Data breaches cost more: what companies need to know
The United States was the most expensive country by average total cost of a data breach for the 12th consecutive year at $9.44 million, an increase of 4.3% from 2021. Canada was third at $5.64 million, 4.4% more than last year.
Also in the top five was the Middle East, in second place with $7.46 million. The United Kingdom and Germany completed the list, with $5.05 million and $4.85 million respectively.
IBM studied 550 organizations affected by data breaches between March 2021 and March 2022. The breaches occurred in 17 countries and regions and across 17 different industries.
“This year is the first in which we have seen organizations pass on the cost of data breaches to customers,” Hamilton said, noting that 60% of organizations said they increased the prices of their goods or services in response to a breach.
Another unique finding was that 83% of the organizations in the study have experienced more than one data breach in their lifetime. This “disturbing effect” is expected to get worse with security teams handling more cyber incidents each year.
IBM found that the impact also lingers on organizations long after cyberattacks occur, with nearly half of breach costs incurred more than a year after the event.
“When an organization is compromised, much more attention is typically paid to the security program and closing vulnerabilities. That process often takes time, especially if an organization has a lot of legacy infrastructure that requires manual code updates,” explained Hamilton.
“Sometimes you can’t release new software without testing it across the entire environment, making sure it will work accordingly. So it can take weeks, if not months, to go through that process.”
‘Not worth paying’
Hamilton also found it “baffling” that many organizations fell for a ransomware scheme, only to fall for the same attack a second time weeks or months later. Ransomware was responsible for just 11% of the breaches IBM studied this year, but the average cost of a ransomware attack, not including the ransom itself, was $4.54 million, higher than the overall average cost of a data breach.
Hamilton explained what factors influence organizations’ decision to pay a ransom: “Some organizations have a very strong resiliency plan. They have disaster recovery and business continuity plans that they have tested and implemented. They realized [after a data breach] that [they] can resume critical business processes.
“Others don’t have those disaster recovery plans. They do not have data backups. Either they pay a ransom in the hope of recovering some data that the threat actors exfiltrated, or they start over, and starting over without a backup can take weeks, months, depending on the complexity of the environment.”
Organizations that paid cybercriminals a ransom paid around $610,000 less in average breach costs compared to those that chose not to pay. But the average ransom payment in 2021 was $812,000, according to the Sophos State of Ransomware report, meaning ransom payers have higher total net costs. Worse yet, they are inadvertently funding future threat actor attacks and contributing to the vicious cycle.
“We have seen a substantial shift towards organized criminal groups hacking businesses. The organized crime front has certainly moved on, particularly on ransomware,” Hamilton noted.
The average life cycle of a ransomware attack has also been significantly reduced, from more than two months to just under four days, IBM reported. Shorter durations mean less and less time for cybersecurity incident responders to detect and contain attacks, which can lead to higher payouts for organizations.
Impacts of COVID-19
This year’s report on the cost of data breaches is IBM’s third since COVID-19 hit. Hamilton said a byproduct of the pandemic is taking a heavy toll on organizations’ cybersecurity: remote work.
“One of the strengths [in the report] was a strong correlation between remote work and the cost of a data breach. More employees working remotely were associated with higher costs of noncompliance,” said Hamilton.
For organizations with more than 80% of their employees working remotely, the cost of the data breach was $5.10 million. For those with less than 20% of employees working remotely, the average price was $3.99 million.
“Many organizations tried to change overnight, implementing remote work policies, hosting Zoom and WebEx meetings, and taking what was a potentially closed environment and pushing it. Combine that with the number of employees potentially working around the world,” added Hamilton.
When it comes to protecting IT infrastructure, multi-factor authentication is “absolutely critical” for organizations, according to Hamilton. Businesses should also install endpoint security software, which allows critical data to be remotely wiped from a laptop or device in the event of loss or theft.
The IBM study also highlighted that the hybrid cloud approach, where a company’s IT architecture uses at least one public cloud and one private cloud, helped organizations reduce their data breach costs. With nearly half (45%) of data breaches occurring in the cloud, the security of these environments is paramount.
Additionally, organizations that fully implemented AI and security automation incurred $3.05 million less in average breach costs, the largest cost savings seen in the study, IBM said.
For Hamilton, cybersecurity awareness among employees, especially those working remotely, is a strong and easy way to reduce the risk of data breaches.
“As more people work remotely, not everyone is sitting in their home office or at the kitchen counter. Some people go to coffee shops or co-working spaces. Making sure the employee is practicing good cyber hygiene, locking down their laptop, and making sure people aren’t shoulder surfing are critical things an employer needs to consider to mitigate cyber risks,” said Hamilton.
Insurance Business.