Highlights from IBM’s Cost of a Data Breach 2022

By Colin Mo
August 16, 2022

IBM’s yearly Cost of a Data Breach 2022 report is out. The 59-page report by IBM and the Ponemon Institute contains findings based on over 3,600 interviews studying 550 organizations impacted by data breaches that occurred between March 2021 and March 2022. The breaches occurred across 17 countries and regions and in 17 different industries.

Below is a quick infographic highlighting what we found most important, followed by a quick dive into, and commentary on, some of the more eyebrow-raising facts.

🤨 Now on to the facts we at Pomerium found eyebrow-raising

Source: IBM’s Cost of a Data Breach 2022

The top five countries or regions with the highest average cost of a data breach were:

  1. The United States — $9.44 million
  2. The Middle East — $7.46 million
  3. Canada — $5.64 million
  4. The United Kingdom — $5.05 million
  5. Germany — $4.85 million

(For the entirety of this post, all monetary figures will be in USD)

While the average cost of a data breach globally is $4.35 million, the average cost of a data breach for USA companies is $9.44 million. This unplanned cost doesn’t bode well for USA companies suffering multiple breaches a year.

😧 Companies are passing breach costs on to customers

  • Eighty-three percent of organizations studied have experienced more than one data breach, and just 17% said this was their first data breach. Sixty percent of organizations studied stated that they increased the price of their services or products because of the data breach.
  • In response to the question [Did the data breach result in your organization increasing the price of products and services?], 60% said they increased prices, and 40% said they didn’t increase prices.

457 of the 550 organizations experienced more than one data breach, and 60% of organizations studied raised prices for customers as a result of a breach. This strongly implies that organizations that experienced multiple data breaches passed the cost of their breaches on to their customers multiple times.

With rising inflation being a hot topic around the world, it makes us wonder whether corporate data breaches have a cascading effect on increased costs for customers (keep this thought in mind when you read about the industries with the highest breach costs).

A further question arises: is this practice of having customers pay for data breaches sustainable?

💰 Zero trust translates into significant savings

  • In the 2022 study, 41% of organizations said they have deployed a zero trust security architecture, while 59% said they haven’t.
  • Organizations with zero trust deployed saved nearly $1 million in average breach costs compared to organizations without zero trust deployed. The average cost of a data breach was $4.15 million at organizations with zero trust deployed, while the cost of a breach was an average $5.1 million at organizations without zero trust deployed. The difference was $0.95 million, representing a 20.5% savings for organizations with zero trust deployed.

While the industry seems skeptical and treats zero trust as a buzzword, the report finds real savings when it comes to zero trust. An interesting follow-up question would be whether they actually DO have zero trust architecture as outlined by the National Institute of Standards and Technology (NIST), or if they just think they do.

It’s worth noting that zero trust is being adopted and seems to work. Some may recall the White House’s memo earlier this year on moving the US Government towards Zero Trust Cybersecurity principles. For those looking to make the shift, NIST has recently drafted a new Implementing a Zero Trust Architecture guide. We also recommend that practitioners read the NIST and CISA Zero Trust write-ups.

💸 Healthcare industry continues to have the costliest breaches

  • Healthcare breach costs hit a new record high. The average breach in healthcare increased by nearly $1 million to reach $10.1 million. Healthcare has been the industry with the most expensive breaches for 12 years running, with costs increasing by 41.6% since the 2020 report. Financial organizations had the second highest costs — averaging $5.97 million — followed by pharmaceuticals at $5.01 million, technology at $4.97 million and energy at $4.72 million.
  • Data breaches in high data protection regulatory environments, such as the healthcare, financial, energy, pharmaceuticals and education industries, tended to see costs accrue in later years following the breach.

This is where we would like a study on the impact of data breaches on healthcare costs (assuming 60% of breached organizations pass costs on to customers), but unfortunately this is beyond the scope of the report. It is, however, noteworthy that the highly regulated healthcare sector holds the undesirable crown for the most expensive breaches. The costs that continue to accrue in the years following a breach may be a result of these regulations, increasing the total cost of these breaches.

Healthcare companies in the USA, Middle East, Canada, UK, and Germany are likely to be experiencing breach costs far above the global healthcare average of $10.1 million. As mentioned earlier, these companies are also likely passing these breach costs on to customers.

📞 Remote work is correlated with higher costs for data breaches

  • There was a strong correlation between remote working and cost of a data breach, where more employees working remotely was associated with higher data breach costs.
  • The average total cost of a data breach was nearly $1 million greater when remote work was a factor in causing the data breach.

We’ve written on this before: remote work continues to be a preference for workers and a nightmare for SecOps teams. Organizations trying to retain employees and reduce churn by offering remote or hybrid work options absolutely need to figure out how to secure remote work.

🌩️ Cloud providers cannot be trusted to prevent breaches

  • Breaches that were deemed the responsibility of the cloud provider had the highest average total cost of a breach based on cloud provider.
  • Breaches in the public cloud were costliest.

One might think that cloud providers have a vested incentive to protect their customers when it comes to data breaches, but we would like to remind you that your security is ultimately your responsibility alone. Relying on third parties to take your security seriously is ill-advised, particularly when they’re getting breached and probably passing the costs on to you.

An organization implementing zero trust architecture should not implicitly trust a third party to ensure its own safety. Organizations should insulate themselves from third-party breaches.

🔑 Compromised credentials remain the most common initial attack vector

  • The most common initial attack vector in 2022 was stolen or compromised credentials, responsible for 19% of breaches in the study, at an average cost of $4.50 million.
  • The costliest initial attack vector in 2022 on average was phishing at $4.91 million.

Please implement Multi-Factor Authentication and context-aware access to potentially save your organization an average of $4.5 million per breach. We’ve also written on the shift to passwordless authentication models and the benefits of having credentials that are harder to steal.

🕵️ Companies still have difficulty identifying and containing breaches

  • Attack vectors with longer mean times to identify and contain, such as phishing or business email compromise, were also among the most expensive types of breaches.
  • Stolen or compromised credentials were the initial attack vector with the longest mean time to identify and contain the breach, at 327 days. That time is 16.6% greater than the overall mean time to identify and contain a data breach.

While the average lifecycle of a breach shortened by 10 days, data breaches remain difficult to identify or contain, generally spanning multiple financial quarters. The cost of a data breach remains proportional to the amount of time it takes to contain the breach.

🔒 Prevention is easier than detection, response, and recovery

As companies struggle with the aftermath of breaches, Pomerium remains a top choice for companies looking for an open-source context-aware access gateway for managing secure, identity-aware access to applications and services. Our customers depend on us to secure clientless access to their web applications every day.

Organizations can easily deploy Pomerium alongside their existing infrastructure to adopt secure, identity- and context-driven access to their internal services. IT management teams can use Pomerium to provision access and ensure security for all users without sacrificing productivity.

Context-aware access is increasingly necessary as the workforce shifts to remote work and organizations open their internal infrastructure up to the dangers of the internet.

Check out our open-source GitHub repository or give Pomerium a try today!
