
New IBM Report - The Real Cost Of A Data Breach In 2023

By: Sarah Hofmann GDPR | 8 November

Every year, the cost of a security breach gets higher and higher. This year is no exception, according to IBM’s 2023 Cost of a Data Breach report. This blog post uses the latest data to uncover how much a cyberattack could cost your organisation. We also highlight trends in data breaches you should be aware of. Though the topic is heavy, we’ll end on a lighter note with actionable recommendations you can use to improve your organisation’s security and reduce your risk of a data breach.

Short Summary

  • Data breaches are becoming more common and more expensive every year. The average cost of a data breach in 2023 was $4.35 million.
  • While every kind of organization is vulnerable to data breaches, those providing critical infrastructure and healthcare services are big targets.
  • Small businesses are also vulnerable to data breaches, and the consequences can be devastating, often leading to complete shutdowns.
  • The most common sources of data breaches are compromised account credentials, phishing, and cloud misconfigurations.
  • To prevent data breaches, organizations should prioritize good security practices and educate their employees.


Recent trends in data breaches

In 2023, the average data breach costs $4.45 million

If this sounds like a lot of money, you’re not alone. This cost is nearly a 15.3% increase from the cost of a data breach in 2020. So, data breaches cost a lot and are getting more expensive every year. Since data breaches cost so much money, preventing one by maintaining good security practices should be a priority.

What changed from last year

Compared to the 2022 report, data breaches got more expensive in 2023. Last year, the average cost of a breach was $4.35 million, and this year the average cost is $4.45 million. One explanation for the higher cost is the increase in prices paid by healthcare companies, which increased by $830,000 this year.

This year’s report also offers insight into the effect of extensive security AI and automation on the financial impact of a breach. 

Finally, last year, compromised credentials were the most common source of data breaches. This year, phishing moved into the leading spot by a small margin over stolen credentials.
Now that we’ve covered some of the main findings from IBM’s 2023 report, let’s talk about how the report was made. Next, we’ll quickly go over IBM’s survey methods and what they found about security breaches in Scandinavia. 

How the report is made

To gather data for the report, IBM interviewed 3,600 people from 550 organisations across the world. To best calculate the average cost of a breach, IBM excluded the smallest and largest data breaches, although their report has a section on mega breaches if you are interested in seeing some bigger numbers. Additionally, the majority of the sample came from these industries: financial, services, industrial, and technology.

What this means for small businesses

Because the findings are reported based on averages, it might be hard for small businesses to see themselves in the findings. If that sounds like you, we encourage you to pay attention to the trends in how breaches happen and the impacts they have on businesses, rather than the dollar amount reported.

For example, while it’s unlikely that a phishing attack will cost your business the average ($4.91 million), it is likely that your organisation will face phishing attacks, because they are one of the most common sources of breaches. So, the trends and recommendations will hopefully be useful to you, even if the cost seems unrealistic.

Data breaches in Scandinavia

To put the numbers into perspective locally, Scandinavian companies made up 4% of the sample studied this year. Interestingly, the average cost of a data breach decreased among Scandinavian companies this year. In 2021, the average cost of a breach in Scandinavia was $2.67 million, while this year the average cost was $2.08 million. Only Brazil and Turkey had lower average breach costs than Scandinavia.

Data breaches are becoming more common

Cyber-attacks involving data breaches are becoming more common. The cost of recovering from these attacks is increasing, too.

  • In 2009, estimates showed that a cyber-attack happened every 39 seconds

  • In 2022, the frequency of attacks increased to once every 11 seconds

Since data breaches are happening more often and costing companies more money, it’s safe to say that we should pay attention to this issue.

Smaller organisations faced higher data breach costs than last year

In IBM’s 2023 report, it is clear that smaller organisations faced a much sharper increase in the cost of data breaches. Here are some numbers from the report:

  • Organisations with fewer than 500 employees reported that the average impact of a data breach increased to USD 3.31 million, a 13.4% increase from 2022.
  • Those with 500–1,000 employees saw an increase of 21.4%, from USD 2.71 million to USD 3.29 million.
  • In the 1,001–5,000 employee range, the average cost of a data breach increased from USD 4.06 million to USD 4.87 million, rising nearly 20%.

This is bad news for businesses. Higher costs on top of a loss of customer trust can push customers away, towards competitors. 


All types of organisations are vulnerable to data breaches

Big organisations, especially in healthcare, are common targets

Cyber criminals are smart. They know what kinds of businesses have the most to lose from a data breach and who can afford to pay ransom requests. Big organisations also end up receiving the largest fines for breaking the GDPR.

With this in mind, it makes sense that big organisations, such as healthcare companies, suffer the highest costs when they experience data breaches. Think about all the personal information about patients that hackers can gain access to. Healthcare organisations need access to patients’ records in order to care for them. Plus, they need to keep their patients’ trust when it comes to their personal health information. The amount of sensitive data healthcare organisations have, and their willingness to pay for control of these records, make healthcare organisations a big target for expensive data breaches.

In fact, the cost of a data breach for a healthcare organisation is more than double the overall average in 2023, at $10.93 million.


Critical services pay a higher price

In addition to healthcare companies, other critical infrastructure organisations are susceptible to data breaches with price tags higher than the average cost of a breach. Critical infrastructure organisations include the following sectors: financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries.        

Small organisations are also vulnerable

Even though larger companies are more obvious targets for cyber criminals, small businesses also suffer greatly from data breaches. Six months after experiencing a breach, 60% of small companies have to completely shut down. Since small businesses lack the massive IT security budgets and institutional resources that large companies have, they are more vulnerable to business-ending breaches.

This makes sense, especially given that organisations usually pass the consequences of the breach onto their customers in the form of higher prices. It’s easy for customers to choose a new business partner when they lose trust in the company due to a breach, and when the company starts to increase their prices.

How data breaches happen

To reduce the risk of your organisation falling victim to a data breach, you need to know how data breaches occur in the first place. The three most common sources of data breaches in 2023 are:

  • Phishing

  • Compromised account credentials
  • Cloud misconfiguration

Any organisation should make it their goal to ensure that their employees are aware of how breaches usually happen, and how to prevent them.

Phishing and compromised account credentials are the most common causes

The most frequent way that hackers get into a company’s system is by getting access to an employee’s account information.


These kinds of attacks are the most common, and unfortunately, they also take the longest amount of time to resolve. In 2022, these breaches took an average of 327 days in total to detect and contain.

To reduce the risk of a breach caused by compromised credentials, it’s important to have strong passwords and know the signs of a phishing email. One way to help your employees recognize phishing emails is through phishing training. You can also add an extra line of defence through either two-factor authentication, password managers, or a combination of both to further increase the cyber security in your organisation.

Phishing is one of the most expensive methods of attack, costing an average of $4.91 million per breach. 

This again highlights the importance of aware employees who can spot a phishing email. 


How much data breaches cost and why they’re so expensive

Breaking down the cost of a data breach

Recovering from a data breach involves both direct costs and indirect costs. For example, direct costs can include the need to hire an IT forensic team to investigate the breach and repair damaged systems. One big indirect cost is the reputational harm businesses experience after being victims of a breach. Below you can see the different cost areas involved in a breach.

  • 33%: lost business costs - reputational harm
  • 33%: detection and escalation of the breach - audits and investigations
  • 27%: post-breach response - services for victims, e.g., help desk and credit monitoring
  • 7%: notification - letting customers and regulators know about the breach via mail, telephone, email, etc.


Cost of a data breach 2022

Let’s dig into the biggest cost area, lost business, a bit further. Regardless of how big your company is, lost business is surely a big threat to your organisation’s future.

Lost business is a major cost

Lost business is a big factor in the overall cost of a data breach. It costs an average of $1.42 million per breach.

Put yourself in a customer’s shoes. As you hear news of the data breach, you begin to lose trust in the business that experienced the cyber-attack. If you are a current customer, you may wish to stop doing business with them. If you are a prospective customer, you might choose a different vendor that provides the same service.

The bottom line is that data breaches are bad for business.

Even after the company recovers all the sensitive data, it can take years for them to regain customers’ trust.

Beyond that, many businesses also suffer lost revenues from the time that their services were down during the breach, leaving customers without access. This is especially the case in ransomware attacks, where the ransomware brings a business “offline” for a period of time.

Some factors make a data breach more expensive

The total cost of a breach depends mostly on how efficiently an organisation can respond to it. The faster you can react to a breach, the less expensive it will be to manage. A few factors that impact the cost of a breach are:

  • Existing security and detection practices

  • How long it takes to find and contain the breach

  • The amount of information that is compromised

  • Safeguards the company puts in place after the breach to protect its own data and the people whose information was compromised during the attack

Having a breach response plan in place can help your organisation save time once a breach occurs, so it wouldn’t hurt to have one in place.

Ransomware attacks include additional costs, making them more expensive

Also, a breach can become more expensive when ransom is involved, which is often the case in ransomware attacks. That’s because the company must recover from the breach itself and potentially pay a ransom to the cyber criminals. Without paying the ransom, the company may have trouble regaining access to its systems and important files.

Because of the added cost, ransomware attacks are more expensive to recover from than breaches that do not involve ransomware. In 2022, 11% of breaches involved ransomware.

Although it can seem like you have to pay the ransom if you are part of a ransomware attack, we do not suggest sending money to the cyber criminals. This is because you might not get your data back in its original condition and your willingness to pay could encourage future attacks. The best thing you can do is prevent an attack.


The faster you can respond, the less a breach will cost you

We all know the saying, “time is money.” Seriously though – when it comes to data breaches, every day a breach goes undetected, the cost of resolving it increases.

The reality is that it takes much longer to identify a breach than it takes to contain one, but both processes can be lengthy. In 2022, it took an average of 207 days to identify a breach and 70 days to contain the breach. In other words, an average breach takes about ¾ of a year to recover from. Detecting breaches is easier if you use practices such as SIEM and log management. Technical solutions like these can be useful for smaller organisations, which may have fewer human resources in the IT department. 

AI and automation help identify and contain data breaches

AI and automation have been a central topic throughout 2023, and they have also shown a positive impact on data breaches: organisations using security AI and automation identified and contained a data breach 108 days faster than organisations that did not use them.

This means identifying and containing a breach with extensive use of security AI and automation took just 66% of the time it took organizations with no use. 

In the 2023 report, only 28% of organizations used security AI and automation extensively in their operations, which means many organizations have a significant opportunity to improve their speed, accuracy and efficiency. Extensive use of security AI and automation saved nearly USD 1.8 million in data breach cost and accelerated the time to identify and contain a breach by more  


Data breaches, personal data, and the GDPR

If a data breach happens in your organisation, the GDPR has a few requirements related to notifications you must give. For example, you have to notify the national supervisory authority immediately and no more than 72 hours after you become aware of the breach, unless it is highly unlikely that personal data was compromised during the breach. In this notification, you’ll have to describe the nature of the breach, the type and amount of data compromised, the contact information of your Data Protection Officer, the expected consequences, and the actions you have already taken or plan to take in response. You’ll also have to notify the individuals whose data was impacted by the breach without unnecessary delay if you decide they could be at high risk.
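The notification rules described above can be turned into a small checklist that tells you what is due, by when, and what your draft notice still lacks. This is an added example written for this post, not code from CyberPilot or IBM; the risk labels, field names and the sample breach are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical helper written for this post; not code from CyberPilot or IBM.
NOTIFY_WINDOW = timedelta(hours=72)

# Content the authority notification must contain, as listed in the text above.
REQUIRED_FIELDS = ("nature", "data_types", "data_amount",
                   "dpo_contact", "consequences", "measures")


@dataclass
class Breach:
    aware_at: str                  # ISO 8601 timestamp of when you became aware
    risk: str                      # "unlikely", "likely" or "high" (constructed labels)
    notice: dict = field(default_factory=dict)   # draft notification fields


def authority_deadline(b: Breach) -> datetime:
    """Latest time to notify the supervisory authority: awareness + 72 hours."""
    return datetime.fromisoformat(b.aware_at) + NOTIFY_WINDOW


def must_notify_authority(b: Breach) -> bool:
    # Required unless it is highly unlikely that personal data was compromised.
    return b.risk != "unlikely"


def must_notify_individuals(b: Breach) -> bool:
    # Affected people are told without undue delay only when the risk is high.
    return b.risk == "high"


def missing_fields(b: Breach) -> list:
    return [f for f in REQUIRED_FIELDS if not b.notice.get(f)]


def notification_status(b: Breach, now_iso: str) -> dict:
    """What is due, by when, and what the draft notice still lacks."""
    now = datetime.fromisoformat(now_iso)
    deadline = authority_deadline(b)
    return {
        "notify_authority": must_notify_authority(b),
        "notify_individuals": must_notify_individuals(b),
        "deadline": deadline.isoformat(),
        "hours_left": round((deadline - now).total_seconds() / 3600, 1),
        "overdue": must_notify_authority(b) and now > deadline,
        "missing_fields": missing_fields(b),
    }


if __name__ == "__main__":
    # Constructed sample: aware Monday 09:00 UTC, status checked Wednesday 15:00 UTC.
    sample = Breach("2023-11-06T09:00:00+00:00", "high",
                    {"nature": "Phishing led to a mailbox takeover",
                     "dpo_contact": "dpo@example.org"})
    print(notification_status(sample, "2023-11-08T15:00:00+00:00"))
```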

So, we’ve covered how breaches happen and why they’re so expensive. Now, let’s move on to ways you can protect your organisation from breaches and reduce the cost of a breach if it does happen.

Steps you can take to prevent breaches and reduce costs

Preventing data breaches

It goes without saying that the best way to reduce the cost of a breach is to avoid one in the first place. Preventing data breaches is a big topic, so we won’t go into too much depth on it in this post. We cover a lot of different prevention methods in depth in other blog posts. Some examples of ways you can prevent a breach are:

Adopting these practices can strengthen your security culture and make your organisation less vulnerable to a security breach.


Reducing the likelihood and cost of a data breach

Hopefully, your organisation will not be the victim of a data breach. But, since data breaches are on the rise, it is likely that your organisation could be the target of a breach.

We’ve learned that our employees are our biggest resource when it comes to preventing and detecting data breaches. One way to reduce the likelihood and cost of a breach occurring in your company is to create a strong cyber security culture. Since many data breaches happen because of human error, like clicking on a link in a suspicious email, employees are our first line of defense.

But how can you reduce human error? Aware employees are less likely to make the mistakes that lead to data breaches. That’s why it’s important to create and maintain awareness about cyber security and proper data handling in your organisation. It can be done in many ways, for example through awareness training activities, simulations, and regular exposure to keep your employees sharp. A few ways CyberPilot can help you achieve a stronger security culture are:

Building a strong security culture does not have to be hard or time consuming. Plus, it can really reduce your risk of a data breach. Aware employees are safe employees, and when it comes to data breaches – that’s a cost you want to avoid.       
