% increase for the same three years across all industries. Possible contributing factors include heavy regulation and designation as critical infrastructure by the U.S. government.
While the financial industry occupied second place in terms of cost per breach, the cost of a financial data breach was roughly half the cost of a healthcare breach.
United States Retains Record for Highest Data Breach Cost Globally
In both 2022 and 2023, the U.S. ranked number one among the top ten countries in terms of data breach costs, reaching $9.48 million last year in a slight increase from 2022. The Middle East ranked second at $8.07 million in 2023. Canada followed at a distant third, with $5.13 million in average data breach cost, a slight decrease from the prior year.
Germany, Japan, the United Kingdom, France, and Italy all averaged between $4 and $5 million per breach.
A possible explanation for the extremely high costs in the U.S. and Middle East may relate to the comparatively high number and value of assets that are attractive to cybercriminals, hackers, and ransomware gangs.
Primary Sources of 2023 Data Breaches
Data breaches originate from a variety of sources, which tend to change slowly over time. Phishing was responsible for 16% of data breaches, followed closely by stolen or compromised credentials at 15%. Often, the goal of phishing schemes is to manipulate employees into disclosing login credentials, so it makes sense that the two would track closely.
Slightly more than 10% of data breaches were attributed to misconfigured cloud applications, followed by business email compromise scams at 9%.
For the first time, the 2023 IBM Report assessed the role of zero-day (unknown) vulnerabilities in data breaches as well as known but unpatched vulnerabilities. Although a relatively small number, it is still concerning that more than 5% of data breaches originated from known vulnerabilities that had not been patched. The failure to promptly patch software when updates are made available consistently contributes to cyberattacks. Not surprisingly, patching is widely considered a cybersecurity best practice and is a requirement in most cybersecurity frameworks and security regulations.
In terms of data breach cost, the most expensive data breaches originated from the malicious acts of insiders. These incidents averaged a cost of $4.9 million per breach—which is 9.6% higher than the global average cost ($4.45 million per breach). On the plus side, malicious insider attacks comprise just 6% of total data breaches. The second most expensive data breach source was phishing, at $4.76 million per data breach. Phishing continues to plague organizations year after year, in part due to poor or absent cybersecurity training for employees and management.
Additional Revelations about Data Breach Costs
The 2023 Cost of a Data Breach Report presents 78 pages of extensive research, correlated data, and insights. Below are several additional revelations from the report that may be of interest to Chief Information Security Officers, Chief Information Officers, and others responsible for cybersecurity at their organizations.
- Organizations that experienced ransomware attacks and chose to engage law enforcement saved $470,000 in their average data breach costs compared to those that did not involve law enforcement. Despite ongoing authoritative recommendations, 37% of organizations elected not to engage law enforcement. In addition, nearly half of ransomware victims (47%) reportedly paid the ransom to retrieve their data.
- Organizations that experienced a data breach were more likely to pass along their data breach costs to consumers (57%) than to increase their investments in security (51%).
- Organizations that extensively employed artificial intelligence and automation were able to reduce their data breach lifecycle to 214 days, as compared to organizations that did not employ these technologies (322 days). Their data breach costs were also nearly $1.8 million
- In terms of detecting a data breach, one-third were detected by an organization's own security team, compared to 27% that were disclosed by the cybercriminal. Breaches disclosed by the attacker cost nearly $1 million more on average than breaches that organizations discovered themselves.
Summary
The annual Cost of a Data Breach Report presents a wealth of useful information regarding the costs of data breaches around the world. It examines data breach costs through a variety of lenses, including breaches by country, industry, source or cause, and many others.
Organizations that make a point of studying this information, and of understanding the vulnerabilities that contribute to data breaches, have an advantage over those that do not. Well-informed organizations are better able to harden their cybersecurity defenses to avoid the high costs and other pitfalls of a data breach.