
What is the cost of a data breach? – Source: www.csoonline.com


Source: www.csoonline.com – Author:

The cost of a data breach is not easy to define, but as more and more organizations fall victim to attacks and exposures, the financial repercussions are becoming clearer.

For modern businesses regardless of industry or size, the monetary impact of a data breach is substantial. IBM’s latest Cost of a Data Breach report discovered that, from March 2023 to February 2024, the average cost of a data breach globally reached an all-time high of $4.88 million. This figure represents a 10% increase over the same period ending February 2023 and a 26.4% rise from 2018. Over the course of the past decade, data breach costs have risen 39.4%.

“The report highlights trends I have been concerned about since the second half of 2023 when we started seeing organizations cut security staffing and budget,” said David Shipley, CEO and co-founder of Beauceron Security. “These are predictable outcomes of the combination of an out-of-control cybercrime wildfire combined with cutbacks both in cyber fire prevention and firefighting.”

Of the 604 organizations that took part in the study, 70% experienced a significant or very significant disruption to business resulting from a breach.

Defenders substantially improved in the areas of mean time to identify (MTTI) and mean time to contain (MTTC), marking a 7-year low at 258 days combined — and down 7% from the previous year. This improvement was also felt in the average cost of detection and escalation, which remained relatively flat, with a 3% increase to $1.63 million. Lost business costs and post-breach response, however, increased 13.1% and 12.5%, respectively, contributing significantly to the cost increase of the average data breach overall.

Regional costs

Leading the pack for the 14th year (and not in a good way) was the US, whose average breach cost was $9.36 million. While a 1.3% decline from 2023’s $9.48 million, it still outstripped the rest of the world by more than half a million dollars per breach. The Middle East, which considered Saudi Arabia and the United Arab Emirates for the report, was No. 2 of the 16 countries and regions surveyed, at $8.75 million, up 8.4% from 2023. It’s important to note that the number of organizations surveyed from each country can vary considerably — for example, there were 39 respondents from the Middle East and 71 from the US.

Canada ($4.66 million, down 9.2%) and the UK ($4.53 million, up 7.6%) remain in the top 10 hardest hit, with ASEAN ($3.23 million, up 5.9%), Australia ($2.78 million, up 3%), and India ($2.35 million, up 7.8%) among the top 15.

Countries whose companies saw the largest average cost increases over the past year were Italy (up 22.5% to $4.73 million), Germany (up 13.7% to $5.31 million), and Brazil (up 11.5% to $1.36 million).

Breaches by industry

Healthcare remains the industry with the highest cost per breach by far, at $9.77 million, although it has made progress, shaving off 10.6% compared to 2023. It was one of only four sectors out of 17 that managed to reduce their average breach cost in 2024, the other three being research (down 2.5%), education (down 4.3%), and the public sector (down 2%).

Average breach cost by industry

Industry                2024     2023     Change
Healthcare              $9.77M   $10.93M  -10.6%
Financial               $6.08M   $5.90M    3.1%
Industrial              $5.56M   $4.73M   17.5%
Technology              $5.45M   $4.66M   17.0%
Energy                  $5.29M   $4.78M   10.7%
Pharmaceuticals         $5.10M   $4.82M    5.8%
Professional services   $5.08M   $4.47M   13.6%
Transportation          $4.43M   $4.18M    6.0%
Entertainment           $4.09M   $3.62M   13.0%
Communications          $4.09M   $3.90M    4.9%

What attackers chase when breaching your company

It’s probably no surprise that personally identifiable information (PII) is by far the main type of data snatched during breaches. In 2024, 48% of compromised records were customer PII (down from 52%). Employee PII was second in 2023, at 40%, but dropped to third (37%) in 2024, swapping places with intellectual property (IP). Stolen IP was involved in 47% of breaches in 2024, up significantly from 34% in 2023.

IP theft and loss is a consequential data breach cost, notes Glenn J. Nick, associate director at Guidehouse. The fact that it is on the rise can have major repercussions for most organizations.

“Losing intellectual property can devastate a company’s growth,” Nick says. “Stolen patents, engineering designs, trade secrets, copyrights, investment plans, and other proprietary and confidential information can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company.”

Corporate data and anonymized customer data round out the top five data types stolen in 2024, a year in which a new category was added to the report: shadow data, meaning data stored in unmanaged sources. Around one third (35%) of breaches involved shadow data. Worse, according to the report, its theft correlated with a 16% higher cost per breach.

