The average cost of a data breach continues to grow, according to IBM’s annual survey of 16 countries and regions during a recent 12 month period.
The study, released today, shows that the average breach cost the 553 organizations studied US$4.45 million in the 12 months ending Mar. 30, a 2.3 per cent increase from the same period in 2022.
The average cost has increased 15.3 per cent since the 2020 report. Those are incident recovery costs, and don’t include any ransomware or extortion payments organizations may have made.
In a separate report that breaks down results for Canada, the cost of data breaches at 28 organizations studied was down slightly from the previous year (C$6.9 vs C$7 million). That put Canada as the geography with the third highest breach costs among the organizations studied. First was the U.S., followed by a grouping of Middle East countries.
In U.S. dollars, the average cost of a breach among Canadian firms studied in this edition was $5.13 million in the study — higher than Germany, Japan the U.K., France and Italy. By comparison, the average cost of a breach in Australia was $2.7 million.
Asked why the cost in Canada was so much higher than Australia, Chris Sicard, a partner in IBM Canada’s security consulting and delivery practice, speculated that many of the Canadian organizations included in this year’s study were regulated industries, where recovery costs are higher.
And while the cost in this country has gone up and down since it was included in the global study nine years ago, the overall trend during those years is up.
“Overall we’re seeing the trend continue to go in the wrong direction,” Sicard said in an interview.
There are very telling nuggets of information in the study. For example, only one-third of the 553 companies discovered their data breach through their own security teams. Or, put another way, 67 per cent of breaches were reported by a third party, like a police force, or the victim firm only learned when the attackers announced a successful breach.
In other words, firms were more likely to learn from an outside source they were successfully breached than from their own IT staff.
“It is telling,” commented Sicard. “It means we still don’t have the right level of monitoring and insights in terms of what is going on within the network … You can’t protect what you don’t see.”
Here’s another statistic: On average, the cost of a data breach among organizations with application development teams with high DevSecOps adoption was US$1.68 million less than those who paid little or no attention to this process.
The next three corporate strategies that lowered the average cost of a data breach were employee awareness training, having and testing an incident response plan, and benefiting from artificial intelligence or machine learning insights.
And another number: The mean time among the 553 organizations studied to both identify (204 days) and to contain data breaches (73 days) saw only marginal changes from last year’s study.
The most effective things that lower the cost of a data breach are still the basics, Sicard said: Employee awareness training, using threat intelligence, having a strong identity and access management process, setting up a zero-trust IT architecture, having a strong incident response plan, and running table-top cyber attack exercises. It also includes using artificial intelligence/machine learning solutions to relieve the workload on infosec pros, he added.
Research for the study was conducted by the Ponemon Institute. It included over 3,475 interviews with individuals at 553 organizations that suffered a data breach between March 2022 and March 2023. Interviewees included IT, compliance and information security practitioners familiar with their organization’s data breach and the costs associated with resolving the breach. For privacy purposes, organization-specific information wasn’t collected.
The global report is available here. Registration is required.
