3 Key Findings from IBM’s Cost of a Data Breach Report
A recent report from IBM delves into significant trends in cyber attacks. These statistics can help risk managers and IT leaders collaborate to identify the value in their security investments and risk profile.
September 25, 2023
In its 18th year of publication, IBM’s Cost of a Data Breach Report studied 553 organizations, measuring the impact of cyber incidents, organizational preparedness, and how breaches are identified. The analysis they provide can help organizational leaders find areas of opportunity and limit potential losses.
“Cyber criminals are using cloud vulnerabilities, poor data management, and poor overall cyber hygiene to their advantage,” said Jeremy Schumacher, Director of Cyber Underwriting at Safety National. “Many of these cyber attacks exploit vulnerabilities that were previously discovered but were not patched by the organization, creating a path for threat actors to gain access. As this report details, incident response planning and patch prioritization should be a key part of your cyber defense structure to help prevent extraordinary costs related to a cyber incident.”
Here, we dive into a few of the most notable numbers from their report and how organizations can respond.
1. The average cost of a data breach hit an all-time high, at $4.45 million per incident.
Representing a 15.3% increase since 2020, this figure has risen every year. Notably, only about one-third of breaches were identified by the organization's own security team; the remaining 67% were disclosed by a benign third party or by the attacker. On average, breaches disclosed by the attacker cost nearly $1 million more than those caught internally. Budget constraints, staffing shortages, and gaps in training can all prevent an internal team from detecting an incident in time.
However, a cyber insurance carrier can provide critical remediation services. In addition to a breach coach who has managed thousands of cyber attacks and can help negotiate the terms of a ransom, a cyber policy can cover associated costs such as system and data recovery and legal aid. It can also assist with regulatory fines, reputational damage, and liability matters. Leveraging these specialized resources can help a company get back to business in a timely manner.
2. Organizations with high levels of incident response (IR) planning saved $1.49 million compared to those with low levels.
IR planning has quickly become a priority spend in organizational budgets. According to IBM, "the most effective IR strategy for reducing the duration of a data breach was to combine the formation of an IR team with testing the IR plan." Organizations that had both of these elements in place identified and contained breaches 54 days faster on average than those with neither.
When seeking cyber insurance coverage, your carrier may require you to have a well-defined IR plan to mitigate the impact on business operations. A proper plan will involve leadership teams, including the C-suite, defining roles and responsibilities for responding throughout the course of an attack. This also includes a plan for press relations post-event, especially involving matters of public trust.
3. Across industries, healthcare reported the highest costs for the 13th year in a row, increasing 53.3% since 2020.
While the cross-industry average per incident is $4.45 million, healthcare data breaches cost more than double that figure, weighing in at $10.93 million per incident. Costs have climbed sharply since the pandemic, growing 53.3% over the last three years. Considered critical infrastructure by the U.S. government, healthcare faces considerably higher levels of regulation. Combined with the complexity and volume of sensitive patient information involved, these breaches are exceptionally costly. Additionally, four of the top five industries with the highest data breach costs are considered critical infrastructure, including financial, energy, and industrial services.
Stealing protected health information (PHI) is especially attractive to threat actors because it is far more valuable on the black market than most other personal data. So, what preventative measures can help? Start by limiting each user's access to patient information to what their role actually requires, and do not grant permissions beyond that. Healthcare organizations rely on third-party vendors for a suite of services and, as such, should have an extensive vendor vetting process. Additionally, standard practices such as annual risk assessments, keeping infrastructure up to date, and maintaining adequate staffing in critical roles are essential to prevention.
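To make the "limit access to what the role requires" advice concrete, here is an added example (written for this page; it is not code from IBM, Safety National, or any EHR product) that contrasts an unrestricted record read with a deny-by-default, role-scoped read. The role names, the per-role field sets, the sample patient record, and the simple "assigned patients" stand-in for a care-relationship check are all constructed assumptions; a real deployment would derive the field sets from a documented policy review and pull the treatment relationship from the clinical system.

```python
"""Least-privilege access to a patient record: an illustrative example.

Everything here is constructed for demonstration (roles, field sets, the
sample record). It is not from IBM's report or from any real system.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample record; values are placeholders, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "A. Example",
    "dob": "1980-01-01",
    "phone": "555-0100",
    "insurance_id": "INS-42",
    "billing_codes": ["99213"],
    "diagnoses": ["E11.9"],
    "medications": ["metformin"],
    "allergies": ["penicillin"],
}

# Assumed minimum-necessary field set per job role. A real deployment derives
# these from policy review, not from a dict in source code.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "treating_clinician": frozenset({"name", "dob", "diagnoses", "medications", "allergies"}),
    "billing_clerk": frozenset({"name", "dob", "insurance_id", "billing_codes"}),
    "scheduler": frozenset({"name", "phone"}),
}

# Roles that additionally need an active care relationship with the patient.
RELATIONSHIP_REQUIRED = {"treating_clinician"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    assigned_patients: FrozenSet[str] = frozenset()  # stand-in for a real relationship check


class AccessDenied(Exception):
    pass


# Every allow/deny decision is recorded: (user, patient, decision, detail).
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


def read_record_unrestricted(user: User, record: dict) -> dict:
    """The over-permissioned pattern: any authenticated user gets the whole record."""
    return dict(record)


def read_record(user: User, record: dict) -> dict:
    """Hardened read: deny by default, return only the role's fields, require a
    care relationship where the role calls for one, and audit every decision."""
    patient_id = record["patient_id"]
    allowed = ROLE_FIELDS.get(user.role)
    if allowed is None:
        AUDIT_LOG.append((user.user_id, patient_id, "DENY", "unknown role"))
        raise AccessDenied(f"role {user.role!r} may not read patient records")
    if user.role in RELATIONSHIP_REQUIRED and patient_id not in user.assigned_patients:
        AUDIT_LOG.append((user.user_id, patient_id, "DENY", "no care relationship"))
        raise AccessDenied(f"{user.user_id} is not assigned to {patient_id}")
    view = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append((user.user_id, patient_id, "ALLOW", ",".join(sorted(view))))
    return view


def demo() -> dict:
    """Run the constructed scenarios and return a summary of the outcomes."""
    AUDIT_LOG.clear()
    clerk = User("u-billing", "billing_clerk")
    doc = User("u-doc", "treating_clinician", frozenset({"P-1001"}))
    other_doc = User("u-doc2", "treating_clinician", frozenset({"P-2002"}))
    contractor = User("u-temp", "contractor")  # no role mapping at all

    results = {
        "unrestricted_field_count": len(read_record_unrestricted(clerk, SAMPLE_RECORD)),
        "clerk_view": read_record(clerk, SAMPLE_RECORD),
        "doc_view": read_record(doc, SAMPLE_RECORD),
    }
    for u in (other_doc, contractor):
        try:
            read_record(u, SAMPLE_RECORD)
            results[u.user_id] = "allowed"
        except AccessDenied as exc:
            results[u.user_id] = f"denied: {exc}"
    results["audit_entries"] = len(AUDIT_LOG)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The billing clerk never sees diagnoses or medications, a clinician who is not assigned to the patient is refused even though the role itself is trusted, and an account with no mapped role gets nothing rather than everything. The audit entries are what an internal team would later use to spot misuse, which ties back to the report's point that breaches caught internally cost less.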