Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Study Finds Average Cost of Data Breaches Continued to Rise in 2023

In our January 2023 blog post, "Study Finds Average Cost of Data Breaches Reaches All-Time High in 2022," we highlighted the key findings of the Ponemon Institute’s Cost of a Data Breach Report 2022. Each year, the report sets forth a vast dataset analyzing data breaches at hundreds of organizations to spot trends and developments in security risks and best practices. Recently, Ponemon Institute published its Cost of a Data Breach Report 2023, showing an increase in data breach costs in many areas of business.

The key findings of the report include the following:

  • Reaching an all-time high, the average cost of a data breach globally was $4.45 million in 2023, representing a 2.25% increase from 2022, when the average cost was $4.35 million. However, organizations with more robust risk-based analysis and management, such as vulnerability testing, penetration testing, and red teaming, only experienced an average breach cost of $3.98 million.
  • For the 13th year in a row, the United States led all countries and regions globally with an average cost per data breach of $9.48 million in 2023, representing a 0.4% increase from 2022, when the average cost of a breach was $9.44 million.
  • The other countries and regions in the top five for highest average cost of a data breach were the Middle East at $8.07 million, Canada at $5.13 million, Germany at $4.67 million, and Japan at $4.52 million.
  • The industry with the highest average cost of a data breach in the United States continued to be healthcare, which saw costs jump to an average of $10.93 million, an increase of 8.2% from 2022 when the average cost of a breach in the industry was $10.10 million. By contrast, the financial industry came in second place with an average cost of $5.9 million per breach, while the public sector came in last place with an average cost of $2.6 million per breach.
  • Phishing and stolen or compromised credentials were the most common initial attack vectors, responsible for 16% and 15% of breaches, respectively. Breaches caused by phishing had an average cost of $4.72 million. Conversely, breaches attributed to system error were the least costly, at an average cost of $3.96 million per breach, and the least common, at 5% of all occurrences.
  • While 33% of data breaches were actually identified by internal teams and tools, 27% of breaches were disclosed by an attacker as part of a ransomware attack. The average cost of a ransomware attack was $5.23 million, representing a 19.5% increase from 2022 when the average cost was $4.54 million.
  • In 2023, it took an average of 204 days to identify a data breach and an additional 73 days to contain such breach, which was an increase of three days from 2022. Data breaches with lifecycles of less than 200 days cost $3.93 million on average, while data breaches with lifecycles of more than 200 days cost $4.95 million on average, a 23% difference.

As concerns about the costs associated with data breaches continue to be the focal point of many services agreement negotiations, the Cost of a Data Breach Report 2023 can help organizations determine the actual financial risks associated with the data being exchanged under such agreements.