“Researchers found storing data across environments proved to be a common storage strategy, accounting for 40% of breaches,” the report noted. “These breaches also took longer to identify and contain. In contrast, data stored in just one type of environment was breached less often, whether that environment was public cloud (25%), on premises (20%) or private cloud (15%).”

“This risk of shadow data will become even more elevated in the AI era, with data serving as the foundation on which new AI-powered applications and use-cases are being built,” adds Jennifer Kady, vice president of security at IBM. “Gaining control and visibility over shadow data from a security perspective has emerged as a top priority as companies move quickly to adopt generative AI, while also ensuring security and privacy are at the forefront.”

Reputational damage still a big cost of being breached

In many ways immeasurable, reputational damage remains among the most significant costs in the wake of a breach. “Ultimately, customer trust is very easy to break, and very difficult to build,” Allie Mellen, senior analyst at Forrester, tells CSO.

Bob Dutile, chief commercial officer at UST, agrees: “The cost of a data breach is typically realized in relative competitive change in the marketplace. Companies find that their brand does not command the same price premium, customer conversion costs are higher, and market share is lost. For a public company, the near-term assessment of the cost impact is reflected in stock price movement.”

According to Dutile, research shows that between $8 million and $10 million is a good planning number in the US for a midsize business facing a modest breach of under 250,000 records. About a third of that cost will be loss of business due to reputation damage.

How a company responds to and communicates a breach can have a large bearing on that reputational impact, Forrester’s Mellen notes. “Understanding how to maintain trust with your consumers and customers is really critical here,” she adds. “There are ways to do this, especially around building transparency and using empathy, which can make a huge difference in how your customers perceive you after a breach. If you try to sweep it under the rug or hide it, then that will truly affect their trust in you far more than the breach alone.”

Severe business downtime can cost millions

Business downtime can be significantly costly for a breached organization, depending on the level and extent of the downtime and how technology-dependent the firm is, Jason Hicks, field CISO at Coalfire, tells CSO. “Often a breach is not going to take a company completely offline, but it can happen. The more critical systems that are taken down, the more significant the cost.”

Manufacturing tends to have the best metrics around this, as it’s relatively simple to measure the cost per minute if an assembly line is down, Hicks says. “This can translate into millions of dollars a day for a large manufacturing company. This can be more nebulous for other industry verticals, but there are models to get a reasonable feel that can be applied to each vertical.”

Regulation and litigation add to data breach costs

Increasingly strict data protection and privacy laws along with litigation are seeing a growing number of companies issued large fines, paying hefty settlements, and stumping up for legal fees following data breaches and non-compliance. This has played out several times recently. Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after it decided the company violated the nation’s network security, data security, and personal information protection laws.

Meanwhile, Amazon was penalized $877 million for breaches of GDPR cookie rules, T-Mobile agreed to pay $350 million to settle a consolidated class-action lawsuit following a data breach from early 2021, and Google agreed to pay $60 million in penalties for misleading Australian users about how it obtained location data.

“Regulated industries suffer not only the immediate cost of responding to, containing, and remediating vulnerabilities but also the long-term effects of additional penalties from their regulatory bodies and legal settlements,” Nick says. Highly regulated industries, such as healthcare and financial services, typically rank first and second in cost per breach because they pay more non-compliance fines than others, he adds.

“Investigation and adjudication often take years for the victim organization to reach a monetary settlement with affected parties.” Legal costs are one of the largest expenditures organizations face in data breaches, Nick states. “Organizations rarely have the legal and privacy expertise in-house. To ensure compliance, they must hire outside counsel to lead their reporting.”

The role of cyber insurance

Cyber insurance is one way companies mitigate the cost risks of being breached. Sharp increases in the costs of cyber insurance premiums have been stabilizing of late, but even organizations covered by insurance can expect to dole out extra cash to make good after a breach. One definite cost hit will be a hike in their insurance premiums, Guidehouse’s Nick says.

“Some organizations have reported post-breach increases in premiums of approximately 200%,” he adds.

Insurers are also implementing more coverage limitations, meaning that even with a policy in place, businesses could find themselves financially responsible for certain breach-related costs.

In fact, Forrester’s Mellen says any notion that policies will allow organizations to fully recover financially from a cyberattack is folly. “In reality, it’s not going to cover all of the costs associated with any type of cyberattack, and we see some insurance firms not even covering ransomware at this point as part of their payouts,” she adds.

