The Costs of Data Breaches in 2022
Insights on IBM’s annual Cost of a Data Breach Report and strategies that can help organizations minimize data breach risks
Data Breaches by the Numbers
The report shows that the average cost of a data breach increased 2.6%, from $4.24 million in 2021 to $4.35 million in 2022. The average cost has climbed 12.7% from the $3.86 million reported in 2020.
There was some slightly good news in the report—the average time to identify and contain a data breach has decreased from 287 days in 2021 to 277 days in 2022. In 2022 it took an average of 207 days to identify the breach and 70 days to contain the breach. In comparison, in 2021 it took an average of 212 days to identify the breach and 75 days to contain the breach. However, that’s still a concerning length of time. The report also found that nearly 50% of breach costs are incurred more than a year after the breach occurs.
How the Data Breaches Were Made
Looking at how the attacks were carried out, the report found that stolen or compromised credentials were the most common initial attack vector, responsible for 19% of breaches. Phishing was responsible for 16% of breaches, and cloud misconfiguration for 15%.
The report looked at 550 organizations impacted by data breaches that occurred between March 2021 and March 2022. The breaches occurred across 17 countries and regions and in 17 different industries. Worryingly, the report found that 83% of the organizations studied had more than one data breach. Also of concern were the findings that 19% of the breaches occurred because of a compromise with a business partner. In addition, 45% of the breaches were cloud-based. Breaches caused by stolen or compromised credentials had an average cost of $4.50 million. These breaches had the longest lifecycle—243 days to identify the breach, and another 84 days to contain the breach. Phishing was the costliest, averaging $4.91 million in breach costs.
Average Cost of Data Breaches
The report also included 13 companies that had experienced a data breach involving the loss or theft of 1 million to 60 million records. The average cost of a mega breach, which involves 50 million to 60 million records, was a whopping $387 million.
The average cost of a data breach for critical infrastructure organizations studied was $4.82 million—$1 million more than the average cost for organizations in other industries. Critical infrastructure organizations included those in the financial services, industrial, technology, energy, transportation, communication, healthcare, education, and public sector industries. Twenty-eight percent experienced a destructive or ransomware attack, while 17% experienced a breach because of a business partner being compromised.
11% of breaches in the study were ransomware attacks, an increase from 2021 when 7.8% of breaches were ransomware. The average cost of a ransomware attack went down slightly, from $4.62 million in 2021 to $4.54 million in 2022. This cost was slightly higher than the overall average total cost of a data breach, $4.35 million. The $4.54 million figure does not include the cost of the ransom itself.
Interestingly, the study found that ransomware victims who opted to pay the ransom demand saw only $610,000 less in average breach costs than those that chose not to pay (again, the figure doesn’t include the cost of the ransom itself). For organizations that didn’t pay, the average cost of the breach was $5.12 million; for organizations that did pay, it was $4.49 million.
Data Breaches in Various Work Environments
With the huge growth in remote working, it was interesting and worrying to see that breaches where remote working was a factor cost nearly $1 million more than breaches where it wasn’t ($4.99 million as opposed to $4.02 million). Remote work-related breaches cost on average about $600,000 more than the global average.
While 45% of breaches in the study occurred in the cloud, the study found that breaches that happened in a hybrid cloud environment cost an average of $3.80 million, compared to $4.24 million for breaches in private clouds and $5.02 million for breaches in public clouds. The cost difference was 27.6% between hybrid cloud breaches and public cloud breaches. Organizations with a hybrid cloud model also had shorter breach lifecycles than organizations that solely adopted a public or private cloud model.
For the past 12 years, the healthcare industry has had the highest average cost of a breach. This year the figure was $10.10 million. Financial organizations had the second highest costs at $5.97 million, with pharmaceuticals at $5.01 million, technology at $4.97 million, and energy at $4.72 million.
The most expensive country for a breach is the USA at $9.44 million on average. That's followed by the Middle East at $7.46 million, Canada at $5.64 million, the UK at $5.05 million, and Germany at $4.85 million.
The report suggests that data breaches may also be contributing to the rising costs of goods and services. 60% of organizations surveyed raised their product or service prices due to the breach. For consumers, this adds to their costs along with inflation and supply chain issues.
Minimizing Security Breach Risks
The report found that more organizations are deploying a zero-trust approach and seeing savings. The percentage of organizations using this approach rose from 35% in 2021 to 41% in 2022. Organizations that hadn’t deployed zero trust incurred an average of $1 million more in breach costs than those that had.
Security artificial intelligence (AI) had the biggest cost-mitigating effect. When it was fully deployed, it led to the average breach costing up to $3.05 million less at organizations with it than at organizations without it. This was the largest cost saving found in the study. Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach than those without security AI and automation (249 days versus 323 days).
Nearly three-quarters of organizations in the study said they had an incident response (IR) plan, and 63% of those organizations said they regularly tested the plan. Businesses with an IR team that tested their IR plan saw average breach costs $2.66 million lower than organizations without an IR team or that don’t test their IR plan. The figures are $3.26 million against $5.92 million.
Organizations with extended detection and response (XDR) technologies shortened the time to identify and contain the data breach by about a month on average compared to organizations that didn’t implement it. XDR technologies were implemented by 44% of organizations. They took 275 days to identify and contain a breach compared with 304 days for organizations without XDR deployed.
Concluding Thoughts
While it’s worrying that data breaches are continuing to increase in terms of the number of attacks and the cost to the organization being attacked, it’s good to see that the average time to identify and contain a breach is going down. It’s also good to see some strategies that organizations can adopt to help them—like security AI, a regularly tested IR plan, XDR technologies, and the use of zero-trust tools.
About the author
Trevor Eddolls is the CEO of iTech-Ed Ltd and has been an IBM Champion from 2009-2021.