The average cost of a data breach has risen to $4.88 million, and critical infrastructure entities have the highest breach costs. The most expensive breaches involved healthcare organizations. Healthcare data breach costs fell 10.6% year-over-year, from $10.93 million in 2023 to $9.77 million in 2024. Despite that decrease, healthcare has remained the most expensive sector for breaches every year since 2011.
The 10% growth in average data breach costs was the biggest yearly increase since the COVID-19 outbreak. The rise was driven by more disruptive cyberattacks and the higher cost of post-breach customer service. Disruption prolongs the consequences of a breach: full recovery took more than 100 days for the majority of breached companies, and only 12% reported having completely recovered. According to IBM, 70% of companies breached in 2024 reported struggling with breach-related disruption, and 63% of breached companies (compared to 57% in 2023) reported passing breach costs on to their customers.
This is the 19th year IBM has published its annual Cost of a Data Breach Report, which is based on research by the Ponemon Institute. The IBM 2024 Cost of a Data Breach Report covers 604 organizations across 17 industries and 16 countries and regions that experienced a data breach between March 2023 and February 2024. In addition to the survey, IBM interviewed 3,556 security and C-suite executives with direct knowledge of the breaches at their organizations. The breaches involved between 2,100 and 113,000 exposed records. Mega breaches involving 1 million or more records were analyzed separately; IBM states that the cost of the smallest mega breach is 9 times the global average.
The factors that contributed to the double-digit increase (11% year-over-year) in data breach costs include
- growing expenses from lost business
- operational outages
- the cost of post-breach response
- customer loss
- staffing customer support helpdesks
- higher regulatory penalties
These costs averaged $2.8 million, the highest in the last 6 years.
One of the major issues companies face is a shortage of cybersecurity skills. More than half of breached companies reported security staffing shortages, and the skills gap has widened by 26.2% since 2023. The shortage of skilled personnel added about $1.76 million to breach costs. One of the primary ways companies are addressing the cybersecurity skills shortage is by using generative AI security tools to boost productivity and effectiveness.
Companies are using AI and automation more widely across their security operations centers; two-thirds of surveyed companies said they use AI. AI and automation tools have a large effect on breach costs: using AI tools throughout prevention workflows, such as red teaming, attack surface management (ASM), and posture management, resulted in a $2.2 million decrease in breach costs. Employee cybersecurity and HIPAA training were important for lowering costs, particularly in preventing and responding to phishing attacks. Security Information and Event Management (SIEM), encryption, and incident response planning were also important cost-reducing factors.
Businesses are caught in a continuous cycle of breach, containment, and response. This cycle frequently involves spending on improved security protection and passing breach costs on to customers. As generative AI spreads through businesses and broadens the attack surface, these costs will eventually become unsustainable, and businesses will need to reconsider their security options and response tactics. To move forward, companies need to invest in new AI-driven protection and acquire the skills required to manage the emerging risks and opportunities introduced by generative AI.
The 2024 report explored a few new areas, such as shadow data: data held in unmanaged locations, which is more difficult to trace and protect. Data stored across multiple environments was involved in 40% of breaches; those breaches took longer to discover and contain and cost 16% more than breaches of data held in a single environment.
The Federal Bureau of Investigation (FBI) urges cyberattack and data breach victims to notify their local FBI field office immediately after an attack, and the support law enforcement provides can be very helpful. This year, IBM examined the breach costs of companies that had alerted law enforcement. On average, companies that notified the authorities saved $1 million in breach costs, excluding any ransom payment. In addition to those cost benefits, 63% of companies that alerted law enforcement did not pay a ransom. Law enforcement involvement reduced the average time to identify and contain a breach from 297 to 281 days.
The most expensive breach types, by initial attack vector:
- $4.99 million due to malicious insider attacks
- $4.88 million due to business email compromise
- $4.88 million due to phishing
- $4.81 million due to stolen or compromised credentials
- $4.77 million due to social engineering
Stolen credentials were the initial access vector in 16% of breaches, and these attacks took 292 days to identify and contain. Identifying and containing phishing attacks took 261 days, while social engineering attacks took 257 days.
Breach costs rose to about $5.53 million when the attacker, rather than the victim, disclosed the breach. In these cases the damage had already been done and the attacker had accomplished their goals; such attacks usually involve data theft and data encryption. These attacks took longer to identify and contain (289 days), though that is considerably shorter than last year's 320 days. Overall, the time to identify and contain a breach dropped to its lowest level in 7 years, from 277 to 258 days.