After reaching an all-time high in 2021, the number of data compromises in the U.S. fell to 1,802 last year, according to the Identity Theft Resource Center. The number includes more than 1,700 data breaches, 18 data exposures that impacted more than seven million victims and 10 “unknown compromises,” the organization reports.
“While we did not set a record for the number of data compromises in the U.S. last year, we came close,” the organization’s president and CEO, Eva Velasquez, said. “These compromises impacted at least 422 million people.” Velasquez also said that people remain “largely unable to protect themselves from the harmful effects of data compromises.” This, in turn, has fueled an epidemic of identity fraud committed with compromised or stolen information.
Data Breach Costs are Rising
As governments, organizations and individuals work to protect their data and information from the “bad actors” that so badly want to compromise them, IBM has been doing its research on the financial impacts of these data breaches.
In its new Cost of a Data Breach Report 2023, the company says that the average cost of a data breach reached an all-time high of $4.45 million (USD) this year. This represents a 2.3% increase over 2022’s cost of $4.35 million. Compared to IBM’s 2020 report, over the last three years the average cost of a data breach has increased by 15.3% from $3.86 million.
Here are some of the other interesting findings from the IBM report:
- Internal security teams need to be doing more. Just one-third of companies that IBM surveyed discovered the data breach through their own security teams, highlighting a need for better threat detection. The company also says that 67% of breaches were reported by a benign third party or by the attackers themselves. This detection method is costly: When attackers disclosed a breach, it cost organizations nearly $1 million more compared to internal detection.
- The price goes up when law enforcement isn’t involved. IBM says that companies spend an average of $470,000 more on ransomware attacks that don’t involve law enforcement. While 63% of IBM’s survey respondents said they did involve law enforcement, the 37% that didn’t also paid 9.6% more and experienced a 33-day-longer breach lifecycle.
- Healthcare is a big target. Since 2020, healthcare data breach costs have increased by 53.3%, which IBM describes as a “considerable rise in data breach costs” for the highly regulated healthcare industry. And for the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of $10.93 million.
- Bad actors like the cloud. IBM says cloud environments were frequent targets for cyberattackers in 2023. Attackers often gained access to more than one environment: 39% of breaches spanned multiple environments and incurred a higher-than-average cost of $4.75 million.
- The longer it takes to fix, the more expensive the breach. Time to identify and contain breaches—known as the breach lifecycle—continues to be integral to the overall financial impact of those breaches, according to IBM. For example, breaches with identification and containment times of under 200 days cost organizations $3.93 million. On the other hand, those breaches that took more than 200 days to contain cost companies $4.95 million, or a difference of 23 percent.
Making Security a Core Requirement
For companies that want to minimize the financial and operational impacts of a data breach, IBM says the first step is to build security into every stage of software development and deployment. Then, be sure to test regularly.
“Organizations of all types should look to ensure that security is at the forefront of the software they’re developing as well as commercial off-the-shelf software that they’re deploying,” the company adds.
“Application developers must continue to accelerate the adoption of the principles of secure by design and secure by default,” it continues, “to ensure that security is a core requirement that’s considered during the initial design phase of digital transformation projects and not simply addressed after the fact.”