The cost of a data breach continues to rise every year as new attack methods, new vulnerabilities, and new risks appear. According to IBM’s Cost of a Data Breach Report 2023, the average cost of a data breach in 2023 was USD $4.45 million, a 2.3% increase from 2022’s cost of $4.35 million.
Because the threat landscape is constantly changing, businesses may find it increasingly challenging to secure their data and systems if they don’t have an effective attack surface management (ASM) or third-party risk management (TPRM) program in place. Industries or companies that have a higher risk of becoming a victim of a cyber attack must understand how to protect their assets, or they may end up losing millions of dollars through damages, data theft, reputational damage, and more.
We’ve collected and summarized data and findings from the following reports to help you better understand the risk that you and your organization may be facing in today’s digital world.
- IBM Cost of a Data Breach Report 2023
- Crowdstrike 2023 Global Threat Report
- Verizon 2023 Data Breach Investigations Report
Find out how UpGuard can help protect you from a data breach >
Key Insights from Data Breach Reports in 2024
Below is a list of key findings from the three data breach reports and investigations:
1. The average cost of a data breach reached USD $4.45 million in 2023, a 2.3% increase from 2022 of $4.35 million (IBM Cost of a Data Breach Report 2023)
Since 2020, the average cost of a data breach has increased 15.3% from $3.86 million. Based on this trajectory, the costs are expected to reach $5 million within the next few years.
2. Malware and destructive attacks accounted for 24% and 25% of all cyber attacks (IBM Cost of a Data Breach Report 2023)
Costs and damages from malware attacks averaged USD $5.24 million, while costs from destructive attacks reached USD $5.13 million. These two types of attacks accounted for the largest percentage of all malicious attacks across 500+ organizations researched by IBM and Ponemon Institute.
While malware attacks can have a number of goals, such as data theft or extortion, destructive attacks have the sole purpose of destroying data, cripple systems, or cause irreversible damage. Nation-states or state-sponsored attackers are typically behind destructive attacks and carry these out through zero-day vulnerabilities, destructive malware, or ransomware.
3. It takes 84 seconds from an initial system breach by a threat actor to make another lateral movement (CrowdStrike 2023 Global Threat Report)
It takes as little as 84 seconds for a threat actor to move laterally to another system. While many companies may focus their efforts on breach prevention, this suggests that many of those companies do not have strong access control or internal network segmentation policies. This means that cybercriminals that are able to gain unauthorized access to systems initially have free roam once they are in.
4. Criminals are shifting away from using malware to gain access to systems (CrowdStrike 2023 Global Threat Report)
In Crowdstrike’s 2023 Global Threat Report, only 29% of breach detections involved malware in 2022, down from 38% in 2021. This suggests that threat actors are using more methods to steal valid credentials and execute vulnerability exploits to gain access to systems. The threat actors also rely on the organizations' poor detection abilities and response times to carry out their attacks.
5. Companies that invest in automation or security AI data breach detection services or tools have lower data breach costs and shorter breach lifecycles (IBM Cost of a Data Breach Report 2023)
Companies with automatic or AI breach detection services had an average of $1.76 million lower data breach costs than those companies that did not. Additionally, they also had roughly a 108-day shorter breach lifecycle, which includes the initial detection of the threat, containment, and resolution from start to finish.
6. Organizations that did not involve law enforcement in ransomware attacks experienced higher costs and breach lifecycles (IBM Cost of a Data Breach Report 2023)
Organizations affected by a ransomware attack but chose not to involve law enforcement experienced an average of $470,000 higher costs and damages and an additional 33 days in their breach lifecycle. This suggests that law enforcement can help ransomware victims significantly to help recover data and minimize damages.
7. The healthcare industry had the most expensive data breach costs (IBM Cost of a Data Breach Report 2023), followed by:
The healthcare industry had the highest data breach costs in 2023, reaching an average of USD $10.93 million, far surpassing the second-highest industry in Financials, which had an average of USD $5.9 million in data breach costs. The top five industries with the highest average costs in USD, were:
- Healthcare - $10.93 million
- Financials - $5.9 million
- Pharmaceuticals - $4.82 million
- Energy - $4.78 million
- Industrial - $4.73 million
8. Critical infrastructure averaged $5.04 million in data breach costs, while non-CI industries averaged $3.78 million (IBM Cost of a Data Breach Report 2023)
Critical infrastructure organizations naturally have higher data breach costs because of the type of information and data they handle. In fact, the top five industries with the highest data breach costs were all in CI sectors, which include healthcare, financials, energy, and more. Non-CI sectors typically include industries such as Consumer Goods, Food and Drink, or Travel/Tourism.
