Highlights:

  • Report highlights include a 42% increase in detection and escalation costs over the past three years.
  • The study reveals that 95% of organizations faced multiple breaches, 57% passed costs to consumers, and 51% chose to boost security investments.

According to a new report from IBM Security, the persistent climb in data breach expenses continues unabated in 2023. The average cost of a data breach worldwide is expected to reach USD 4.45 million in 2023, up 15% over the previous three years.

The 2023 Cost of a Data Breach Report is based on a thorough study of the data breaches that occurred at 553 organizations worldwide between March 2022 and March 2023. The Ponemon Institute conducted the study, which has now been released for 18 years running.

The report’s main findings included a 42% increase in detection and escalation costs over the previous three years, which accounted for the largest share of breach costs and suggested a shift toward more involved breach investigations.

The report divides businesses based on their strategies to deal with the rising cost and frequency of data breaches. Even though 95% of the organizations under study had more than one breach, the study found that organizations that had experienced a breach were more likely to pass incident costs onto customers (57%) rather than increase security investments (51%).

The report also covers artificial intelligence and how important the technology is to automating data breach management. The exciting conclusion is that AI is good for security: organizations that use AI extensively experience a much shorter data breach lifecycle, 108 days less on average, than businesses that do not use AI. AI was the report’s most significant cost-saving measure, reducing average data breach costs by nearly USD 1.8 million.

Despite the positive AI research, there are still issues. During a ransomware attack, many organizations are reluctant to involve law enforcement. Although it may be understandable that some businesses don’t want their security breaches made public out of concern for reputational harm, organizations that didn’t involve law enforcement experienced breach lifecycles that were, on average, 33 days longer and cost an additional USD 470,000.

The report also noted that organizations face significant difficulties in breach detection, with only one-third of breaches being discovered by the organization’s security team or tools. Compared to breaches identified internally, breaches disclosed by an attacker cost nearly USD 1 million more and had a lifecycle that was nearly 80 days longer.

Chris McCurdy, General Manager of Worldwide IBM Security Services, said, “Time is the new currency in cybersecurity, both for the defenders and the attackers. As the report shows, early detection and fast response can significantly reduce the impact of a breach. Security teams must focus on where adversaries are the most successful and concentrate their efforts on stopping them before they achieve their goals. Investments in threat detection and response approaches that accelerate defenders’ speed and efficiency – such as AI and automation – are crucial to shifting this balance.”