Share this article on:
Research from IBM’s Cost of a Data Breach Report 2023 shows breaches are costing more, especially if tackled without the help of law enforcement.
IBM’s annual Cost of a Data Breach Report has just dropped, and its findings show the costs of a breach are rising.
However, some data points show costs can be kept lower – but data breaches remain an expensive threat even for the most prepared organisation.
The average cost of a data breach is now at its highest, a trend that is now more than a few years old. For 2023, the average cost of a breach was US$4.45 million, up only 2.23 per cent from last year’s figure of US$4.53 million. But it’s a significant increase over a longer time frame; back in 2020, the cost was “just” US$3.86 million, making this year’s cost figure a 15.3 per cent increase.
In some countries or regions, however, the average costs are far higher. The US is top of the list of the most expensive places to suffer a breach, with an average cost of nearly US$10 million. The Middle East and Canada are next and also more expensive than the global average. By comparison, organisations in Australia are better off, with data breaches costing Australian organisations, on average, US$2.7 million – actually a touch lower than last year and placing Australia 13th overall for costs.
Despite the rising costs, only 51 per cent of impacted organisations said they were planning to increase their cyber security spending.
“While data breach costs continued to rise, report participants were almost equally split on whether they plan to increase security investments because of a data breach,” IBM said in its report. “The top areas identified for additional investments included incident response (IR) planning and testing, employee training, and threat detection and response technologies.”
The report also found several mitigating factors that could increase or even lower the cost of post-breach recovery.
One of the key drivers of upward costs was the decision not to involve law enforcement. While most organisations did make the right choice and engage the proper authorities, the 37 per cent of organisations that did not end up with 9.6 per cent higher costs on average. Recovery time also increases if law enforcement is kept out of the picture, with breach cycles lasting 33 days longer compared to those who call for help.
Overly complex security systems also have a negative impact, driving recovery costs up 36.1 per cent compared to organisations with less complex solutions in place. The time to resolve a breach also makes a difference – a breach cycle longer than 200 days can cost 23 per cent more than one resolved within 200 days.
It’s not all entirely bad news, though, as some steps can keep costs down.
Automating cyber security and using artificial intelligence-enhanced security products saves, on average, US$1.76 million from recovery costs, with the added benefit of dropping recovery time by well over 100 days. Being able to detect a breach internally – rather than having it reported by a well-meaning third party or even the hacker themselves – also makes for a considerable saving. The 33 per cent of companies polled that detected a breach themselves managed to shave nearly a million off the cost of recovery.
Embedding security testing in software development – DevSecOps – is arguably the greatest investment a company can make.
“Organisations with high DevSecOps adoption saved US$1.68 million compared to those with low or no adoption,” IBM said. “Compared to other cost-mitigating factors, DevSecOps demonstrated the largest cost savings.”
Having proper incident response planning in place can also save a lot of money. IR planning and testing can lead to dropping US$1.49 million from the data recovery total cost.
The report also breaks down regional trends, details of attack vectors, and a lot more when it comes to analysing what makes a data breach tick. You can read the full report here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.