The global average cost of data breaches reached an all-time high of $4.35 million in 2022 compared with $4.24 million in 2021, according to a new IBM Security report. About 60% of the breached organizations raised product and services prices due to the breaches.
The annual report, conducted by Ponemon Institute and analyzed and sponsored by IBM Security, is based on the analysis of real-world data breaches experienced by 550 organizations globally between March 2021 and March 2022.
According to the report, about 83% of the organizations have experienced more than one breach in their lifetime, with nearly half of the costs reported to be incurred more than a year after the breach.
Cloud and critical infrastructure remain at high risk
The report revealed that ransomware and destructive attacks represented 28% of breaches among critical infrastructure organizations studied, indicating threat actors specifically targeting the sector for disrupting global supply chain. The critical infrastructure sector includes financial services, industrial, transportation, and healthcare companies.
The report also noted that in the US, even a year after the Biden administration issued a cybersecurity executive order mandating federal agencies to adopt a zero-trust security model, only 21% of critical infrastructure organizations surveyed have done so, raising costs by $1.17 million for those who did not. Seventeen percent of the critical infrastructure breaches were caused due to a business partner being initially compromised.
Cloud computing infrastructure is an even easier target because of the security immaturity it suffers, according to the report. “Forty-three percent of studied organizations are in the early stages or have not started applying security practices across their cloud environments, observing over $660,000 on average in higher breach costs than studied organizations with mature security across their cloud environments,” it added.
Hybrid cloud, however, has offered a silver lining in digital transformation as organizations adopting hybrid clouds (45%) have witnessed lower breach costs than the ones with a solely public or private cloud model, according to the report. While the breach cost for hybrid cloud averaged $3.8 million, public clouds recorded $5.02 million while private clouds recorded $4.24 million in breach costs respectively.
Overall, 45% of the breaches occurred in the cloud, making cloud architecture the most sought after target. Forty-three percent of the organizations said they are either still in the early stages or have not started implementing security solutions to protect their cloud infrastructure.
While compromised credentials were the leading cause of data breaches among companies surveyed (at 19%), phishing—in second place at 16%—has emerged as the costliest, leading to $4.91 million in average breach costs for responding organizations, the report underlined.
Healthcare sector hit hardest by breach costs
Healthcare has been for the last 12 years and continues to be the industry hit hardest by the cost of breaches, with average costs per breach increasing by $1 million to a record total of $10.1 million.
According to the report, businesses that paid threat actors' ransom demands saw $610,000 less in average breach costs compared to those that chose not to pay—not including the ransom amount paid. However, when accounting for the average ransom payment, which according to Sophos reached $812,000 in 2021, businesses that opt to pay the ransom could net higher total costs—all while inadvertently funding future ransomware attacks with capital that could be allocated to remediation and recovery efforts. Organizations suffering data breaches could also be looking at costs of federal offenses.
Among concerning factors, 62% of the suryeyed organizations stated they are not sufficiently staffed to meet their security needs, averaging $550,000 more in breach costs than those that state they are sufficiently staffed. Implementing security AI and automation has helped reduce costs by $3.05 million on average, the report added.