The Ponemon Institute recently published their Cost of a Data Breach 2022 Report. For 17 years the Institute has released its compiled findings of its annual study, providing risk management and security leaders insights into the monetary cost structure of data breaches. This year, Ponemon studied 550 organizations located across 17 countries. A total of 17 industries were represented by them.. The information was collected from more than 3,600 interviews with individuals across the affected organizations. The common denominator for the organizations used in this study was that they had been impacted by a data breach between March 2021 and March 2022.
Each year the makeup of the report changes slightly. This year’s report placed a greater emphasis on the issues that are contributing to higher data breach costs. Some of these issues include supply chain compromises, remote and hybrid work strategies, ransomware, and other destructive attacks in addition to how the security skills gap continues to challenge the industry. Below we have summarized the key findings revealed by the study.
Record Costs Experienced in 2022
It seems that the price of nearly everything has risen in 2022 and that goes for data breach costs as well. On average, the cost of a data breach today has reached an all-time record at 4.35 million in 2022. This represents as a 2.6% increase over the previous year and a 12.7% increase over two years. Keep in mind that this is the average global cost. Organizations in the United States experienced the highest average cost of any nation ($9.44 million). Canada ranked #3 at $5.64 million.
The Ponemon report identifies a special category called critical infrastructure organizations, which includes organizations in industries such as financial services, energy, communication, transportation, healthcare, industrial, education, and the public sector. The average data breach costs for organizations in these industries were $1 million more than the average cost for organizations deemed non-critical. For the 12th year in a row, healthcare was the costliest industry at $10.10 million, an increase of 41.6% over the 2020 report. Financial service organizations, pharmaceuticals, technology firms and energy companies rounded out the top five.
Data breach costs have become a cost of doing business which usually means those costs are passed on to the customer in some way. The study found that 60% of the data breaches experienced by organizations resulted in price increases.
Root Causes of Breaches
Fraudulent use of stolen or compromised credentials remains the most common cause of a data breach, contributing to 19% of all data breaches covered in the study. These breaches had the longest lifecycle as well, taking a full 243 days to discover the breach and an additional 84 days to contain it. Phishing was the second most common attack vector, attributing to 16% of the breaches and these breaches proved the costliest at $4.91 million. Ransomware was responsible for 11% of breaches. Not all breached organizations were directly targeted for attack. Nearly one in five breaches were attributed to some sort of supply chain attack which is why it isn’t just about your own cybersecurity measures, but the efforts of all your business partners, service providers and vendors.
Incident Response Plans and Other Strategies Prove Valuable
Almost 75% of all organizations in the study said they had an incident response plan (IRP), with 63% of them affirming that their plans are regularly tested. Those organizations that had a tested IRP faired far better than those without one as they experienced a savings of $2.66 million dollars in lower data breach costs compared to their counterparts. That constitutes a 58% cost savings for organizations with Incident Response Plans over those without formalized, tested IRP’s.
Similarly, zero-trust strategies are showing a definite return on investment (ROI). More than 40% of organizations in the study had a deployed zero-trust security architecture. This was up 6 percentage points from the year prior. These organizations realized a cost savings of almost $1 million in average breach costs compared to those with no such strategy. This represented a savings of just over 20 percent. What’s more, those organization that had reached a mature stage in their zero-trust strategy implementations reported a savings of $1.5 million. Integration of artificial intelligence (AI) automated security proved to be the biggest cost differentiator. A full 70% of organizations reported implementing AI technology in some capacity in 2022, up from 65% the year prior. Those integrated AI technologies experienced a 65.2% savings in reported data breach costs.
Other Key Findings in the Report
Not all key findings were monetary related. An astounding 83% of the studied organizations reported experiencing more than one data breach. This shows the harsh reality that a data breach is not a singular event. Clearly the cloud is not the end-all be-all when it comes to cybersecurity as 45% of the reported data breaches were cloud based. Interestingly enough, the cost of a breach involving a public cloud exceeded that of private clouds ($5.02 million compared to $4.24 million). Another key finding in the report showed that the continued practice of remote work strategies is contributing to the rising costs of data breaches as remote work-related breaches averaged $600,000 more than the global average of all breaches.
Summary
You can view the report in its entirety here. The trend is clear. Data breaches are becoming more costly year over year. Well implemented security strategies and tools are paying big dividends by reducing those costs should a breach occur.
Update your Incident Response Readiness (IRR) to prepare for this changing threat landscape. A security assessment will identify areas of risk and the opportunities for improvement to prevent or limit the impact of successful Cyber Security events.