IBM Report: Consumers Pay as Data Breach Costs Reach All-Time High
60% of breached organisations raised product prices after the breach; most critical infrastructure organisations lag in zero trust adoption; understaffed organisations incurred $550k more per breach
The annual Cost of a Data Breach Report published by IBM Security found that data breaches are costlier and more impactful than ever: the global average cost of a data breach reached an all-time high of $4.35 million for the organisations studied. With breach costs up roughly 13 percent over the last two years of the study, the findings suggest that these incidents may also be contributing to rising prices for goods and services. In fact, 60 percent of the organisations studied raised the price of their products or services as a direct result of a breach, at a time when prices are already climbing worldwide because of inflation and supply-chain disruption.
The persistence of cyberattacks is also shedding light on the "haunting effect" that data breaches have on businesses: 83 percent of the organisations studied have experienced more than one data breach. The after-effects also linger long after the incident itself; nearly half of breach costs are incurred more than a year after the breach, a share that has been growing over time.
The 2022 Cost of a Data Breach Report is based on an in-depth analysis of real-world data breaches experienced by 550 organisations worldwide between March 2021 and March 2022. The Ponemon Institute conducted the research, which IBM Security sponsored and analysed.
Key findings of the 2022 report include:
- Critical Infrastructure Lags in Zero Trust – Almost 80 percent of the critical infrastructure organisations studied do not adopt zero trust strategies. Their average breach cost was $5.4 million, $1.17 million higher than for those that do. Ransomware and destructive attacks accounted for 28 percent of the breaches at these organisations.
- It Does Not Pay to Pay – Ransomware victims in the study that paid the ransom demand saw only $610,000 less in average breach costs than those that did not pay, and that figure excludes the ransom itself. Once the typically large ransom payment is added, the total cost can be even higher, suggesting that paying is not an effective strategy and may simply fund further attacks.
- Security Immaturity in Clouds – 43 percent of the organisations studied are in the early stages of applying security practices across their cloud environments, or have not started at all. These organisations saw breach costs more than $660,000 higher on average than organisations with mature security across their cloud environments.
- Security AI and Automation Takes the Lead as a Multi-Million Dollar Cost Saver – Organisations that had fully deployed security AI and automation incurred $3.05 million less on average in breach costs than those that had not deployed the technology, the largest cost saver observed in the study.
Businesses need to put their security defences on the offensive and beat attackers to the punch: stop the adversary from achieving their objectives and start minimising the impact of attacks. As Charles Henderson, Global Head of IBM Security X-Force, put it, "the more firms strive to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost of living hikes." The report shows that the right strategies combined with the right technologies can make all the difference in how well organisations withstand cyberattacks.
Over-trusting critical infrastructure organisations
Concern over the targeting of critical infrastructure has grown worldwide over the past year, with the cybersecurity agencies of several nations urging vigilance against potentially disruptive attacks. That ransomware and destructive attacks made up 28 percent of breaches among the critical infrastructure organisations IBM studied highlights the reality that threat actors are seeking to disrupt the global supply chains that rely on these organisations, which include industrial, healthcare and transportation companies, among others.
Only 21 percent of the critical infrastructure organisations studied use a zero-trust security model, despite those warnings and a year after the Biden Administration issued a cybersecurity executive order that emphasises adopting a zero-trust approach to strengthen the nation's cybersecurity. In addition, 17 percent of breaches at critical infrastructure organisations were caused by a business partner being compromised first, underlining the risk that over-trusting environments pose to information security.
Companies that pay the ransom are not getting a "deal" in any sense of the word
According to the 2022 IBM report, organisations that paid the ransom demanded by threat actors saw average breach costs only $610,000 lower than those that chose not to pay, and that figure excludes the ransom payment itself. Once the average ransom payment is taken into account, which Sophos estimates reached $812,000 in 2021, organisations that pay could end up with higher total costs. They are also potentially funding future ransomware attacks with capital that could have gone to remediation and recovery, and may be exposing themselves to potential federal offences.
The industrialisation of cybercrime is a major reason ransomware remains so prevalent despite significant global efforts to curb it. According to IBM Security X-Force, the average duration of an enterprise ransomware attack has fallen by 94 percent over the past three years, from more than two months to just under four days. These far shorter attack lifecycles leave incident responders with very narrow windows in which to detect and contain attacks, and may be encouraging attackers to launch higher-impact attacks. With "time to ransom" now down to a matter of hours, organisations need to prioritise rigorous testing of their incident response (IR) playbooks ahead of time. Yet the analysis finds that up to 37 percent of the organisations studied that have IR plans do not test them regularly.
Hybrid Cloud Advantage
The study also identified hybrid cloud as the most common infrastructure model (45 percent) among the organisations studied. Organisations that adopted a hybrid cloud model saw lower breach costs, averaging $3.8 million, compared with $5.02 million for those relying solely on public cloud and $4.24 million for those relying solely on private cloud. Hybrid cloud adopters also identified and contained data breaches 15 days faster on average than the global average of 277 days.
The report also underscores the importance of cloud security: 45 percent of the breaches examined occurred in the cloud. Yet 43 percent of the organisations reported that they are only in the early stages of applying security practices across their cloud environments, or have not started at all, and these organisations saw higher breach costs. Organisations that did not apply security practices across their cloud environments took an average of 108 days longer to identify and contain a data breach than those that consistently applied security practices across all their domains.
Additional findings from the 2022 report include:
- Phishing Becomes the Costliest Breach Cause – Compromised credentials remained the most common cause of a breach (19 percent), while phishing was the second most common (16 percent) and the costliest, leading to $4.91 million in average breach costs for the organisations affected.
- Healthcare Breach Costs Hit Double Digits for the First Time Ever – For the 12th year in a row, healthcare participants saw the costliest breaches of any industry. The average healthcare breach cost rose by nearly $1 million to a record high of $10.1 million.
- Inadequate Staffing Levels for Security – 62 percent of the organisations studied said they do not have sufficient staffing to meet their security needs; these organisations incurred an average of $550,000 more in breach costs than those that reported adequate staffing.