
New IBM Report - The Real Cost Of A Data Breach In 2022

By: Sarah Hofmann | GDPR | 8 November

Every year, the cost of a security breach gets higher and higher. This year is no exception, according to IBM’s 2022 Cost of a Data Breach report. This blog post uses the latest data to uncover how much a cyberattack could cost your organisation. We also highlight trends in data breaches you should be aware of. Though the topic is heavy, we’ll end on a lighter note with actionable recommendations you can use to improve your organisation’s security and reduce your risk of a data breach.

Short Summary

  • Data breaches are becoming more common and more expensive every year. The average cost of a data breach in 2022 was $4.34 million.
  • While every kind of organization is vulnerable to data breaches, those providing critical infrastructure and healthcare services are big targets.
  • Small businesses are also vulnerable to data breaches, and the consequences can be devastating, often leading to complete shutdowns.
  • The most common sources of data breaches are compromised account credentials, phishing, and cloud misconfigurations.
  • To prevent data breaches, organizations should prioritize good security practices and educate their employees.

Recent trends in data breaches

In 2022, the average data breach cost $4.35 million

If this sounds like a lot of money, you’re not alone. This cost is nearly a 13% increase from the cost of a data breach in 2020. So, data breaches cost a lot and are getting more expensive every year. Since data breaches cost so much money, preventing one by maintaining good security practices should be a priority.

What changed from last year

Compared to the 2021 report, data breaches got more expensive in 2022. Last year, the average cost of a breach was $4.24 million, and this year the average cost is $4.35 million. One explanation for the higher overall figure is the cost borne by healthcare companies, which rose by $870,000 this year.

This year’s report also offers, for the first time, insight into the process of experiencing a data breach. For example, the majority of businesses surveyed had to increase prices after a breach.

This report also shows how vulnerable companies are to breaches, because over 80% of the organisations studied had experienced more than one breach.

Remote work is still a factor that increases the cost of data breaches, but the cost of a breach when remote work was involved slightly decreased this year.

Finally, last year, phishing was the most common source of data breaches. This year, compromised credentials were the most common source of breaches, followed by phishing.

Now that we’ve covered some of the main findings from IBM’s 2022 report, let’s talk about how the report was made. Next, we’ll quickly go over IBM’s survey methods and what they found about security breaches in Scandinavia.

How the report is made

To gather data for the report, IBM interviewed 3,600 people from 550 organisations across the world. To best calculate the average cost of a breach, IBM excluded the smallest and largest data breaches, although their report has a section on mega breaches if you are interested in seeing some bigger numbers. Additionally, the majority of the sample came from these industries: financial, services, industrial, and technology.

What this means for small businesses

Because the findings are reported based on averages, it might be hard for small businesses to see themselves in the findings. If that sounds like you, we encourage you to pay attention to the trends in how breaches happen and the impacts they have on businesses, rather than the dollar amount reported.

For example, while it’s unlikely that a phishing attack will cost your business the average ($4.91 million), it is likely that your organisation will face phishing attacks, because they are one of the most common sources of breaches. So, the trends and recommendations will hopefully be useful to you, even if the cost seems unrealistic.

Data breaches in Scandinavia

To put the numbers into perspective locally, Scandinavian companies made up 4% of the sample studied this year. Interestingly, the average cost of a data breach decreased among Scandinavian companies this year. In 2021, the average cost of a breach in Scandinavia was $2.67 million, while this year the average cost was $2.08 million. Only Brazil and Turkey had lower average breach costs than Scandinavia.

Data breaches are becoming more common

Cyber-attacks involving data breaches are becoming more common. The cost of recovering from these attacks is increasing, too.

  • In 2009, estimates showed that a cyber-attack happened every 39 seconds

  • In 2022, the frequency of attacks increased to once every 11 seconds

Since data breaches are happening more often and costing companies more money, it’s safe to say that we should pay attention to this issue.

Most organisations have experienced multiple security breaches

Of the organisations IBM studied for their 2022 report, 83% experienced more than one data breach. Can you imagine having to pay over $4 million to recover from a cyber-attack, more than one time?

As a result of how expensive data breaches are, 60% of businesses had to increase the costs of their products or services. This is bad news for businesses. Higher costs on top of a loss of customer trust can push customers away, towards competitors.

All types of organisations are vulnerable to data breaches

Big organisations, especially in healthcare, are common targets

Cyber criminals are smart. They know what kinds of businesses have the most to lose from a data breach and who can afford to pay ransom requests. Big organisations also end up receiving the largest fines for breaking the GDPR.

With this in mind, it makes sense that big organisations, such as healthcare companies, suffer the highest costs when they experience data breaches. Think about all the personal information about patients that hackers can gain access to. Healthcare organisations need access to patients’ records in order to care for them. Plus, they need to keep their patients’ trust when it comes to their personal health information. The amount of sensitive data healthcare organisations have, and their willingness to pay for control of these records, make healthcare organisations a big target for expensive data breaches.

In fact, the cost of a data breach for a healthcare organisation is more than double the overall average in 2022, at $10.10 million.

Critical services pay a higher price

In addition to healthcare companies, other critical infrastructure organisations are susceptible to data breaches with price tags higher than the average cost of a breach. Critical infrastructure organisations include the following sectors: financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries.

Small organisations are also vulnerable

Even though larger companies are more obvious targets for cyber criminals, small businesses also suffer greatly from data breaches. Six months after experiencing a breach, 60% of small companies have to completely shut down. Since small businesses lack the massive IT security budgets and institutional resources that large companies have, they are more vulnerable to business-ending breaches.

This makes sense, especially given that organisations usually pass the consequences of the breach onto their customers in the form of higher prices. It’s easy for customers to choose a new business partner when they lose trust in the company due to a breach, and when the company starts to increase their prices.

How data breaches happen

To reduce the risk of your organisation falling victim to a data breach, you need to know how data breaches occur in the first place. The three most common sources of data breaches in 2022 are:

  • Compromised account credentials

  • Phishing

  • Cloud misconfiguration

Any organisation should make it their goal to ensure that their employees are aware of how breaches usually happen, and how to prevent them.

Compromised account credentials are the most common cause

The most frequent way that hackers get into a company’s system is by getting access to an employee’s account information.


These kinds of attacks are the most common, and unfortunately, they also take the longest amount of time to resolve. In 2022, these breaches took an average of 327 days in total to detect and contain.

To reduce the risk of a breach caused by compromised credentials, it’s important to have strong passwords and know the signs of a phishing email. One way to help your employees recognize phishing emails is through phishing training. You can also add an extra line of defence through either two-factor authentication, password managers, or a combination of both to further increase the cyber security in your organisation.

Phishing is one of the most expensive methods of attack, costing an average of $4.91 million per breach.

This again highlights the importance of aware employees who can spot a phishing email.


How much data breaches cost and why they’re so expensive

Breaking down the cost of a data breach

Recovering from a data breach involves both direct costs and indirect costs. For example, direct costs can include the need to hire an IT forensic team to investigate the breach and repair damaged systems. One big indirect cost is the reputational harm businesses experience after being victims of a breach. Below you can see the different cost areas involved in a breach.

  • 33%: lost business costs - reputational harm
  • 33%: detection and escalation of the breach - audits and investigations
  • 27%: post-breach response - services for victims, e.g., help desk and credit monitoring
  • 7%: notification - letting customers and regulators know about the breach via mail, telephone, email, etc.


Let’s dig into the biggest cost area, lost business, a bit further. Regardless of how big your company is, lost business is surely a big threat to your organisation’s future.

Lost business is a major cost

Lost business is a big factor in the overall cost of a data breach. It costs an average of $1.42 million per breach.

Put yourself in a customer’s shoes. As you hear news of the data breach, you begin to lose trust in the business that experienced the cyber-attack. If you are a current customer, you may wish to stop doing business with them. If you are a prospective customer, you might choose a different vendor that provides the same service.

The bottom line is that data breaches are bad for business.

Even after the company recovers all the sensitive data, it can take years for them to regain customers’ trust.

Beyond that, many businesses also suffer lost revenues from the time that their services were down during the breach, leaving customers without access. This is especially the case in ransomware attacks, where the ransomware brings a business “offline” for a period of time.

Some factors make a data breach more expensive

The total cost of a breach depends mostly on how efficiently an organisation can respond to it. The faster you can react to a breach, the less expensive it will be to manage. A few factors that impact the cost of a breach are:

  • Existing security and detection practices

  • How long it takes to find and contain the breach

  • The amount of information that is compromised

  • Safeguards the company puts in place after the breach to protect its own data and the people whose information was compromised during the attack

Having a breach response plan ready before an incident helps your organisation save time once a breach occurs, so it is well worth preparing one.

Ransomware attacks include additional costs, making them more expensive

Also, a breach can become more expensive when ransom is involved, which is often the case in ransomware attacks. That’s because the company must recover from the breach itself and potentially pay a ransom to the cyber criminals. Without paying the ransom, the company may have trouble regaining access to its systems and important files.

Because of the added cost, ransomware attacks are more expensive to recover from than breaches that do not involve ransomware. In 2022, 11% of breaches involved ransomware.

Although it can seem like you have to pay the ransom if you are part of a ransomware attack, we do not suggest sending money to the cyber criminals. This is because you might not get your data back in its original condition and your willingness to pay could encourage future attacks. The best thing you can do is prevent an attack.


The faster you can respond, the less a breach will cost you

We all know the saying, “time is money.” Seriously though – when it comes to data breaches, every day a breach goes undetected, the cost of resolving it increases.

The reality is that it takes much longer to identify a breach than it takes to contain one, but both processes can be lengthy. In 2022, it took an average of 207 days to identify a breach and 70 days to contain the breach. In other words, an average breach takes about ¾ of a year to recover from. Detecting breaches is easier if you use practices such as SIEM and log management. Technical solutions like these can be useful for smaller organisations, which may have fewer human resources in the IT department.
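To make the point about SIEM and log management concrete, and to tie it back to the compromised-credential breaches that took 327 days on average to detect, here is an added example that is not part of the CyberPilot post or IBM’s report. It is a small Python routine of the kind a SIEM rule automates: it reads authentication log lines and raises an alert when a burst of failed logins on one account is followed by a success within a short window, or when an account logs in successfully from a source IP it has never used before. The log format, the sample lines, the threshold of five failures and the ten-minute window are all assumptions made for the example.

```python
"""
Added example (not from the CyberPilot post or IBM's report): log-based
detection of two patterns that often accompany compromised credentials.
Rule 1: >= FAIL_THRESHOLD failed logins for a user, then a success, inside WINDOW.
Rule 2: a successful login for a user from an IP address not seen before.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <user> <source_ip> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2022-11-08T08:00:01 alice 10.0.0.5 LOGIN_OK
2022-11-08T08:03:10 alice 10.0.0.5 LOGIN_OK
2022-11-08T08:10:00 bob 10.0.0.9 LOGIN_OK
2022-11-08T21:14:02 bob 203.0.113.7 LOGIN_FAIL
2022-11-08T21:14:05 bob 203.0.113.7 LOGIN_FAIL
2022-11-08T21:14:09 bob 203.0.113.7 LOGIN_FAIL
2022-11-08T21:14:12 bob 203.0.113.7 LOGIN_FAIL
2022-11-08T21:14:15 bob 203.0.113.7 LOGIN_FAIL
2022-11-08T21:14:40 bob 203.0.113.7 LOGIN_OK
2022-11-08T22:00:00 carol 198.51.100.4 LOGIN_OK
2022-11-09T07:55:00 alice 10.0.0.5 LOGIN_OK
"""

FAIL_THRESHOLD = 5            # assumed: failures before a success that we flag
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, ip, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "ok": outcome == "LOGIN_OK"}


def detect(log_text, known_ips=None):
    """Return a list of (rule, user, ip, timestamp) alerts.

    known_ips: optional baseline {user: [ip, ...]} learned earlier. With no
    baseline, each user's first successful login establishes their known IPs,
    so only later logins from unfamiliar addresses are flagged.
    """
    seen = defaultdict(set, {u: set(v) for u, v in (known_ips or {}).items()})
    recent_fails = defaultdict(list)   # user -> timestamps of recent failures
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        user, ts = ev["user"], ev["ts"]
        if not ev["ok"]:
            # record the failure and drop failures older than the window
            recent_fails[user] = [t for t in recent_fails[user] + [ts]
                                  if ts - t <= WINDOW]
            continue
        # successful login: rule 1, failures followed by a success
        fails = [t for t in recent_fails[user] if ts - t <= WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("fail_then_success", user, ev["ip"], ts.isoformat()))
        recent_fails[user] = []
        # rule 2, success from an address this user has never used
        if seen[user] and ev["ip"] not in seen[user]:
            alerts.append(("new_source_ip", user, ev["ip"], ts.isoformat()))
        seen[user].add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block on the constructed log flags bob twice at 21:14:40: the five failures followed by a success, and the success coming from an address bob had never used. Either signal on its own is a reason for the IT team to look at that account the same day rather than months later; in a real deployment the baseline of known addresses would be fed from historical logs rather than learned from the same file being scanned.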

Remote work increases the cost of a breach

We all enjoy the flexibility of working from home. However, it can take longer to detect and contain a data breach when large parts of a company are working remotely.

Breaches involving remote work cost an average of $1 million more than breaches where remote work was not a factor.

The truth is that remote work is a regular part of our work culture today. To maintain data security while working from home, it is important that businesses protect their systems and their remote employees. Security measures like asset management tools can help increase your protection if remote work is common in your organisation.


Data breaches, personal data, and the GDPR

If a data breach happens in your organisation, the GDPR has a few requirements related to notifications you must give. For example, you have to notify the national supervisory authority immediately and no more than 72 hours after you become aware of the breach, unless it is highly unlikely that personal data was compromised during the breach. In this notification, you’ll have to describe the nature of the breach, the type and amount of data compromised, the contact information of your Data Protection Officer, the expected consequences, and the actions you have already taken or plan to take in response. You’ll also have to notify the individuals whose data was impacted by the breach without unnecessary delay if you decide they could be at high risk.

So, we’ve covered how breaches happen and why they’re so expensive. Now, let’s move on to ways you can protect your organisation from breaches and reduce the cost of a breach if it does happen.

Steps you can take to prevent breaches and reduce costs

Preventing data breaches

It goes without saying that the best way to reduce the cost of a breach is to avoid one in the first place. Preventing data breaches is a big topic, so we won’t go into too much depth on it in this post. We cover a lot of different prevention methods in depth in other blog posts. Some examples of ways you can prevent a breach are:

Adopting these practices can strengthen your security culture and make your organisation less vulnerable to a security breach.


Reducing the likelihood and cost of a data breach

Hopefully, your organisation will not be the victim of a data breach. But, since data breaches are on the rise, it is likely that your organisation could be the target of a breach.

We’ve learned that our employees are our biggest resource when it comes to preventing and detecting data breaches. One way to reduce the likelihood and cost of a breach occurring in your company is to create a strong cyber security culture. Since many data breaches happen because of human error, like clicking on a link in a suspicious email, employees are our first line of defense.

But how can you reduce human error? Aware employees are less likely to make the mistakes that lead to data breaches. That’s why it’s important to create and maintain awareness about cyber security and proper data handling in your organisation. It can be done in many ways, for example through awareness training activities, simulations, and regular exposure to keep your employees sharp. A few ways CyberPilot can help you achieve a stronger security culture are:

Building a strong security culture does not have to be hard or time-consuming. Plus, it can really reduce your risk of a data breach. Aware employees are safe employees, and when it comes to data breaches – that’s a cost you want to avoid.
