IBM Finds Data Breach Costs Rise to $4.3M - And Firms Are Passing the Cost to Customers

According to IBM’s 2022 study of 550 organizations impacted by data breaches over the past year, the average cost of a data breach rose to $4.35 million, and 60% of the businesses surveyed increased the price of their products and services to cover the loss.

Report Findings:

  • The average cost of a data breach reached a record high in 2022 - $4.35 million

  • The global per-record cost of a data breach in 2022 was $164, a 12.3% increase from 2020

  • The US was the costliest country for total cost of a data breach for the 12th year in a row

  • Healthcare was the highest-cost industry for the 12th year in a row

  • Detection and escalation costs surpassed lost business costs for the first time in six years

  • Most organizations in the study have experienced more than one data breach

  • A majority (60%) of organizations in the study said they increased the price of their products and services as a result of the data breach

  • The most common initial attack vector in 2022 was stolen or compromised credentials

Experts weighed in on the report and what it means for organizations looking to mitigate risk and secure valuable data.


Brad Hong, Customer Success Manager, Horizon3ai:

“For at least the last decade, there have been warning signs left and right that data breaches are an imminent part of business. While everyone in the industry now operates, or should operate, under the impression of when, not if, they will be breached, I have to wonder what these 550 organizations were doing. Every report on the state of cyber during the last five years reflects that the most common initial attack vector continues to be stolen or compromised credentials. Think for a second about your coworkers—how many do you know that just do not care about sacrificing accessibility for security?

It’s already a breach of confidence to lose the confidential data of customers, and sure there’s bound to be an organization across those surveyed who genuinely did put in the effort to protect against and curb attacks, but for those who did nothing, those who, instead of creating a disaster recovery plan, just bought cyber insurance to cover the org’s operational losses, and those who simply didn’t care enough to heed the warnings, it’s the coup de grâce to then pass the cost of breaches to the same customers who are now the victims of a data breach. I’d be curious to know what percent of the 60% of organizations who increased the price of their products and services are using the extra revenue for a war chest or to actually reinforce their security—realistically, it’s most likely just being used to fill a gap in lost revenue for shareholders’ sake post-breach. Without government regulations outlining restrictions on passing the cost of a breach to the consumer, at the least not without the honest & measurable efforts of a corporation as their custodian, what accountability do we all have against that one executive who didn’t want to change his/her password? It’s a scary world out there, but what’s scarier are the IT leaders who think they won’t get hacked and allow their infrastructures to atrophy by failing to test their effectiveness.”

John Gunn, CEO, Token:

“The report is unique in the way it presents a granular view of where organizations are taking the biggest hits and where future investments in cybersecurity should be made, and once again one of the fastest, easiest, and least costly paths to a stronger security posture is multifactor authentication.”

Shawn Surber, VP of Solutions Architecture and Strategy, Tanium:

Shawn responded to several of the key findings in the IBM report:

  • Detection and escalation costs surpassed lost business costs as the largest of four cost categories comprising the cost of a data breach, for the first time in six years.

“The specialized tools security vendors have been building and selling for the past two decades will never provide the type of holistic risk management and security resilience needed to protect against today’s sophisticated cyber threats. Disparate point solutions across EPP, EDR, XDR, and elsewhere make it difficult to collect and assess data in the moment and, in most cases, additional solutions are required to remediate known and unknown vulnerabilities, which adds to the complexity and expense-in-depth spending that too often accompanies layered defense strategies. In other words, it’s not surprising that companies are spending more and more on detection and response but not seeing the results they'd like.”

  • Healthcare was the highest-cost industry for the 12th year in a row

“Healthcare continues to suffer the greatest cost of breaches but has among the lowest spend on cybersecurity of any industry, despite being deemed ‘critical infrastructure.’ The increased vulnerability of healthcare organizations to cyber threats can be traced to outdated IT systems, the lack of robust security controls, and insufficient IT staff, while valuable medical and health data—and the need to pay ransoms quickly to maintain access to that data—make healthcare targets popular and relatively easy to breach. Unlike other industries that can migrate data and sunset old systems, limited IT and security budgets at healthcare orgs make migration difficult and potentially expensive, particularly when an older system provides a small but unique function or houses data necessary for compliance or research, but still doesn’t make the cut to transition to a newer system. Hackers know these weaknesses and exploit them. Additionally, healthcare orgs haven’t sufficiently updated their security strategies, and the tools that manufacturers, IT software vendors, and the FDA have made haven’t been robust enough to thwart the more sophisticated techniques of threat actors.”

  • Time to detection of a breach remains steady at about 8 months, which indicates that detection mechanisms are failing.

“94 percent of today’s enterprises find at least 20 percent of their endpoints are unprotected, while the many tools sitting on those endpoints adversely affect performance and visibility—all of which contribute to the lack of efficacy of many detection mechanisms. Organizations would be better served by investing in cyber hygiene tools and threat hunting skills than by continuing to throw money at point solutions that keep failing them.”

  • The most common initial attack vector in 2022 was stolen or compromised credentials, responsible for 19% of breaches

“This is a tough vector to stop as it essentially gives the attacker ‘legitimate’ access to the environment. CIOs have millions of globally distributed heterogeneous assets they need to see and control in real time, but most of them can’t quickly answer basic questions around how many endpoints or devices they have, or what applications run on each of them, or whether they have the right access controls across them. To prevent threat actors from exercising privilege escalation and/or lateral movement, CIOs and CISOs should know what rights users have and what machines they can access to better secure their environments from credential loss. Effective management of administrator rights is critical to successfully securing every environment.”

Shawn Surber, VP of Solutions Architecture and Strategy, Tanium:

“Post-attack remediation is costly and time consuming and in many cases leads to system slowdowns or shutdowns that can adversely affect patient safety. With U.S. healthcare spend at more than $3 trillion annually—that’s trillion, with a “t”—the more than $125 billion expected to be spent on cybersecurity by 2025 is barely a third of what it should be to combat these threats effectively. Especially when you consider HCOs suffer up to three times more cyberattacks than financial services companies—and those orgs spend an average of 10% of their IT budgets on security initiatives according to research by Deloitte. In other words, HCOs combat three times more attacks but spend three times less on protecting against them. Former prosecutor Lisa Rivera’s estimates on industry spend are even higher; in a recent Cybersecurity Ventures report, she notes that four to seven percent of a health system’s IT budget is spent on cyber, compared to about 15 percent for other sectors like financial services.”
