60% of breached companies raised product prices after the breach; the vast majority of critical infrastructures are lagging behind in adopting zero trust; $550,000 in additional costs for understaffed businesses
Jul 27, 2022
CAMBRIDGE, Mass., July 27, 2022 /PRNewswire/ – IBM (NYSE: IBM) Security today published the annual Cost of a Data Breach Report,1 revealing more costly and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for the organizations studied. With breach costs rising nearly 13% over the last two years of the report, the findings suggest that these incidents could also be contributing to rising costs of goods and services. In fact, 60% of the organizations studied increased the prices of their products or services due to the breach, while the cost of goods is already skyrocketing worldwide due to inflation and supply chain issues.
The persistence of cyberattacks also highlights the ‘haunting effect’ data breaches have on businesses, with IBM’s report revealing that 83% of organizations surveyed have suffered more than one data breach in their lifetime. Another factor that increases over time is the aftermath of breaches on these organizations, which persists long after they occur, as almost 50% of breach costs are incurred more than a year after the breach.
The Cost of a Data Breach 2022 report is based on an in-depth analysis of actual data breaches suffered by 550 organizations worldwide between March 2021 and March 2022. The research, which was sponsored and analyzed by IBM Security, was conducted by the Ponemon Institute.
Some of the key findings from the IBM 2022 report include:
- Critical infrastructure lags behind in zero trust – Nearly 80% of critical infrastructure organizations surveyed are not adopting zero-trust strategies, seeing average breach costs rise to $5.4 million – a $1.17 million increase compared to those that do. Meanwhile, 28% of breaches among these organizations were ransomware or destructive attacks.
- It doesn’t pay to pay – Ransomware victims in the study who opted to pay threat actors’ ransom demands saw only $610,000 less in average breach costs compared to those who chose not to pay – not including the cost of the ransom. Considering the high cost of ransom payments, the financial cost may increase even more, suggesting that simply paying the ransom may not be an effective strategy.
- Cloud security immaturity – Forty-three percent of the organizations surveyed are in the early stages or have not started implementing security practices in their cloud environments, observing more than $660,000 on average in higher breach costs than organizations surveyed with mature security in their cloud environments.
- Security AI and automation lead as a multi-million-dollar cost saver – Participating organizations fully deploying security AI and automation incurred $3.05 million less on average in breach costs compared to the organizations studied that did not deploy the technology – the biggest cost saver observed in the study.
“Companies need to put their security defenses on the attack and beat the attackers to the punch. It’s time to prevent the adversary from achieving their goals and start minimizing the impact of attacks. The more companies try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel increases in the cost of living,” said Charles Henderson, Global Head of IBM Security X-Force. “This report shows that the right strategies paired with the right technologies can help make all the difference when businesses are under attack.”
Over-trusting critical infrastructure organizations
Concerns over the targeting of critical infrastructure appear to have grown globally over the past year, with many governments’ cybersecurity agencies calling for vigilance against disruptive attacks. In fact, the IBM report reveals that ransomware and destructive attacks accounted for 28% of breaches among the critical infrastructure organizations studied, highlighting how threat actors seek to fracture the global supply chains that rely on these organizations. This includes financial services, industrial, transportation and healthcare companies, among others.
Despite the call for caution, and a year after the Biden administration issued an executive order on cybersecurity that centers on the importance of adopting a zero-trust approach to strengthen the country’s cybersecurity, only 21% of critical infrastructure organizations surveyed adopt a zero-trust security model, according to the report. Additionally, 17% of breaches in critical infrastructure organizations were caused by the initial compromise of a business partner, highlighting the security risks posed by over-trusting environments.
Companies paying the ransom aren’t doing ‘good business’
According to the 2022 IBM report, companies that paid threat actors’ ransom demands saw $610,000 less in average breach costs compared to those that chose not to pay – not including the amount of ransom paid. However, when considering the average ransom payment, which according to Sophos reached $812,000 in 2021, companies that choose to pay the ransom could face higher total costs, while inadvertently funding future ransomware attacks with capital that could be allocated to remediation and recovery efforts and reviewing potential federal violations.
The persistence of ransomware, despite major global efforts to prevent it, is fueled by the industrialization of cybercrime. IBM Security X-Force found that the duration of studied enterprise ransomware attacks declined 94% over the past three years, from more than two months to just under four days. These exponentially shorter attack lifecycles can trigger higher-impact attacks, as cybersecurity incident responders are left with very short windows of opportunity to detect and contain attacks. With “ransom time” falling to hours, it is critical that organizations prioritize rigorous testing of incident response (IR) playbooks in advance. But the report says that up to 37% of organizations surveyed that have incident response plans don’t test them regularly.
Advantage of hybrid cloud
The report also featured hybrid cloud environments as the most common infrastructure (45%) among the organizations surveyed. At an average of $3.8 million in breach costs, companies that adopted a hybrid cloud model observed lower breach costs compared to companies with a public or private cloud-only model, which experienced $5.02 million and $4.24 million respectively on average. In fact, the hybrid cloud adopters studied were able to identify and contain data breaches 15 days faster on average than the global average of 277 days for participants.
The report highlights that 45% of breaches studied occurred in the cloud, underscoring the importance of cloud security. However, 43% of reporting organizations said they were only in the early stages or had not started to implement security practices to protect their cloud environments, observing higher breach costs.2 The companies surveyed that did not implement security practices in their cloud environments took an average of 108 days longer to identify and contain a data breach than those that consistently enforce security practices across their domains.
Additional findings from the IBM 2022 report include:
- Phishing Becomes Costliest Cause of Breach – While compromised credentials remained the most common cause of a breach (19%), phishing was the second (16%) and costliest cause, leading to $4.91 million average breach costs for responding organizations.
- Costs of healthcare breaches hit double digits for the first time ever – For the 12th consecutive year, healthcare participants have seen the costliest breaches among industries, with average breach costs in healthcare increasing by nearly $1 million to reach a record $10.1 million.
- Insufficient security staff – Sixty-two percent of organizations surveyed said they did not have enough staff to meet their security needs, averaging $550,000 more in breach costs than those that report having sufficient staff.
- To download a copy of the 2022 Cost of a Data Breach report, please visit: https://www.ibm.com/security/data-breach.
- Learn more about the report’s key findings in this IBM Security Intelligence Blog.
- Register for the IBM 2022 Webinar on The Security Cost of a Data Breach on Wednesday, August 3, 2022, at 11:00 a.m. ET here.
- Contact the IBM Security X-Force team for a personalized review of the results: https://ibm.biz/book-a-consult.
About IBM Security
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, backed by world-renowned IBM Security X-Force® research, enables organizations to effectively manage risk and defend against emerging threats. IBM operates one of the world’s largest security research, development, and delivery organizations, monitors more than 150 billion security events per day in more than 130 countries, and has been awarded more than 10,000 security patents worldwide. For more information, please check www.ibm.com/security, follow @IBMSecurity on Twitter or visit the IBM Security Intelligence Blog.
IBM Security Communications
1 Cost of a Data Breach Report 2022, conducted by the Ponemon Institute, sponsored and analyzed by IBM
2 Average cost of $4.53M compared to the average cost of $3.87 million in participating organizations with advanced cloud security practices