The global average breach cost reached $4.45 million, with detection and escalation the most expensive component—indicating a shift toward more extended and complex investigations.
The global average cost of a data breach set an all-time record high in 2023, reaching $4.45 million, a 2.3% increase from 2022 and a 15.3% increase from 2020, according to IBM's "Cost of a Data Breach" report, which concludes that organizations must invest in cybersecurity to limit damage.
The 2023 research, conducted independently by Ponemon Institute and sponsored, analyzed and published by IBM Security, studied 553 organizations impacted by data breaches that occurred between March 2022 and March 2023.
Organizations that detected breaches themselves were able to reduce the impact to the firm, the report found. However, only one-third of companies surveyed discovered the data breach through their own security teams, and approximately 67% of breaches were reported to firms by a benign third party or by attackers.
Further, when attackers disclosed a breach, it cost organizations nearly $1 million more per incident than when detected internally, the report said.
Identifying and containing a breach disclosed by an attacker required a mean time of 320 days, 80 days longer than breaches identified internally and 47 days longer than breaches identified by a benign third party.
The report identified three ways organizations can help mitigate the effects and costs of a cyber breach:
1) Involve law enforcement. Organizations that involved law enforcement in a ransomware attack saved money and shortened the lifecycle of the breach compared to those that didn't. Neglecting to involve law enforcement incurred an additional $470,000 in expenses on average.
Approximately 63% of respondents said they involved law enforcement, while the 37% that didn't paid 9.6% more and experienced a 33-day longer breach lifecycle.
2) Explore artificial intelligence (AI). Organizations that extensively used AI and automation security capabilities within their approach experienced, on average, a 108-day shorter time to identify and contain the breach, the report said. These organizations also reported $1.76 million lower data breach costs compared to organizations that didn't.
3) Focus on incident response (IR) planning and testing. Organizations that reported high levels of IR planning and testing saved $1.49 million over the year compared to those reporting low levels. Yet, only 51% of organizations surveyed plan to increase security investments following a breach, with others focusing on IR planning and testing, employee training, and threat detection and response technologies, according to the report.
Despite the growing overall expense of cyberattacks, lost business costs hit a five-year low, the report said. In contrast, detection and escalation costs were the costliest category of data breach expenses, increasing from $1.44 million in 2022 to $1.58 million in 2023. This is indicative of a shift toward more extended and complex breach investigations, including forensic and investigative activities, assessment and audit services, crisis management and communications to executives and boards.
Since 2020, healthcare data breach costs have increased by 53.3%, and for the 13th year in a row, the industry reported the most expensive data breaches at an average cost of $10.93 million. Cloud environments were also frequent targets for cyber attackers in 2023, comprising 82% of reported attacks in public, private or multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than-average cost of $4.75 million, the report said.
The impact of these costs is felt primarily by customers and consumers, with the majority (57%) of respondents indicating that data breaches led to increased pricing of their business offerings.
Olivia Overman is IA content editor.