83% of organizations in the study have experienced more than one data breach in their lifetime. The cost of a data breach? On average, $4.4 million - an all-time high. This is a growth of 2.6% compared to 2021. Because it is an increasing problem, the Ponemon Institute and IBM Security® prepare a report every year. This is called the Cost of a Data Breach Report. Recently, the Ponemon Institute released the 2022 report. We have, of course, reviewed this report for you and below is a handy summary full of insights and tips for preventing a data breach.
Who is this report for and what is its purpose?
Of course, everyone in an organization can do their part to prevent a data breach. However, the information below is most relevant to the CEO, CISO, IT staff, risk management and security managers. The report serves as a tool to better assess and understand data breach risks and mitigate potential losses.
How was this report created?
For this report, the Ponemon Institute and IBM Security® studied 550 organizations affected by a data breach between March 2021 and March 2022. These included organizations from 17 countries/regions and 17 different industries. To calculate the average cost of a data breach, this study excluded very small and very large data breaches. The data breaches examined in the 2022 study ranged in size from 2,200 to 102,000 so-called 'compromised records' (a compromised record is, for example, an email address).
In this report, the cost of a data breach is calculated from 4 cost items:
- Detection and escalation. Activities related to detecting the data breach.
- Lost business. Activities to mitigate financial losses, such as the loss of customers and revenue.
- Notifications. All communication about the data breach, including with authorities and external experts.
- Recovery after a data breach. All activities to help those affected by a data breach.
Highlights from the Cost of a Data Breach 2022 report
Data breach costs vary by country
The average cost of a data breach is $4.4 million. However, the costs vary considerably by country. These are the 5 countries with the highest costs:
- The United States - USD 9.44 million.
- The Middle East - USD 7.46 million.
- Canada - USD 5.64 million.
- The United Kingdom - USD 5.05 million.
- Germany - USD 4.85 million.
Healthcare sees the costliest breaches and hits double digits
For the 12th year in a row, healthcare was the industry with the highest costs. The average cost of a data breach in healthcare increased from USD 9.23 million in 2021 to USD 10.10 million in 2022, hitting double digits for the first time ever.
Healthcare is one of the most heavily regulated industries worldwide (for example, NTA 7516 in the Netherlands or HIPAA in the US) and is even considered critical infrastructure by the U.S. government.
Healthcare is joined in the top five sectors with the highest data breach costs by the financial, pharmaceutical, technology and energy sectors.
Organizations pass losses on to customers
More than half of the organizations (60%) indicated during the survey that they increased their prices in response to a data breach. In other words, the cost of a data breach is passed on to the customer.
A long data breach lifecycle
It takes organizations an average of 207 days to identify a data breach and a further 70 days to resolve it. The total data breach lifecycle (time to identify plus time to resolve) is therefore 277 days. It goes without saying that if this lifecycle is shortened, the costs will also be lower.
A data breach lifecycle of 200 days or less costs an average of USD 3.74 million, while a data breach lifecycle longer than 200 days costs an average of USD 4.86 million: a 'saving' of no less than USD 1.12 million.
Phishing is the most costly cause of a data breach
Phishing is by far the most costly cause of a data breach. In 2022, breaches with phishing as the initial attack vector cost an average of USD 4.91 million. After phishing, business email compromise accounted for USD 4.89 million, vulnerabilities in third-party software cost an average of USD 4.55 million, and compromised login credentials accounted for USD 4.50 million.
However, the most common initial attack vector in 2022 was stolen or compromised credentials, responsible for 19% of breaches in the study.
Lack of a zero trust model
59% of organizations have not implemented a zero trust model, even though it is seen as the most effective method for preventing a data breach. The zero trust model assumes that every user, device and connection point is a potential risk, both inside and outside the corporate network. Therefore, every request for access to a system must be authenticated, authorized and encrypted.
$1 million can be traced back to remote working
The study found a clear correlation between remote working and the cost of a data breach. Organizations with the highest proportion of remote workers - 81% to 100% - spent an average of USD 5 million on a data breach. Organizations with the smallest proportion of remote workers - less than 20% - lost an average of USD 4 million to a data breach.
5 tips for preventing a data breach
- Use a zero trust security model to prevent unauthorized access to sensitive data. Results of the study show that organizations with a mature zero trust security model lost USD 1.5 million less to a data breach.
- Protect sensitive data in cloud environments with policy and encryption. With the increasing amount and value of data hosted in cloud environments, organizations must take steps to protect databases hosted in the cloud.
- Use tools that help you protect and monitor your remote workers.
- Create and test an incident response plan, and tighten your data security measures where the test reveals gaps.
- Invest in risk management and prepare your organization for any data breach.
The full 'Cost of a Data Breach Report' can be viewed here.
Download our whitepaper “Keep your organization free of data breaches” and learn the best practices to protect your data.