Another factor to consider is that cyber insurance providers typically have a list of approved service providers such as lawyers and forensics firms, Hicks says.

“If your preferred provider is not on their list, you may have to work with them to get them included, or potentially have to change providers. This can be costly, as firms are often leveraging their existing service providers to secure the maximum discounts based on the volume of work done with the partners. Also, if for some reason you can’t get them added, you could end up having to pay the costs directly versus having your insurance cover it.”

Organizations increasingly open to paying ransoms

Evidence suggests that companies are increasingly open to paying ransoms as part of their breach response, even setting aside millions of dollars for this purpose.

“One of the first questions I often get is, ‘Should we set up a Bitcoin wallet to prepare for having to pay ransom?’” Mellen tells CSO. “At the end of the day, a ransomware attack can be an existential event for a company if their backups are not in a secure place or are not up to date, so they 100% do prepare for the reality of having to pay the ransom.”


Threat actors look to determine the amount a business might be prepared to pay to continue operations. Data from ExtraHop indicates that 83% of businesses affected by ransomware in 2022 chose to pay a ransom at least once.

Involving law enforcement in response to a ransomware attack can affect the overall cost of a breach, according to the survey. In 2024, 52% of ransomware victims called in law enforcement, and of those, 63% avoided paying a ransom. They also saved almost $1 million (excluding any ransom paid) compared to those who did not involve law enforcement, with average breach costs of $4.38 million ($4.64 million in 2023). The average cost of a breach without law enforcement involvement in 2024 was $5.37 million ($5.11 million in 2023).

Law enforcement involvement also sped up the identification and containment of a ransomware attack, cutting it from 297 to 281 days on average.

Insufficient security staffing leads to higher breach costs

According to IBM’s latest report, the security skills shortage is one of the biggest data breach cost amplifiers, with the average additional cost of a data breach attributable to the cyber skills shortage pegged at $1.76 million. With a 26.2% year-over-year increase in cyber skills shortages, escalating data breach costs should be expected in the future.

If insufficient security staff equates to greater data breach costs, organizations should heed Mellen’s warning about the impact a poorly handled data breach can have on employees.

“If they don’t feel like the organization is able to protect them or customers in the event of a breach, or that they blame their employees for a breach, then they’re likely going to start looking for jobs elsewhere because it creates a bit of a hostile environment for them,” she says. “It is very important for organizations to recognize that they need to accept responsibility and protect both their employees and their customers.”

Among the factors that can help decrease the cost of a data breach, IBM ranks employee training No. 1, reducing the average cost by around $260,000.

Security AI and automation

In the face of staff and skills shortages, CISOs are increasingly turning to AI and automation to close the gap. According to IBM’s latest report, the average cost saving per breach for organizations using security AI and automation tools was $2.22 million, up from $1.76 million in 2023.

“While data breach costs have continued to rise over the majority of the history of this report, we’ve also seen adoption and investment in key security technologies and approaches improving,” IBM’s Kady says. “More and more organizations are adopting AI and automation-based security approaches focused on speeding response times — which is one of the top factors linked to reducing data breach costs.”

Other technologies and techniques that have an impact in reducing the cost of a data breach, according to the report, include, in descending order of impact: security information and event management (SIEM); incident response planning; encryption; threat intelligence; identity access management (IAM); security orchestration, automation, and response (SOAR); and endpoint detection and response (EDR) tools.

Preparedness is key to managing data breach costs

No matter the specific costs involved, experts agree that preparedness is key to mitigating the financial repercussions of a breach.

“Faster incident response continues to be a clear driver for lowering the cost of a breach,” UST’s Dutile says. “The worst losses are those that go undetected for an extended time or have a slow or ineffective response.”

Modern cybersecurity requires a post-breach mindset that assumes a successful data breach will eventually occur, Forrester’s Mellen adds.

“Operating under those conditions, you need to figure out how you’re going to handle that and build your resiliency to respond better and faster. This isn’t just about the security function either, and it needs to be spread across an organization, considering what marketing is going to do, what sales is going to do, etc. — how, as a business, you can demonstrate you value your customers and that you want to make it right as quickly and effectively as possible,” she says.


Original Post url: https://www.csoonline.com/article/567697/what-is-the-cost-of-a-data-breach-3.html

Category & Tags: Data Breach, Security
