Cost of data breach climbs 10%, but AI helping to limit some damage
The cost of a data breach in 2024 has clocked the biggest year-on-year increase since the pandemic, but companies that use artificial intelligence (AI) tools are mitigating some of the financial damage from the fallout.
The global average cost of a data security breach now clocks at $4.88 million, up 10% from $4.45 million last year, according to the latest findings from IBM’s annual Cost of a Data Breach Report, which analyzed breaches experienced by 604 organizations worldwide between March last year and February 2024. Conducted by Ponemon Institute, the study included interviews with 3,556 security and business professionals from the breached organizations, and across 16 countries and regions.
Some 70% of respondents said the breaches they encountered had caused significant or very significant disruption to their business, IBM noted. Losses included operational downtime, lost customers, and the cost of post-breach responses, such as staffing customer service desks and regulatory fines.
Also: Cyberdefense will need AI capabilities to safeguard digital borders
Stolen or compromised credentials were the most common initial attack vector, accounting for 16% of breaches, and took the longest to identify and contain at nearly 10 months.
This year organizations from the healthcare sector recorded the highest cost incurred from a breach at $9.77 million.
Across the board, 40% of breaches involved data stored across different environments, including public and private cloud and on-premises, and resulted in at least $5 million on average in damages. They also took the longest to identify and contain, clocking at 283 days, compared to the overall average of 258 days.
That global figure, though, is at a seven-year low and down from last year’s average of 277 days companies took to identify and contain a breach.
Also: Businesses’ cloud security fails are ‘concerning’ – as AI threats accelerate
Most of these breaches, at 46%, involved customers’ personal identifiable information, which included tax identification numbers, phone numbers, and home addresses. Another 43% involved intellectual property data, the cost of which climbed to $173 per record, up from $156 per record last year.
The study also found that 35% of breaches involved shadow data, with theft from such cases resulting in 16% more in cost from the breach.
In addition, breaches that took longer to eradicate were more costly, and those with a lifecycle of more than 200 days cost the most at an average of $5.46 million.
However, organizations that used AI-powered and automation security tools extensively incurred on average $1.88 million less in cost from a breach, at $3.84 million. In comparison, companies that did not use AI and automation saw average losses of $5.72 million. While those that had limited use of AI and automation also saw lower costs from a breach of $4.64 million.
Also: Automation driving AI adoption, but lack of right skillsets slowing down returns
The IBM study looked at organizations’ use of AI and automation across four areas of security operations: prevention, detection, investigation, and response. These included attack surface management, red-teaming, and posture management.
Two of three respondents said they had deployed in their security operations center, up 10% from last year. Some 31% used AI and automation extensively in their security processes, while 36% did likewise on a limited basis. Some 33% have yet to use any AI or automation.
Companies that suffered a ransomware attack were able to reduce their losses by an average of $1 million when they involved law enforcement, to $4.38 million. This figure excluded the amount paid up in ransom, according to IBM. Bringing in law enforcement further cut the time needed to identify and contain breaches from 297 to 281 days.
Some 63% of ransomware victims who turned to law enforcement were able to avoid paying a ransom.
Also: 91% of ransomware victims paid at least one ransom in the past year, survey finds
Without law enforcement, organizations clocked an average of $5.37 million in cost from a ransomware attack, excluding ransom payments.
More organizations this year said they would pass the losses amassed from a breach to consumers, with 63% planning to increase the cost of goods or services, up from 57% that did likewise last year.
Organizations that had severe or high-level staffing shortages also experienced higher breach costs as a result, acquiring $5.74 million in losses, compared to $3.98 million for those with low levels or no staffing shortages.
However, 63% of respondents indicated plans to increase their security budgets, up from 51% last year, with employee training highlighted as the top investment.
Also: AI is changing cybersecurity and businesses must wake up to the threat
Another 55% revealed plans to invest in incident response planning and testing, while 51% pointed to threat detection and response technologies. Some 42% would invest in identity and access management, and 34% would do so for data security protection tools.
“Businesses are caught in a continuous cycle of breaches, containment, and fallout response, [which] now often includes investments in strengthening security defenses and passing breach expenses on to consumers — making security the new cost of doing business,” said Kevin Skapinetz, vice president of strategy and product design for IBM Security. “As generative AI rapidly permeates businesses, expanding the attack surface, these expenses will soon become unsustainable, compelling businesses to reassess security measures and response strategies.”
To stay ahead, Skapinetz urged organizations to invest in AI-driven defenses and develop the skills needed to address the risks and opportunities brought about by generative AI.
