Whatever the cost of a data breach, it doesn't pay to pay: IBM study

31st July 2022
Whatever the cost of a data breach, it doesn't pay to pay: IBM study
Inside an IBM Command centre monitoring web traffic

Bangalore, July 31, 2022: IBM Security has released its  annual Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for surveyed organizations.
With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organizations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.
The perpetuality of cyberattacks is also shedding light on the “haunting effect” data breaches are having on businesses, with the IBM report finding 83% of studied organizations have experienced more than one data breach in their lifetime. Another factor rising over time is the after-effects of breaches on these organizations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.
The 2022 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 550 organizations globally between March 2021 and March 2022. The research, which was sponsored and analyzed by IBM Security, was conducted by the Ponemon Institute.
India Findings
Rs 176 million: Average total cost of a data breach

Reaching an all-time high, the cost of a data breach averaged 176 million in 2022. This represents a 6.6% increase from last year, when the average cost of a breach was 165 million. The average cost has climbed 25% from 140 million in the 2020 report.
Rs 6,100: Average per record cost of a data breach hit an eleven-year high.
India’s average per record cost of a data breach in 2022 was 6,100, a 3.3% increase from 5900 in 2021. The increase from 5522 in 2020 is an increase of 10.4%.
29,500: Average records breached in 2022
Top three industries per record cost- Industrial:Rs  9024; Services: Rs 7085; Technology Sector: Rs 6900
Industrial (Chemical processing, engineering, and manufacturing companies) was highest cost industry. The average total cost of a breach in industrial industry, comprised of chemical, engineering and manufacturing organizations, was reported at Rs 9,024 in 2022.
Following industrial industry were the Services industry comprised of professional services such as legal, accounting and consulting firms and technology industries comprising software and hardware companies. The services industry reported average total cost of a breach at Rs 7,085 while the technology industry, reported average total cost of a breach at Rs 6,900
Post Breach response costs surpassed other costs as the largest of four cost categories comprising the cost of a data breach, continuously for the 6th year

Broken down into four cost categories — lost business, detection and escalation, notification and post breach response — the largest share of data breach costs in 2022 was post breach response, at Rs 71 million. Post Breach response costs increased from Rs 67.20 million in 2021 to Rs 71 million in 2022, an increase of 5.65%
Top three primary initial attack vector for data breach- stolen or compromised credentials – Rs 216 millions; Phishing - Rs 206 millions; Accidental data loss or lost device – Rs 190 millions
The average mean time to identify a data breach decreased from 239 to 221 days and the average mean time to contain a data breach increased from 81 to 82 days
Further, IBM witnessed organizations with less than 50% remote work adoption took 212 days as the average mean time to identify a data breach and 75 days as the average mean time to contain a data breach
However, organizations with over 50% remote work adoption took 266 days as the average mean time to identify a data breach and 91 days as the average mean time to contain a data breach
Impact of zero trust on total cost of a data breach
Organizations in India that are in the mature stages of adopting zero trust deployment witnessed Rs 151 million as the total cost of a data breach as compared to organizations who have not yet started zero trust deployment and witnessed Rs 246 millions as the total cost of data breach. This cost was Rs 95 million more than breaches at mature organizations, a difference of 62.9%.
Factors that may increase or decrease the cost of a data breach
AI platforms, engaged red team testing and Extended detection and response or XDR technologies were the three factors associated with the highest cost decrease|
Third party involvement, occurrence of cloud migration (when the organization is in the process of migrating to the cloud) and IoT and OT (Operational technology) environment being impacted were the three factors associated with the highest cost increase.
State of security automation comparing three levels of deployment
Fully deployed security automation was 30% in 2022. The share of organizations with partial or no security automation deployed was 35%.
Breaches at organizations with mature cloud security, cost an average of Rs 160 million, compared to Rs 190 million at mid-stage organizations, Rs 192 million at early-stage organizations. The cost difference between mature stage and early stage represented a 16.6% savings for mature stage organizations.
Global findings
Critical Infrastructure Lags in Zero Trust –
Almost 80% of critical infrastructure organizations studied don’t adopt zero trust strategies, seeing average breach costs rise to $5.4 million – a $1.17 million increase compared to those that do. All while 28% breaches amongst these organizations were ransomware or destructive attacks.
It Doesn’t Pay to Pay – Ransomware victims in the study that opted to pay threat actors’ ransom demands saw only $610,000 less in average breach costs compared to those that chose not to pay – not including the cost of the ransom. Factoring in the high cost of ransom payments, the financial toll may rise even higher, suggesting that simply paying the ransom may not be an effective strategy.
Security Immaturity in Clouds – Forty-three percent of studied organizations are in the early stages or have not started applying security practices across their cloud environments, observing over $660,000 on average in higher breach costs than studied organizations with mature security across their cloud environments.
Security AI and Automation Leads as Multi-Million Dollar Cost Saver – Participating organizations fully deploying security AI and automation incurred $3.05 million less on average in breach costs compared to studied organizations that have not deployed the technology – the biggest cost saver observed in the study.