$4.45 Million: The Cost of a Data Breach in 2023, Says IBM

IBM released its hotly anticipated 2023 Cost of a Data Breach Report surveying 553 organizations that experienced a data breach from March 2022 to March 2023. This report is extensive, with participating companies from 16 countries or regions across 17 industries.

Here are a few key findings:

• The global average data breach cost in 2023 was $4.45 million, a 15% increase over 3 years.

• In response to a breach, 51% of organizations plan to increase security investments including incident response planning and testing, employee training, and threat detection tools.

• Only one in three companies discovered the data breach through their own security teams. The remaining 67% were reported by benign third parties or attackers.

• Breaches discovered from outside the organization cost companies nearly $1 million more compared to internal detection.

If this sounds dire, it is. The frequency and cost of cyberattacks are on the rise.

But it’s not all bad news. The report finds that organizations extensively investing in security AI and automation enjoyed an average savings of $1.76 million compared to organizations that didn’t.

The takeaway is clear: The more organizations invest in security technologies that reduce manual workloads and automate crucial processes such as threat detection, the better. Let’s examine some of the costly specifics of data breaches and what organizations can do to better protect themselves.

There are several reasons why data breaches are so financially damaging, including—costs of remediation, legal and regulatory fines, potential lawsuits and settlements, loss of proprietary information, and disruption of normal business operations.

In addition, the longer the breach goes undetected, the larger the fallout. Companies that discovered the compromise within 200 days lost $3.93 million compared to companies that identified the issue after 200 days with $4.95 million.

Organizations using security AI and automation identified and contained breaches 108 days faster than their peers without these tools, resulting in reduced costs to address the issue. On average, it took 204 days to identify a data breach and another 73 days to contain it in 2023—nearly a full year to detect, investigate, and remediate one of the most damaging security events an organization can experience.

The impacts of a data breach are not evenly distributed across industries. Healthcare is far and away the most impacted sector with $10.93 million in losses in 2023, followed by the financial ($5.90 million), pharmaceutical ($4.82 million), energy ($4.78 million), and industrial ($4.73 million) industries. According to IBM's threat intelligence, manufacturing is the most commonly targeted industry. It is also worth noting that since the COVID-19 pandemic, healthcare has seen higher average data breach costs.

Smaller organizations with fewer than 500 employees suffered higher data breach costs in 2023 ($3.31 million) than in the previous two years ($2.92 and $2.95). While, of course, the largest organizations suffered the most costly breaches due to the size of their data footprints, this cost increase in the small business segment of the market illustrates that attackers—often highly opportunistic operators—will target any and all organizations.

A resounding 82% of breaches involved cloud storage. Interestingly, 39% of breaches spanned multiple cloud environments—including public and private clouds—incurring a higher-than-average cost of $4.75 million.

As remote, hybrid, and dispersed workforces become the norm, organizations naturally lean on cloud-based technologies to foster communication and collaboration. Sadly, attackers see these sprawling environments as prime opportunities for exploitation.

Phishing (16%) and compromised credentials (15%) were the two most prevalent attack vectors for data breaches in 2023. They also ranked among the top four costliest incident types ($4.76 million and $4.62 million) along with malicious insiders (at 6% but costing an average of $4.9 million) and business email compromise (at 9% with an average cost of $4.67 million).

The share of data breaches originating from a software supply chain attack was 12%. Preying on the goodwill between organizations and their suppliers, threat actors using supply chain attacks enjoyed a longer time to detection and resolution (294 days) compared to other attacks (269 days).

But simply knowing your attack surface isn’t enough. Organizations must be able to defend themselves against these costly attacks.

IBM stresses that AI and automation dramatically improve security measures, which makes sense when you understand that threat actors use automation and AI tools to launch their attacks too. Plus, AI technologies work faster than a human team ever could.

Yet only 28% of organizations used security AI extensively in 2023. This is an incredibly expensive oversight that causes security teams to miss red flags, experience slow response times, and increase the fallout of a data breach. Robust AI-powered cybersecurity solutions reduce costs and speed up containment efforts.

Innovative technologies like Abnormal use AI and machine learning to create a baseline of normal, known-good behavior across your cloud email environment. Why is this important? By understanding good behaviors, Abnormal proactively identifies bad behaviors that may indicate risks to your cloud-email environment.

Stop bad actors in their tracks to better secure your data, sign-in credentials, and cloud email environments. It’s all about facing risks before they become problems.

Prevent costly data breaches by detecting and mitigating email account takeovers in real time. Explore our Email Account Takeover Protection data sheet or schedule a demo today!