The average cost of a data breach in 2022 has risen to $4.35 million globally and $9.4 million in the United States, according to the 2022 Cost of a Data Breach Report from IBM. For the past 17 years, IBM has released annual reports tracking the average cost of data breaches. 2022 set new records for breach costs, with the average global cost of a data breach 2.6% higher than in 2021 and almost 13% higher than in 2020. This year’s study covered 500 organizations across 17 countries and 17 industry sectors and involved more than 3,600 interviews with staff members at the breached organizations.
Data breaches are incredibly costly for companies, and those costs are often passed on to consumers: 60% of the organizations surveyed said they were forced to raise the prices of their products and services as a result of suffering a data breach. As in previous reports, the highest data breach costs are incurred in highly regulated industries, with healthcare data breaches the costliest at an average of $10.1 million per incident. 2022 was the 12th successive year in which healthcare recorded the highest data breach costs of any industry sector, with the average cost in 2022 almost $1 million higher than in 2021.
Ransomware attacks increased significantly in 2022. In 2021, ransomware attacks accounted for 7.8% of all data breaches; in 2022 the share rose to 11%. IBM does not factor the cost of the ransom demand into its figures. The average cost of a ransomware attack, not including the ransom, was $4.5 million, slightly lower than last year. It is common for ransomware victims to pay the ransom to ensure a faster recovery; however, IBM says its figures show that while recovery may be quicker, there is little cost advantage to paying. On average, the breach costs – not including the ransom payment – were only $610,000 lower when the ransom was paid. Factor in today’s sizable ransom demands, which are often millions of dollars, and not paying the ransom would be the better financial choice.
The highest breach costs by initial attack vector came from phishing. When phishing was the initial attack vector, breach costs averaged $4.9 million, with business email compromise-related breaches also costly at $4.89 million. 45% of organizations said they had experienced a data breach in the cloud, and 43% of those organizations stated they were in the early stages of cloud adoption and had not fully implemented a cloud security strategy. Those that had not fully implemented a cloud security strategy paid $600,000 more in breach costs than those that had.
Several massive data breaches have been reported in the past year, and breaches of that scale are typically incredibly expensive to mitigate. The average cost of a data breach involving 1 million records is now $49 million, whereas a breach of 50 million records costs an average of $387 million to resolve. The faster a breach is detected and mitigated, the lower the cost is likely to be. The average time to detect a breach fell slightly from 2021, to 207 days, and the average time to contain a data breach fell by 10 days, to 277 days. When the total time to detect and contain a breach was less than 200 days, breach costs were 26.5% lower than when it took more than 200 days.
IBM also investigated the main factors that reduce breach costs. The largest reduction came from fully deployed security AI and automation, which lowered breach costs by $3.05 million on average. Having an incident response team and a regularly tested incident response plan reduced costs by $2.66 million. The adoption of zero trust reduced breach costs by $1.5 million on average; however, IBM found that critical infrastructure organizations have been slow to adopt zero trust, with only 20% of the critical infrastructure organizations in the study having implemented zero trust strategies. Extended detection and response (XDR) technologies were also shown to make a substantial difference in response times, shaving almost a month (29 days) off the response time.