New IBM Report - The Real Cost Of A Data Breach In 2024

Every year, the cost of a security breach gets higher and higher. This year is no exception, according to IBM’s 2024 Cost of a Data Breach report. This blog post uses the latest data to uncover how much a cyberattack could cost your organisation. We also highlight trends in data breaches you should be aware of. Though the topic is heavy, we’ll end on a lighter note with actionable recommendations you can use to improve your orgnaisation’s security and reduce your risk of a data breach.

If this sounds like a lot of money, you’re not alone. This cost is nearly a 26.4% increase from the cost of a data breach in 2020. So, data breaches cost a lot and are getting more expensive every year. Since data breaches cost so much money, preventing one by maintaining good security practices should be a priority.

What changed from last year

Compared to the 2023 report, data breaches got more expensive in 2024. Last year, the average cost of a breach was $4.45 million, and this year the average cost is $4.88 million. One explanation for the higher cost is the increase in prices paid by healthcare companies.

This year’s report also offers insight into the effect of extensive security AI and automation on the financial impact of a breach.  
 
Now that we’ve covered some of the main findings from IBM’s 2024 report, let’s talk about how the report was made. Next, we’ll quickly go over IBM’s survey methods and what they found about security breaches in Scandinavia. 

How the report is made

To gather data for the report, IBM interviewed 3,556 people from 604 organisations across the world. To best calculate the average cost of a breach, IBM excluded the smallest and largest data breaches, although their report has a section on mega breaches if you are interested in seeing some bigger numbers. Additionally, the majority of the sample came from these industries: financial, services, industrial, and technology.

What this means for small businesses

Because the findings are reported based on averages, it might be hard for small businesses to see themselves in the findings. If that sounds like you, we encourage you to pay attention to the trends in how breaches happen and the impacts they have on businesses, rather than the dollar amount reported.

For example, while it’s unlikely that a phishing attack will cost your business the average ($4.91 million), it is likely that your organisation will face phishing attacks, because they are one of the most common sources of breaches. So, the trends and recommendations will hopefully be useful to you, even if the cost seems unrealistic.

Data breaches in Scandinavia

IBM dropped Scandinavia from the study this year. But we can use last year's data as a reference point.

To put the numbers into perspective locally, Scandinavian companies made up 4% of the sample studied last year. Interestingly, the average cost of a data breach decreased among Scandinavian companies that year. In 2021, the average cost of a breach in Scandinavia was $2.67 million, while in 2023 the average cost was $2.08 million. Only Brazil and Turkey had lower average breach costs than Scandinavia.

• In 2009, estimates showed that a cyber-attack happened every 39 seconds

• In 2022, the frequency of attacks increased to once every 11 seconds

Since data breaches are happening more often and costing companies more money, it’s safe to say that we should pay attention to this issue.

Smaller organizations face increasing data breach costs 

In IBM’s 2023 report it-is clear that organizations face a much higher increse in the cost of data braches. Here are some numbers from the report:  

• Organizations with fewer than 500 employees reported that the average impact of a data breach increased to USD 3.31 million or a 13.4% increase from 2022. 
• Those with 500–1,000 employees saw an increase of 21.4%, from USD 2.71 million to USD 3.29 million.  
• In the 1,001– 5,000 employee range, the average cost of a data breach increased from USD 4.06 million to USD 4.87 million, rising nearly 20%.  

This is bad news for businesses. Higher costs on top of a loss of customer trust can push customers away, towards competitors. 

Cyber criminals are smart. They know what kinds of businesses have the most to lose from a data breach and who can afford to pay ransom requests. Big organisations also end up receiving the largest fines for breaking the GDPR.

With this in mind, it makes sense that big organisations, such as healthcare companies, suffer the highest costs when they experience data breaches. Think about all the personal information about patients that hackers can gain access to. Healthcare organisations need access to patients’ records in order to care for them. Plus, they need to keep their patients’ trust when it comes to their personal health information. The amount of sensitive data healthcare organisations have, and their willingness to pay for control of these records, make healthcare organisations a big target for expensive data breaches.

In fact, the cost of a data breach for a healthcare organisation is more than double the overall average in 2024, at $9.77 million.

Even though larger companies are more obvious targets for cyber criminals, small businesses also suffer greatly from data breaches. Six months after experiencing a breach, 60% of small companies have to completely shut down. Since small businesses lack the massive IT security budgets and institutional resources that large companies have, they are more vulnerable to business-ending breaches.

This makes sense, especially given that organisations usually pass the consequences of the breach onto their customers in the form of higher prices. It’s easy for customers to choose a new business partner when they lose trust in the company due to a breach, and when the company starts to increase their prices.

• Phishing

• Compromised account credentials

• Malicious insiders

Any organisation should make it their goal to ensure that their employees are aware of how breaches usually happen, and how to prevent them.

The most frequent way that hackers get into a company’s system is by getting access to an employee’s account information.

These kinds of attacks are the most common, and unfortunately, they also take the longest amount of time to resolve. 

To reduce the risk of a breach caused by compromised credentials, it’s important to have strong passwords and know the signs of a phishing email. One way to help your employees recognize phishing emails is through phishing training. You can also add an extra line of defence through either two-factor authentication, password managers, or a combination of both to further increase the cyber security in your organisation.

• 30%: lost business costs - reputational harm
• 33%: detection and escalation of the breach - audits and investigations
• 27%: post-breach response - services for victims, e.g., help desk and credit monitoring
• 8%: notification - letting customers and regulators know about the breach via mail, telephone, email, etc.

Lost business is a big factor in the overall cost of a data breach. It costs an average of $1.47 million per breach.

Put yourself in a customer’s shoes. As you hear news of the data breach, you begin to lose trust in the business that experienced the cyber-attack. If you are a current customer, you may wish to stop doing business with them. If you are a prospective customer, you might choose a different vendor that provides the same service.

The bottom line is that data breaches are bad for business.

Even after the company recovers all the sensitive data, it can take years for them to regain customers’ trust.

Beyond that, many businesses also suffer lost revenues from the time that their services were down during the breach, leaving customers without access. This is especially the case in ransomware attacks, where the ransomware brings a business “offline” for a period of time.

• Existing security and detection practices

• How long it takes to find and contain the breach

• The amount of information that is compromised

• Safeguards the company puts in place after the breach to protect its own data and the people whose information was compromised during the attack

Having a breach response plan in place can help your organisation save time once a breach occurs, so it wouldn’t hurt to have one in place.

AI and automation has been a central topic throughout 2024. And it is have also shown an positive impact on data breaches because with AI and automation organization are 100 days faster to identify and contain a data breach than organizations with no use. 

This means identifying and containing a breach with extensive use of security AI and automation took just 61% of the time it took organizations with no use. 

In the 2024 report, only 31% of organizations used security AI and automation extensively in their operations, which means many organizations have a significant opportunity to improve their speed, accuracy and efficiency. Extensive use of security AI and automation saved nearly USD 1.88 million in data breach cost and accelerated the time to identify and contain a breach.