Data breach recovery has gotten more expensive

Illustration: Aïda Amer/Axios
Recovering from data breaches has gotten more expensive for companies over the last year, according to an IBM report out Tuesday.
Why it matters: Data breaches are on the rise, meaning more companies are losing revenue from operational downtime, post-breach investigations and potential lawsuits.
- At least 1 billion records have already been stolen as part of incidents so far this year.
- A series of hacks targeting vulnerable Snowflake databases and the ransomware attack against UnitedHealth's Change Healthcare have increased totals in 2024.
By the numbers: The average cost of a data breach was $4.88 million among organizations that faced incidents between March 2023 and February 2024 — a 10% jump from the $4.45 million average during the prior-year period.
- This is the biggest annual increase IBM has seen since the pandemic.
Between the lines: Hackers are stealing larger troves of data, prompting additional cleanup costs, Troy Bettencourt, head of IBM's X-Force threat intelligence team, told Axios.
- Those costs include not only those associated with searching through compromised data to see who's affected and sending notifications to them, but also the costs of credit monitoring services that individuals may be offered after the fact, Bettencourt said.
The big picture: Post-pandemic, most companies use a mix of cloud servers, on-premise systems and container storage to warehouse essential data.
- This means essential data is getting "pushed closer and closer to the edge" of a network, making it more accessible from the internet, Bettencourt said.
Zoom in: The new report is based on an analysis of 604 organizations impacted by data breaches between March 2023 and February 2024, including interviews with 3,556 business leaders.
- Most of the data breach costs come from "detection and escalation" efforts, which include forensic investigation activities, crisis management and security assessments to understand what was stolen and how the event happened.
- On average, an organization spends $1.63 million on detection and escalation activities and loses $1.47 million in business costs (including customer sales and the cost of reputational damage) to data breaches, according to the report.
The intrigue: More than half of breached organizations said they're facing cyber staff shortages, the report said.
- "It's been tough times in the security industry," Bettencourt said. "There's been tons of layoffs, which means a lot of companies could arguably be said to be understaffed."
Yes, but: Emerging AI and automation tools could help bring costs down and fill in staffing gaps.
- Companies that said they use AI extensively experienced the smallest data breach totals, with the average incident costing $3.84 million.
- Companies with limited AI use averaged $4.64 million per breach, and those that didn't use AI at all spent $5.72 million on average per breach.
- Defenders are also detecting data breaches faster than they have in seven years, according to the report. It now takes about 258 days to spot a breach and 64 days to contain the threat.
The bottom line: The easiest thing companies can do is make sure they have the basics down, Bettencourt said.
- Most hackers use stolen login credentials to breach organizations, so multifactor authentication is even more critical now, he added.
