New IBM Report - The Real Cost Of A Data Breach In 2022
Every year, the cost of a security breach gets higher and higher. This year is no exception, according to IBM’s 2022 Cost of a Data Breach report. This blog post uses the latest data to uncover how much a cyberattack could cost your organisation. We also highlight trends in data breaches you should be aware of. Though the topic is heavy, we’ll end on a lighter note with actionable recommendations you can use to improve your organisation’s security and reduce your risk of a data breach.
Table of contents
Recent trends in data breaches
- How the report is made
- Data breaches in Scandinavia
Data breaches are becoming more common
- Most organisations have experienced multiple security breaches
All types of organisations are vulnerable to data breaches
How data breaches happen
How much data breaches cost and why they’re so expensive
Data breaches, personal data, and the GDPR
Steps you can take to prevent breaches and reduce costs
Recent trends in data breaches
According to the report, the average cost of a data breach in 2022 is $4.35 million. If this sounds like a lot of money, you’re not alone. This is nearly a 13% increase from the cost of a data breach in 2020. So, data breaches cost a lot and are getting more expensive every year. Since data breaches cost so much money, preventing one by maintaining good security practices should be a priority.
What changed from last year
Compared to the 2021 report, data breaches got more expensive in 2022. Last year, the average cost of a breach was $4.24 million, and this year the average cost is $4.35 million. One explanation for the higher cost is the increase in costs borne by healthcare companies, which rose by $870,000 this year.
This year’s report also offers, for the first time, insight into what happens to a business after it has experienced a data breach. For example, the majority of businesses surveyed had to increase prices after a breach.
This report also shows how vulnerable companies are to breaches, because over 80% of the organisations studied had experienced more than one breach.
Remote work is still a factor that increases the cost of data breaches, but the cost of a breach when remote work was involved slightly decreased this year.
Finally, last year, phishing was the most common source of data breaches. This year, compromised credentials were the most common source of breaches, followed by phishing.
Now that we’ve covered some of the main findings from IBM’s 2022 report, let’s talk about how the report was made. Next, we’ll quickly go over IBM’s survey methods and what they found about security breaches in Scandinavia.
How the report is made
To gather data for the report, IBM interviewed 3,600 people from 550 organisations across the world. To best calculate the average cost of a breach, IBM excluded the smallest and largest data breaches, although their report has a section on mega breaches if you are interested in seeing some bigger numbers. Additionally, the majority of the sample came from these industries: financial, services, industrial, and technology.
What this means for small businesses
Because the findings are reported based on averages, it might be hard for small businesses to see themselves in the findings. If that sounds like you, we encourage you to pay attention to the trends in how breaches happen and the impacts they have on businesses, rather than the dollar amount reported.
For example, while it’s unlikely that a phishing attack will cost your business the average ($4.91 million), it is likely that your organisation will face phishing attacks, because they are one of the most common sources of breaches. So, the trends and recommendations will hopefully be useful to you, even if the cost seems unrealistic.
Data breaches in Scandinavia
To put the numbers into perspective locally, Scandinavian companies made up 4% of the sample studied this year. Interestingly, the average cost of a data breach decreased among Scandinavian companies this year. In 2021, the average cost of a breach in Scandinavia was $2.67 million, while this year the average cost was $2.08 million. Only Brazil and Turkey had lower average breach costs than Scandinavia.
Cyber-attacks involving data breaches are becoming more common. The cost of recovering from these attacks is increasing, too.
- In 2009, estimates showed that a cyber-attack happened every 39 seconds
- In 2022, the frequency of attacks increased to once every 11 seconds
Since data breaches are happening more often and costing companies more money, it’s safe to say that we should pay attention to this issue.
Most organisations have experienced multiple security breaches
Of the organisations IBM studied for their 2022 report, 83% experienced more than one data breach. Can you imagine having to pay over $4 million to recover from a cyber-attack, more than one time?
As a result of how expensive data breaches are, 60% of businesses had to increase the prices of their products or services. This is bad news for businesses. Higher prices on top of a loss of customer trust can push customers away, towards competitors.
Cyber criminals are smart. They know what kinds of businesses have the most to lose from a data breach and who can afford to pay ransom requests. Big organisations also end up receiving the largest fines for breaking the GDPR.
With this in mind, it makes sense that big organisations, such as healthcare companies, suffer the highest costs when they experience data breaches. Think about all the personal information about patients that hackers can gain access to. Healthcare organisations need access to patients’ records in order to care for them. Plus, they need to keep their patients’ trust when it comes to their personal health information. The amount of sensitive data healthcare organisations have, and their willingness to pay for control of these records, make healthcare organisations a big target for expensive data breaches.
In fact, the cost of a data breach for a healthcare organisation is more than double the overall average in 2022, at $10.10 million.
Critical services pay a higher price
In addition to healthcare companies, other critical infrastructure organisations are susceptible to data breaches with price tags higher than the average cost of a breach. Critical infrastructure organisations include the following sectors: financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries.
Small organisations are also vulnerable
Even though larger companies are more obvious targets for cyber criminals, small businesses also suffer greatly from data breaches. Six months after experiencing a breach, 60% of small companies have to completely shut down. Since small businesses lack the massive IT security budgets and institutional resources that large companies have, they are more vulnerable to business-ending breaches.
This makes sense, especially given that organisations usually pass the consequences of the breach onto their customers in the form of higher prices. It’s easy for customers to choose a new business partner when they lose trust in the company due to a breach, and when the company starts to increase their prices.
To reduce the risk of your organisation falling victim to a data breach, you need to know how data breaches occur in the first place. The three most common sources of data breaches in 2022 are:
Any organisation should make it their goal to ensure that their employees are aware of how breaches usually happen, and how to prevent them.
The most frequent way that hackers get into a company’s system is by getting access to an employee’s account information.
These kinds of attacks are the most common, and unfortunately, they also take the longest amount of time to resolve. In 2022, these breaches took an average of 327 days in total to detect and contain.
To reduce the risk of a breach caused by compromised credentials, it’s important to have strong passwords and know the signs of a phishing email. One way to help your employees recognize phishing emails is through phishing training. You can also add an extra line of defence through either two-factor authentication, password managers, or a combination of both to further increase the cyber security in your organisation.
Phishing is one of the most expensive methods of attack, costing an average of $4.91 million per breach.
This again highlights the importance of aware employees who can spot a phishing email.
Recovering from a data breach involves both direct costs and indirect costs. For example, direct costs can include the need to hire an IT forensic team to investigate the breach and repair damaged systems. One big indirect cost is the reputational harm businesses experience after being victims of a breach. Below you can see the different cost areas involved in a breach.
- 33%: lost business costs - reputational harm
- 33%: detection and escalation of the breach - audits and investigations
- 27%: post-breach response - services for victims, e.g., help desk and credit monitoring
- 7%: notification - letting customers and regulators know about the breach via mail, telephone, email, etc.
Let’s dig into the biggest cost area, lost business, a bit further. Regardless of how big your company is, lost business is surely a big threat to your organisation’s future.
Lost business is a major cost
Lost business is a big factor in the overall cost of a data breach. It costs an average of $1.42 million per breach.
Put yourself in a customer’s shoes. As you hear news of the data breach, you begin to lose trust in the business that experienced the cyber-attack. If you are a current customer, you may wish to stop doing business with them. If you are a prospective customer, you might choose a different vendor that provides the same service.
The bottom line is that data breaches are bad for business.
Even after the company recovers all the sensitive data, it can take years for them to regain customers’ trust.
Beyond that, many businesses also suffer lost revenues from the time that their services were down during the breach, leaving customers without access. This is especially the case in ransomware attacks, where the ransomware brings a business “offline” for a period of time.
The total cost of a breach depends mostly on how efficiently an organisation can respond to it. The faster you can react to a breach, the less expensive it will be to manage. A few factors that impact the cost of a breach are:
- Existing security and detection practices
- How long it takes to find and contain the breach
- The amount of information that is compromised
- Safeguards the company puts in place after the breach to protect its own data and the people whose information was compromised during the attack
Having a breach response plan ready before an incident happens can help your organisation save time once a breach occurs, so it is well worth preparing one.
Also, a breach can become more expensive when ransom is involved, which is often the case in ransomware attacks. That’s because the company must recover from the breach itself and potentially pay a ransom to the cyber criminals. Without paying the ransom, the company may have trouble regaining access to its systems and important files.
Because of the added cost, ransomware attacks are more expensive to recover from than breaches that do not involve ransomware. In 2022, 11% of breaches involved ransomware.
Although it can seem like you have to pay the ransom if you are part of a ransomware attack, we do not suggest sending money to the cyber criminals. This is because you might not get your data back in its original condition and your willingness to pay could encourage future attacks. The best thing you can do is prevent an attack.
We all know the saying, “time is money.” Seriously though – when it comes to data breaches, every day a breach goes undetected, the cost of resolving it increases.
The reality is that it takes much longer to identify a breach than it takes to contain one, but both processes can be lengthy. In 2022, it took an average of 207 days to identify a breach and 70 days to contain the breach. In other words, an average breach takes about ¾ of a year to recover from. Detecting breaches is easier if you use practices such as SIEM and log management. Technical solutions like these can be useful for smaller organisations, which may have fewer human resources in the IT department.
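The paragraph above says that SIEM and log management make breaches easier to spot, and earlier the post notes that compromised credentials are both the most common and the slowest-to-detect source of breaches. As an added illustration (this is not code from the blog, from CyberPilot, or from IBM's report), the Python below runs two simple detection rules over a handful of constructed authentication log lines: a burst of failed logins for one account from one source that is immediately followed by a success, and a successful login from a source address that is not in a known baseline for that user. The log format, the `KNOWN_SOURCES` baseline, the thresholds and all addresses are assumptions made for the example; a real SIEM rule would be tuned to your own log sources and volumes.

```python
"""Two small detection rules over authentication logs, as a defender would
express them in a SIEM or log-management tool. Everything here is constructed
for illustration: the log format is a hypothetical key=value layout, the
addresses are documentation ranges, and the baseline is invented."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real traffic). Alice's account sees five
# failures from one address and then a success; Bob has one typo then logs in.
SAMPLE_LOG = [
    "2022-08-01T09:00:01Z auth FAIL user=alice src=203.0.113.7",
    "2022-08-01T09:00:03Z auth FAIL user=alice src=203.0.113.7",
    "2022-08-01T09:00:05Z auth FAIL user=alice src=203.0.113.7",
    "2022-08-01T09:00:07Z auth FAIL user=alice src=203.0.113.7",
    "2022-08-01T09:00:09Z auth FAIL user=alice src=203.0.113.7",
    "2022-08-01T09:00:12Z auth OK user=alice src=203.0.113.7",
    "2022-08-01T09:15:00Z auth OK user=bob src=198.51.100.20",
    "2022-08-01T10:30:00Z auth FAIL user=bob src=198.51.100.20",
    "2022-08-01T10:30:30Z auth OK user=bob src=198.51.100.20",
]

# Hypothetical baseline of addresses each user normally logs in from.
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.20"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # a production parser would count and report these
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_credential_abuse(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a (user, src) pair has >= threshold failures inside `window`
    and then a successful login: the classic guessed-or-stuffed-password trace."""
    recent_fails = defaultdict(deque)  # (user, src) -> failure timestamps in window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        q = recent_fails[key]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:  # success right after a burst of failures
            alerts.append({
                "rule": "failures_then_success",
                "user": ev["user"],
                "src": ev["src"],
                "fail_count": len(q),
                "seconds_to_success": (ev["ts"] - q[0]).total_seconds(),
            })
        q.clear()  # a successful login resets the counter for this pair
    return alerts


def detect_new_source_logins(lines, known_sources):
    """Alert on a successful login from an address not in the user's baseline."""
    seen = {user: set(srcs) for user, srcs in known_sources.items()}  # do not mutate input
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "OK":
            continue
        if ev["src"] not in seen.setdefault(ev["user"], set()):
            alerts.append({"rule": "new_source", "user": ev["user"], "src": ev["src"]})
            seen[ev["user"]].add(ev["src"])  # one alert per new (user, src) pair
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_abuse(SAMPLE_LOG) + detect_new_source_logins(SAMPLE_LOG, KNOWN_SOURCES):
        print(alert)
```

On the sample data both rules fire for Alice's account and neither fires for Bob, which is the point of combining them: a single rule gives you a lead, two independent rules agreeing on the same account and address is something a small IT team can act on quickly, which is what shortens the 207-day identification time the report describes.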
We all enjoy the flexibility of working from home. However, it can take longer to detect and contain a data breach when large parts of a company are working remotely.
Breaches involving remote work cost an average of $1 million more than breaches where remote work was not a factor.
The truth is that remote work is a regular part of our work culture today. To maintain data security while working from home, it is important that businesses protect their systems and their remote employees. Security measures like asset management tools can help increase your protection if remote work is common in your organisation.
If a data breach happens in your organisation, the GDPR has a few requirements related to notifications you must give. For example, you have to notify the national supervisory authority immediately and no more than 72 hours after you become aware of the breach, unless it is highly unlikely that personal data was compromised during the breach. In this notification, you’ll have to describe the nature of the breach, the type and amount of data compromised, the contact information of your Data Protection Officer, the expected consequences, and the actions you have already taken or plan to take in response. You’ll also have to notify the individuals whose data was impacted by the breach without unnecessary delay if you decide they could be at high risk.
So, we’ve covered how breaches happen and why they’re so expensive. Now, let’s move on to ways you can protect your organisation from breaches and reduce the cost of a breach if it does happen.
It goes without saying that the best way to reduce the cost of a breach is to avoid one in the first place. Preventing data breaches is a big topic, so we won’t go into too much depth on it in this post. We cover a lot of different prevention methods in depth in other blog posts. Some examples of ways you can prevent a breach are:
- Make sure the software on all your devices is up to date
- Train your staff to be aware of security best practices
- Conduct risk assessments
- Encrypt personal data
- Encourage the use of strong account credentials/passwords
Adopting these practices can strengthen your security culture and make your organisation less vulnerable to a security breach.
Hopefully, your organisation will not be the victim of a data breach. But, since data breaches are on the rise, it is likely that your organisation could be the target of a breach.
We’ve learned that our employees are our biggest resource when it comes to preventing and detecting data breaches. One way to reduce the likelihood and cost of a breach occurring in your company is to create a strong cyber security culture. Since many data breaches happen because of human error, like clicking on a link in a suspicious email, employees are our first line of defence.
But how can you reduce human error? Aware employees are less likely to make the mistakes that lead to data breaches. That’s why it’s important to create and maintain awareness about cyber security and proper data handling in your organisation. It can be done in many ways, for example through awareness training activities, simulations, and regular exposure to keep your employees sharp. A few ways CyberPilot can help you achieve a stronger security culture are:
- Free best practice posters/digital screensavers to keep in your office
- Awareness training that is quick and pain-free, with new lessons available regularly to keep your employees updated on new security threats they should know about
- Phishing training that exposes your employees to simulated phishing attacks, teaching them to recognise a phishing email in a low-stakes scenario
Building a strong security culture does not have to be hard or time consuming. Plus, it can really reduce your risk of a data breach. Aware employees are safe employees, and when it comes to data breaches – that’s a cost you want to avoid.