The average cost of a data breach has been climbing since 2017 and in 2023 reached a record $4.45 million (USD), according to the latest Cost of a Data Breach Report from IBM. The average dipped slightly at the start of the pandemic in 2020, but has climbed steadily since then, exceeding $4 million in each year.
The latest report offers some surprising revelations, a few of which are shared below along with charts published in the report.
According to the IBM report, the average cost of a healthcare data breach has increased 53.3% over the past three years, since the start of the pandemic. That is a staggering figure next to the roughly 15% increase across all industries over the same period. Possible contributing factors include heavy regulation of the sector and its designation as critical infrastructure by the U.S. government.
While the financial industry occupied second place in terms of cost per breach, the cost of a financial data breach was roughly half the cost of a healthcare breach.
In both 2022 and 2023, the U.S. ranked number one among the top ten countries in terms of data breach costs, reaching
Germany, Japan, the United Kingdom, France, and Italy all averaged between $4 and $5 million per breach.
A possible explanation for the extremely high costs in the U.S. and the Middle East is the comparatively large number and value of assets in those regions that are attractive to cybercriminals, hackers, and ransomware gangs.
Data breaches originate from a variety of sources, and the mix tends to change slowly over time. Phishing was responsible for 16% of data breaches, followed closely by stolen or compromised credentials at 15%. Since the goal of a phishing scheme is often to manipulate employees into disclosing their login credentials, it makes sense that the two would track closely.
Slightly more than 10% of data breaches were attributed to misconfigured cloud applications, followed by business email compromise scams at 9%.
For the first time, the 2023 IBM report assessed the role of zero-day (previously unknown) vulnerabilities in data breaches alongside known but unpatched vulnerabilities. Although the share is relatively small, it is still concerning that more than 5% of data breaches originated from known vulnerabilities for which a patch was available but had not been applied. Failure to patch promptly once updates are released is a consistent contributor to successful cyberattacks. Unsurprisingly, timely patching is widely regarded as a cybersecurity best practice and is required by most cybersecurity frameworks and security regulations.
In terms of cost, the most expensive data breaches originated from the malicious acts of insiders. These incidents averaged $4.9 million per breach, which the report puts at 9.6% above the global average of $4.45 million. On the plus side, malicious insider attacks accounted for just 6% of all data breaches. The second most expensive source was phishing, at $4.76 million per breach. Phishing continues to plague organizations year after year, in part because of poor or absent cybersecurity training for employees and management.
The 2023 Cost of a Data Breach Report runs to 78 pages of research, correlated data, and insights, and contains many additional findings that may be of interest to Chief Information Security Officers, Chief Information Officers, and others responsible for cybersecurity at their organizations.
The annual Cost of a Data Breach Report presents a wealth of useful information regarding the costs of data breaches around the world. It examines data breach costs through a variety of lenses, including breaches by country, industry, source or cause, and many others.
Organizations that make a point of studying this information, and of understanding the vulnerabilities that contribute to data breaches, have an advantage over those that do not. Well-informed organizations are better able to harden their defenses and avoid the high costs and other consequences of a data breach.