IBM’s 2022 Cost of a Data Breach Report reveals that, for the first time ever, the average cost of a healthcare data breach is in double digits – from more or less $1 million to $10.1 million. That is 9.4% higher than in 2021 and 41.6% higher than in 2020. Across all industries, the average data breach cost increased 2.6% year over year to $4.35 million, the highest average in the 17 years the report has been produced and 12.7% greater than in 2020.
For the report, IBM Security studied 550 organizations across 17 countries and regions and 17 industries that experienced data breaches between March 2021 and March 2022. More than 3,600 interviews were conducted with people at those organizations. 83% of the participating organizations had encountered one or more data breaches, and 60% of organizations stated that the data breach led them to raise the prices of their goods and services.
Overview of Data Breach Costs in 2022
- $4.35 million Global average cost of a data breach
- $164 million Global average cost per breached record
- $9.44 million Average cost of a data breach in the U.S.
- $10.1 million Average cost of a healthcare data breach
- $49 million Average cost of a 1 million record data breach
- $387 million Average cost of 50-60 million record data breach
- $4.54 million Average cost of a ransomware attack
- $4.91 million Average cost of phishing as the preliminary attack vector
In 2022, for the first time, the largest component of data breach costs was discovery and escalation, at $1.44 million, up from $1.24 million in 2021. Lost business followed at an average of $1.42 million in 2022, down from $1.59 million in 2021. Post-breach response costs rose slightly to $1.18 million from $1.14 million in 2021, and notification costs rose slightly to $0.31 million from $0.27 million in 2021.
Typically, 52% of breach costs are incurred in the first year, 29% in the second year, and 19% more than two years after the breach. In highly regulated industries such as healthcare, the costs are spread over a longer period: 45% in the first year, 31% in the second year, and 24% after the second year, which the report attributes to regulatory and legal expenses.
The report examined the various initial attack vectors and found that the most common entry point was the use of stolen credentials (19% of all data breaches), with an average breach cost of $4.5 million. Phishing accounted for 16% of all data breaches and was the most expensive attack vector, with an average cost of $4.91 million. Business email compromise accounted for 6% of all data breaches, with an average cost of $4.89 million. Cloud misconfigurations caused 15% of data breaches, with an average cost of $4.14 million. Finally, vulnerabilities in third-party software caused 13% of data breaches, with an average cost of $.55 million per breach.
In 2022, the average time to identify a data breach was 207 days, down from 212 days in 2021. The average time to contain a data breach was 277 days, down from 287 days in 2021. A shorter time to identify and contain a breach, known as the data breach lifecycle, means a lower breach cost: data breaches with a lifecycle of under 200 days cost 26.5% ($1.12 million) less on average than breaches with a lifecycle of more than 200 days.
A crucial step for improving security is adopting a zero trust approach, yet only 59% of organizations had implemented zero trust, and about 80% of critical infrastructure organizations had not yet implemented zero trust strategies. The average breach cost for critical infrastructure organizations that had not implemented zero trust was $5.4 million, $1.17 million higher than for those that had applied zero trust strategies.