9. 82% of breaches occurred in the cloud environment, with 39% of cloud security breaches spanning multiple environments (IBM Cost of a Data Breach Report 2023)
82% of all data breaches involved data that was stored in the cloud, whether they were public or private, and 39% of these breaches spanned multiple environments. Additionally, cloud security breaches were strongly correlated with higher data breach costs, as it took businesses longer to identify and contain.
When a breach occurred across multiple environments, the average costs reached $4.75 million. It’s also important to note that breaches that occurred over the public cloud space averaged about $4.54 million, 17% higher than breaches that occurred in the public or on-premise storage environments at $3.98 million.
10. Breach lifecycles that were contained within 200 days had an average cost of $3.93 million, while breach lifecycles that lasted longer than 200 days had an average cost of $4.95 million (+23%) (IBM Cost of a Data Breach Report 2023)
Two hundred days was the drop-off point for most data breach lifecycles. Companies affected by a data breach that was able to identify, contain, and resolve data breaches quickly saw a far lower data breach cost than companies that took longer than 200 days to resolve their issues. Breach lifecycles that lasted longer than 200 days had an average of $4.95 million in data breach costs, representing nearly 23% higher costs <200-day breach lifecycles in $3.93 million.
11. The average breach life cycle was 277 days in 2023(IBM Cost of a Data Breach Report 2023)
In 2023, the average time to identify a breach in 2023 was 204 days. The average time to contain a breach in 2023 was 73 days, which brings the total breach lifecycle to 277 days. The average breach lifecycle in 2022 was also 277 days, which is a +0% change. The highest average breach lifecycle year was in 2021, with an average of 281 days.
12. Larger organizations saw a decrease in data breach costs in 2023, while smaller organizations saw a significant increase in data breach costs (IBM Cost of a Data Breach Report 2023)
Larger organizations (>5000 people) typically have more established security programs and are more well-equipped to handle any potential data breaches. While larger organizations may have more valuable data, it will be increasingly more difficult for cybercriminals to steal or compromise data from them. We saw this in IBM’s report, where companies with at least 10,000 employees saw anywhere between a 1-2% drop in costs.
Instead, threat actors are shifting their focus to small or mid-sized enterprises (<5000 people) that are not as well protected and are more likely to be breached. Companies between 500-5000 people saw at least a 20% jump in data breach costs from 2022.
13. The most common type of data stolen or compromised was customer PII (IBM Cost of a Data Breach Report 2023)
The top five types of data that were stolen or compromised in 2023 were:
- Customer PII
- Employee PII
- Intellectual property (IP)
- Customer data (non-PII)
- Corporate data
14. 74% of security breaches involved a human element (Verizon Data Breach Investigations Report 2023)
An overwhelming majority of security breaches involve a human element, which includes human error, stolen credentials, privilege misuse, or social engineering.
15. Stolen/compromised credentials (15%) and phishing (16%) were the two most common attack vectors in 2023 (IBM Cost of a Data Breach Report 2023)
- Breaches using stolen or compromised credentials took an average of 328 days to identify and contain, followed by malicious insider (308 days) and social engineering (298 days) (IBM Cost of a Data Breach Report 2023)
16. More than 32% of Log4shell incidents occurred within the first 30 days of its release (Verizon Data Breach Investigations Report 2023)
Although the Log4shell vulnerability was a serious global incident that affected many large enterprises, most Log4j vulnerabilities have since been patched and have not affected many organizations in the last two years. However, because of the widespread use of Log4j applications, many experts believe it will still be a prevalent vulnerability for years to come.
17. Hacktivist activity has grown significantly over the last two years and will continue to rise (Crowdstrike 2023 Global Threat Report)
Since the war in Ukraine began in late 2022, Crowdstrike has found a significant rise in hacktivist activity originating from Russia, affecting multiple countries around the world. It is not the only hacktivist activity that has come out of 2023 — there have been multiple reports or incidents coming out of Taiwan that have claimed that China or Chinese-affiliated has been deploying many hacktivist attacks against them.
18. The top attack vector for ransomware attacks is Email (Verizon Data Breach Investigations Report 2023)
Nearly 35% of ransomware attacks originated from a breached email account, which involves an unsuspecting user opening and running the malware on their own. The next two attack vectors are Desktop Sharing and Web Applications.
What is the Average Cost of a Data Breach by Country?
The USA had the most expensive data breach costs in the world (IBM Cost of a Data Breach Report 2023). Data breaches from the USA continue to be among the highest in the world, most likely because of the wealth of companies, economy, and amount of data handled in the United States.
However, one area to note is that in 2022, the Middle East averaged $6.46 million in average data breach costs. In 2023, that number reached $8.07 million, which is nearly a +20% increase, showing a significant jump in costs.
The top 5 countries/regions with the most expensive data breach costs were:
- USA - $9.48 million
- Middle East - $8.07 million
- Canada - $5.13 million
- Germany - $4.67 million
- Japan - $4.52 million
