For 19 years, IBM’s annual Cost of a Data Breach Report has provided insights into the increasingly consequential reality of data security. Based on research studying 604 organizations in 16 countries and regions across 17 industries that were impacted by data breaches between March 2023 and February 2024, this year’s report highlights some intriguing trends.
First off, the average total cost of a breach is up 10% this year, from $4.45 million USD to $4.88 million – the highest since the pandemic, and the continuation of a steep upward trend. In the August 13th webinar, IBM Security’s Sam Hector highlighted that increased business disruption is a significant contributor to these higher costs. “Not necessarily the direct cost of the data breach to an organization,” he explained, “but actually the knock-on impacts of a breach like not being able to process sales orders, for example, or a shut down in manufacturing or production facilities.”
Industries Affected by Breaches
The healthcare industry had the costliest breaches by far, even though the average healthcare breach cost fell 10.6%, to $9.77 million. It has held the top spot since 2011 because the healthcare industry is highly vulnerable – depending as it often does on outdated technologies, while holding very sensitive patient data – making it a tempting target for attackers, especially as healthcare systems struggle to recover from the effects of the global pandemic.
Geographically, the United States has the highest average breach costs. Among many reasons, Hector pointed out that the “culture of litigation” in the US is driving the cost of a breach upward due to class action lawsuits. The Middle East region is a close number two, experiencing a big jump in the last year. This region’s proportion of global corporations, increasing quickly over the last decade, has led to technological jumps without a corresponding increase in IT infrastructure. This demonstrates that changes can occur rapidly, and it is important to implement controls and have them in place before growth occurs, or you will end up playing catch-up.
Use of AI
One statistic highlighted in the report is the growth of the cyber skills shortage, up 26.2% since last year’s report. More than half of organizations in the study are facing high security staffing shortages, leading to an average of $1.76 million in breach costs. AI and automation are helping to fill in the gap with some positive effect, but the gap remains. Organizations have gotten the message, with 2 in 3 now adopting AI and automation – a 10% jump. While far from solving the skills shortage, extensive use of AI and automation is making a difference, representing an average savings of $2.2 million in breach costs.
Many CSOs and IT teams are skeptical of AI, but it can be used responsibly to strengthen security. The other side of the machine learning coin, however, is the fact that generative AI (GenAI) is also playing a role in creating phishing attacks. Additionally, you can open yourself up to data insecurity by using a fully public GenAI model since some of these models memorize up to 30% of training data, creating a weak point.
What's the cost?
Even as costs have continued to escalate generally, firms are taking this issue more seriously and outsourcing to trusted security and management services to very positive effect. In addition, increasingly sophisticated and integrated detection and analytical tools are catching threats earlier, and predictably the longer the breach goes on without detection the worse the effects will be. In 2024 breaches with a lifecycle of over 200 days (about 6 and a half months) averaged $5.46 million, compared with $4.07 million for breach lifecycles under 200 days – a significant difference.
In the August 13th webinar, Diana Kelley of Protect AI pointed out, “it really comes down to how quickly we can identify something that is going on.” How early something is detected, and how it is detected, can have a huge impact on the cost of a breach. When the attackers themselves report the breach, for example, there is an associated $1 million average increase in cost.
Not exactly a barrage of good news, but there are effective measures to avoid ever getting breached in the first place. This was stressed in the webinar, where the importance of having a strong “human firewall” was emphasized. Breaches involving stolen credentials and other similar user-level strategies take much longer to detect and can be approached proactively by not only educating your workforce but testing them regularly. As Kelley put it, “when you’ve got that muscle memory…(to) the part of your brain that is responding to the psychological stress, the muscle memory is calming.” No one likes repetitive data security training, but the familiarity is the point.
There are so many different and eye-opening data points in the report, we encourage you to dive deep into it. The webinar is also now available for streaming and offers some useful insights on proactive and reactive measures that can be taken to combat this problem. The more we learn and talk about cyber security in general, the more prepared we will be.
A comprehensive enterprise mobile management solution such as emSentry is an easy method to enforce strict security protocols on the devices your employees use.