IBM Security also provided tips for how to prevent and mitigate data breaches.
Data breach costs rose to $4.45 million per incident in 2023, IBM found in its annual Cost of a Data Breach report. Customer and employee personally identifiable information was the most commonly breached type of data in 2023 and was involved in 52% of all breaches reported.
Average data breach cost rose to $4.45 million per incident
Data breach costs rose to $4.45 million per incident in 2023, up 2.3% from $4.35 million in 2022. Overall, the average cost has increased 15.3% from the $3.86 million average in 2020.
In addition, one in three companies discovered a data breach themselves, as opposed to 67% of breaches reported by a third party or by the attackers.
Last year, IBM saw detection and escalation costs increase, indicating that it was taking longer to investigate breaches. On average, it took 277 days for organizations to detect a breach and return to normal service. This trend has continued in 2023, with the costs of detection and escalation rising 9.7% to $1.58 million. Lost business cost dropped the most, by 8.5% to $1.30 million.
Cost was calculated using four areas of financial impact:
- Detection and escalation.
- Notification.
- Post-breach response.
- Lost business.
In the U.S., the average cost of a data breach was $9.48 million, which was the highest globally. The U.K. saw a 16.6% drop in cost from $5.05 million to $4.21 million.
Cloud data is involved in most breaches
The way in which an organization distributed data across its cloud environments was found to make a difference: 82% of breaches involved data stored in public clouds, private clouds or a combination of multiple clouds. In 39% of cases, breaches crossed multiple cloud environments and ran a higher-than-average penalty of $4.75 million.
Trickle-down costs decrease slightly
Customers may feel the impact of data breaches. A slight majority (57%) of organizations increased the prices of their business offerings after a data breach — down slightly from 60% in 2022.
How business leaders can avoid data breaches
IBM recommended the following tips for business leaders trying to prevent data breaches.
Build security into all stages of development
Business leaders should keep in mind the importance of providing resources to help developers work under secure-by-design principles, making sure security comes into play in the initial design phase of major technology changes.
App developers who build cloud-native applications can reduce attack surfaces and bolster user privacy in the cloud. Building security into applications during development will also help organizations keep up to date with regulations, IBM said.
Keep an eye on your hybrid cloud
Organizations should be sure they have strong encryption, data security and data access policies when storing data across multicloud and hybrid cloud environments. Organizations would be well-served by looking into data security and compliance tools that can protect data as it moves.
In addition, data activity-monitoring solutions can help security teams gain insight into their data stores and enforce policies automatically. IBM recommended data security posture management, which is a newer service that can identify vulnerable data across structured and unstructured assets within cloud service providers, software-as-a-service properties and data lakes.
Consider how AI and automation make a difference
AI is trendy right now, but it has proven itself in the numbers, IBM found. Companies using extensive security AI and automation were found to have a $1.76 million lower data breach cost on average, as well as a 108-day shorter time to identify and contain the breach.
Security tool sets that can benefit from AI and automation include:
- Threat detection and response tools.
- Data security and identity solutions to detect suspicious behaviors.
IBM also noted that it’s important to use a trusted service that will not introduce bias or blind spots.
Focus on incident response
A dedicated incident response team or partner can make a big difference. Organizations with mature, high levels of incident response had on average $1.49 million lower data breach costs, compared to organizations with low levels or none, and resolved incidents 54 days faster.
For an added layer of security, network segmentation complements diligent incident response well. Incident response can also be boosted by training security teams on simulated breach scenarios or penetration testing.
51% of survey respondents said they planned to increase security investments after a breach. Incident response, planning and testing, employee training, and threat detection and response technologies were the most desirable areas for additional investment.
Survey methodology
The annual Cost of a Data Breach report was written in partnership with the Ponemon Institute. Respondents came from 553 organizations across 16 countries and geographic regions and 17 industries. All of the surveyed organizations were hit by data breaches between March 2022 and March 2023. Information was collected through 3,475 interviews with IT, compliance and information security practitioners from those organizations.