Headline
Average Data Breach Costs Soar to $4.4M in 2022
Call it a "cyber tax": Those costs are usually passed on to consumers, not investors, as compromised businesses raise prices for goods and services.
Sixty percent of breaches have resulted in companies recouping the cost of fines, clean-up, and technological improvements by increasing prices, essentially making consumers pay for breaches and companies’ lack of preparedness, according to an annual report published on July 27.
The “Cost of Data Breach Report 2022” report, based on a survey of executives and security professionals at 550 companies, says the average cost of a data breach continued to rise in 2022, reaching an average of $4.4 million globally (up 13% since 2020) and $9.4 million in the United States. On average, companies required 277 days to identify and contain data breaches, down from 287 days in 2021, and 83% of companies had suffered more than one breach.
“It is clear that cyberattacks are evolving into market stressors that are triggering chain reactions, [and] we see that these breaches are contributing to those inflationary pressures,” says John Hendley, head of strategy for IBM Security’s X-Force research team. “We have to think about cyber events as factors that are capable of straining the economy, similar to COVID, the war in Ukraine, gas prices, all of that.”
Business email compromise and phishing attacks led to the most costly breaches (in millions of US$). Source: IBM Cost of Data Breach Report 2022
The annual report, based on surveys conducted by the Ponemon Institute, is not the first attempt to gauge the impact of breaches on businesses’ balance sheets. Last year, a survey by security-operations firm IronNet found that most companies were affected by the supply chain attack on network management firm SolarWinds, with the average firm seeing an 11% drop in revenue due to dealing with the incident.
Overall, experts estimated that the incident would cost SolarWinds about $18 million but would cost the 18,000 affected businesses and government agencies as much as $100 billion in clean-up costs.
A “Cyber Tax” on Consumers
While cybersecurity experts have increasingly urged companies to count on having their systems compromised, they continue to have problems stopping attackers, and they are passing costs onto consumers, Hendley notes. This suggests that data breaches and cyberattacks are creating a cyber tax, he argues, increasing costs for downstream consumers and clients.
“When you think about the fact that 83% of businesses have been breached at least once in their lifetime, I think it becomes difficult to say that we need to apply punitive damages to help prevent breaches,” Hendley says. “There is always going to be a way in, so I think the best investment that we can have is to try to shift the line from protecting the perimeter to thinking like the attacker.”
In addition to the labeling of breaches and fines as a cyber tax, the report highlighted various trends among industries dealing with cyberattacks. Companies that could reduce the overall breach detection and response time to less than 200 days saved $1.1 million, or 23% of the cost of the average breach.
**Data Breach Costs Worst in Healthcare **
The cost of a single data breach varied significantly based on the type of industry affected. The heavily regulated healthcare sector continued to pay out the highest amount for compromises of data, reaching an average of $10 million per breach in 2022, compared with financial firms that paid an average of $6 million per breach, the second most expensive breach cost. Pharmaceutical companies and technology firms essentially tied for third place, paying about $5 million for each breach.
Ransomware continued to have a significant impact on business, despite signs that — so far this year — ransomware attacks have declined somewhat. The survey found that companies that pay ransoms spend less on clean-up costs, but high ransom totals negate most savings. In addition, 80% of companies that pay ransoms are attacked again, according to the “Ransomware: The True Cost to Business” report published by security firm CyberReason last year.
Ransomware Not as Costly as Phishing Attacks
Other research has highlighted the impact of ransomware on companies that have not adequately prepared for destructive attacks. Two-thirds of global firms hit with ransomware suffered a significant revenue loss, they said, as did 58% of those surveyed at US companies specifically. The attacks overall have led to 31% of global companies shuttering some part of their businesses.
“It is interesting to see the cost difference between ransomware victims who chose to pay and those who chose not to,” Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a digital-risk protection firm. “Those who pay are often targeted again within months of the original attack, which would increase financial losses significantly. These factors are important to consider when making the challenging business decision of whether or not to pay.”
That said, the initial vector of the attack also had a significant impact on cost. Business email compromise (BEC) and phishing attacks led to the highest average breach costs — about $4.9 million per incident — with third-party vulnerabilities and compromised credentials accounting for damages of approximately $4.5 million per incident.
The IBM-Ponemon report also highlighted technologies that could have the largest impact on data breach costs. Companies that use artificial intelligence and machine learning (AI/ML) technologies, DevSecOps processes, and formed an incident-response team saved about $300,000, $276,000, and $253,000 per incident, respectively.
In contrast, companies that suffered from security system complexity, were migrating the business to the cloud, and had compliance failures saw the largest increases in cost per incident.
The report is based on more than 3,600 interviews with individuals from 550 companies of various sizes, focusing on breaches that involved anywhere from 2,200 to 102,000 records. Breaches outside that range were not included.