Study: Average Cost of a Data Breach Rises to $4.9 Million
Involving Law Enforcement After Ransomware Attacks Drives Down Costs, Study Finds
There's one tested method for minimizing total cyber incident response costs: Bring in law enforcement to assist.
That's one high-level takeaway from IBM's "Cost of a Data Breach Report 2024," which says that organizations hit by ransomware that worked with law enforcement spent on average $1 million less, excluding any ransom paid. That's in part because they were able to investigate and remediate the incident more quickly. Such organizations were also less likely to pay a ransom, and so did not fund criminals.
The 19th annual report from IBM is based on research conducted by Ponemon Institute, which surveyed 604 organizations across 17 different industries and 16 countries or regions that suffered data breaches sometime between March 2023 and February 2024. Researchers interviewed more than 3,500 security professionals and C-suite executives who had first-hand knowledge of their incident. Organizations in the financial services, industrial, professional services and technology sectors collectively comprised 47% of all breached organizations surveyed.
The greatest proportion of breached businesses surveyed are U.S.-based, comprising 12% of all organizations surveyed, followed by organizations based in India at 9%, the U.K. and Germany at 8%, and Brazil and Japan at 7%.
Data breaches continue to grow more costly. The study pinpoints the average cost of a breach at an all-time high of $4.9 million, which is a 10% increase from last year, largely due to business disruption and post-breach customer support and remediation expenses.
Nearly two-thirds of breached businesses expected to pass these costs on to consumers by raising the price of their goods or services, the study says.
Regional variations apply. At the high end, the cost of a data breach for a U.S. organization averaged $9.36 million, and $8.75 million in the Middle East. At the low end of the cost spectrum, organizations in Brazil reported an average breach cost of $1.4 million, followed by India at $2.4 million.
By industry, for the 13th year running, the healthcare sector saw the highest costs as the result of a breach, averaging $9.8 million per incident, followed by financial services at $6.1 million.
The total cost of a breach reflects both direct and indirect costs reported by organizations that lost up to 113,000 compromised records. "Direct expenses included engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services," the report says. "Indirect costs included in-house investigations and communications along with the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates."
Seventeen of the breached organizations surveyed suffered what IBM classified as a "mega breach" involving 1 million or more records. Mega breaches tend to be orders of magnitude more expensive than non-mega breaches. Due to the small sample size, IBM's average cost of a breach calculation - which is based on the number of records exposed - excludes the mega breaches, as well as very small breaches.
Involving law enforcement isn't the only way that breached organizations reported lower overall breach costs.
The study found that two-thirds of organizations, up 10% from last year, report investing in artificial intelligence and automation capabilities for their security operations centers, or via SOCs they accessed through managed security service providers, which is a service IBM sells. "When deployed extensively across prevention workflows - attack surface management, red-teaming and posture management - organizations averaged $2.2 million less in breach costs compared to those with no AI use in prevention workflows," the study says. "This finding was the largest cost savings revealed in the 2024 report."
What leads to higher costs? The study found that 40% of breached data was being stored in public clouds, and breaches of such data led to higher costs - on average, $5.2 million per breach. In addition, one-third of organizations reported that at least some of their breached information involved "shadow data" stored without the security team's knowledge, either in the cloud or on-premises, sometimes as part of unsanctioned AI models.
Breaches took, on average, 169 days to identify and another 58 days to contain, unless shadow data was involved, which increased those figures to 220 days and 71 days.
"Security teams must now assume their organizations have unmanaged data sources," the report says. "Unencrypted data, including data in AI workloads, further exacerbates the risk. Data encryption strategies must consider the types of data, its use and where it resides to lower risk in case of a breach."
Of the breached organizations surveyed, 63% said they plan to increase their security spending, up from 51% the previous year. The overall top area of spending, at 55% of organizations planning to spend more, was incident response planning and testing, followed by threat detection and response technologies at 51%, employee training at 46% and identity and access management tools at 42%.