Monday, August 5, 2024
Data breach costs now average $4.88 million
Data breach costs have reached a new high. IBM reported that globally the average cost of a data breach reached $4.88 million in 2023, as breaches grow more disruptive and further expand demands on companies' cyber teams.
The 2023 cost figure represents a 10 percent increase over 2022.
Lost business and post-breach customer and third-party response costs drove the year-over-year spike, IBM said. The disruption that data breaches cause extends to their after-effects, with recoveries taking more than 100 days for organizations (an estimated 12 percent) that are able to fully recover from breaches.
IBM's Cost of a Data Breach Report 2024 draws on research conducted by the Ponemon Institute and reflects breaches that occurred in 2023. Ponemon has been researching the cost of data breaches for nearly two decades, and has studied breaches involving more than 6,000 organizations.
"Businesses are caught in a continuous cycle of breaches, containment and fallout response," said Kevin Skapinetz, vice president for strategy and product design at IBM Security. "This cycle now often includes investments in strengthening security defenses and passing breach expenses on to consumers, making security the new cost of doing business."
"As generative AI rapidly permeates businesses," Skapinetz added, "expanding the attack surface, these expenses will soon become unsustainable, compelling business to reassess security measures and response strategies."
Staffing shortages drive up costs
Staffing shortages are a big problem. More than half the organizations studied for this year's report had severe or high-level staffing shortages in 2023 and sustained significantly higher breach costs as a result. For those reporting high levels of staffing shortages, the average breach cost was $5.74 million, compared to $3.98 million for those with minimal or no staffing shortages.
This could change, however, as more organizations plan to increase security budgets. Among those studied, 63 percent plan to increase security budgets, compared to 51 percent last year. Employee training was the top planned investment area.
Additionally, investments are planned for incident response planning and testing, threat detection and response technologies, identity and access management, and data security protection tools.
AI: help and hindrance
Skapinetz, in discussing the research findings, noted that as generative AI permeates businesses, it expands the likelihood of attacks, "compelling business to reassess security measures and response strategies."
To get ahead of the breach curve, Skapinetz said businesses should invest in AI-driven defenses. They should also hone new skill sets to address the emerging risks and opportunities presented by generative AI, he added.
Two out of three organizations studied are deploying AI to support their security postures. When AI was deployed extensively, the organizations studied saw an average of $2.2 million less in breach costs compared to those that did not use AI.
Sixty-seven percent of organizations surveyed have deployed AI and automation, and 20 percent use some form of generative AI security tools. Organizations using AI to support security were able to contain breaches faster—on average 98 days faster than those that did not, according to the report.
The good news is that the global average data breach lifecycle hit a seven-year low of 258 days, down from 277 days in 2022, suggesting AI technologies are helping to put time back on the side of mitigation and remediation.
Shorter breach lifecycles also reflect better internal detection: 42 percent of breaches were detected by in-house security teams or tools last year. Compared to 2022, internal detection shortened the data breach lifecycle by 61 days. Internal detection also saved organizations nearly $1 million in breach costs, compared to breaches disclosed by attackers.
Stolen credentials top attack vectors; customers pay the cost
Stolen and compromised credentials were the most common initial attack vector, accounting for 16 percent of breaches. These breaches also took the longest to identify and contain at nearly 10 months, the report noted.
Bringing law enforcement into the mix helped contain a significant number of breaches, particularly when ransomware was involved. Organizations that called upon law enforcement for help saved on average nearly $1 million in breach costs, compared to those that did not. (This excludes any ransom paid.) Most ransomware victims (63 percent) that engaged law enforcement were able to avoid paying ransom, according to the report.
The ultimate cost of breaches is paid by customers. More than six in 10 (63 percent) of breached organizations stated that they planned to recoup the cost of breaches by increasing the cost of goods and services. That's up from 57 percent in 2022.