New IBM Report - The Real Cost Of A Data Breach In 2024
Every year, the cost of a security breach gets higher and higher. This year is no exception, according to IBM’s 2024 Cost of a Data Breach report. This blog post uses the latest data to uncover how much a cyberattack could cost your organisation. We also highlight trends in data breaches you should be aware of. Though the topic is heavy, we’ll end on a lighter note with actionable recommendations you can use to improve your organisation’s security and reduce your risk of a data breach.
Short Summary
- Data breaches are becoming more common and more expensive every year. The average cost of a data breach in 2024 was $4.88 million.
- While every kind of organization is vulnerable to data breaches, those providing critical infrastructure and healthcare services are big targets.
- Small businesses are also vulnerable to data breaches, and the consequences can be devastating, often leading to complete shutdowns.
- The most common sources of data breaches are compromised account credentials, phishing, and cloud misconfigurations.
- To prevent data breaches, organizations should prioritize good security practices and educate their employees.
Table of contents
- How the report is made
- Data breaches in Scandinavia
- Data breaches are becoming more common
- Smaller organizations faced higher data breach costs than last year
- All types of organisations are vulnerable to data breaches
- How data breaches happen
- How much data breaches cost and why they’re so expensive
- Data breaches, personal data, and the GDPR
- Steps you can take to prevent breaches and reduce costs
Recent trends in data breaches
According to IBM’s 2024 report, the average cost of a data breach was $4.88 million. If this sounds like a lot of money, you’re not alone. This cost is nearly a 26.4% increase from the cost of a data breach in 2020. So, data breaches cost a lot and are getting more expensive every year. Since data breaches cost so much money, preventing one by maintaining good security practices should be a priority.
What changed from last year
Compared to the 2023 report, data breaches got more expensive in 2024. Last year, the average cost of a breach was $4.45 million, and this year the average cost is $4.88 million. One explanation for the higher cost is the increase in the costs paid by healthcare companies.
This year’s report also offers insight into the effect of extensive security AI and automation on the financial impact of a breach.
Now that we’ve covered some of the main findings from IBM’s 2024 report, let’s look at how the report was made: we’ll quickly go over IBM’s survey methods and what they found about security breaches in Scandinavia.
How the report is made
To gather data for the report, IBM interviewed 3,556 people from 604 organisations across the world. To best calculate the average cost of a breach, IBM excluded the smallest and largest data breaches, although their report has a section on mega breaches if you are interested in seeing some bigger numbers. Additionally, the majority of the sample came from these industries: financial, services, industrial, and technology.
What this means for small businesses
Because the findings are reported based on averages, it might be hard for small businesses to see themselves in the findings. If that sounds like you, we encourage you to pay attention to the trends in how breaches happen and the impacts they have on businesses, rather than the dollar amount reported.
For example, while it’s unlikely that a phishing attack will cost your business the average ($4.91 million), it is likely that your organisation will face phishing attacks, because they are one of the most common sources of breaches. So, the trends and recommendations will hopefully be useful to you, even if the cost seems unrealistic.
Data breaches in Scandinavia
IBM dropped Scandinavia from the study this year. But we can use last year's data as a reference point.
To put the numbers into perspective locally, Scandinavian companies made up 4% of the sample studied last year. Interestingly, the average cost of a data breach decreased among Scandinavian companies that year. In 2021, the average cost of a breach in Scandinavia was $2.67 million, while in 2023 the average cost was $2.08 million. Only Brazil and Turkey had lower average breach costs than Scandinavia.
Data breaches are becoming more common
Cyber-attacks involving data breaches are becoming more common. The cost of recovering from these attacks is increasing, too.
- In 2009, estimates showed that a cyber-attack happened every 39 seconds
- In 2022, the frequency of attacks increased to once every 11 seconds
Since data breaches are happening more often and costing companies more money, it’s safe to say that we should pay attention to this issue.
Smaller organizations face increasing data breach costs
In IBM’s 2023 report it is clear that smaller organizations faced a much higher increase in the cost of data breaches. Here are some numbers from the report:
- Organizations with fewer than 500 employees reported that the average impact of a data breach increased to USD 3.31 million or a 13.4% increase from 2022.
- Those with 500–1,000 employees saw an increase of 21.4%, from USD 2.71 million to USD 3.29 million.
- In the 1,001–5,000 employee range, the average cost of a data breach increased from USD 4.06 million to USD 4.87 million, rising nearly 20%.
This is bad news for businesses. Higher costs on top of a loss of customer trust can push customers away, towards competitors.
All types of organisations are vulnerable to data breaches
Cyber criminals are smart. They know what kinds of businesses have the most to lose from a data breach and who can afford to pay ransom requests. Big organisations also end up receiving the largest fines for breaking the GDPR.
With this in mind, it makes sense that big organisations, such as healthcare companies, suffer the highest costs when they experience data breaches. Think about all the personal information about patients that hackers can gain access to. Healthcare organisations need access to patients’ records in order to care for them. Plus, they need to keep their patients’ trust when it comes to their personal health information. The amount of sensitive data healthcare organisations have, and their willingness to pay for control of these records, make healthcare organisations a big target for expensive data breaches.
In fact, the cost of a data breach for a healthcare organisation is more than double the overall average in 2024, at $9.77 million.
Critical services pay a higher price
In addition to healthcare companies, other critical infrastructure organisations are susceptible to data breaches with price tags higher than the average cost of a breach. Critical infrastructure organisations include the following sectors: financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries.
Small organisations are also vulnerable
Even though larger companies are more obvious targets for cyber criminals, small businesses also suffer greatly from data breaches. Six months after experiencing a breach, 60% of small companies have to completely shut down. Since small businesses lack the massive IT security budgets and institutional resources that large companies have, they are more vulnerable to business-ending breaches.
This makes sense, especially given that organisations usually pass the consequences of the breach onto their customers in the form of higher prices. It’s easy for customers to choose a new business partner when they lose trust in the company due to a breach, and when the company starts to increase their prices.
How data breaches happen
To reduce the risk of your organisation falling victim to a data breach, you need to know how data breaches occur in the first place. The three most common sources of data breaches in 2024 are:
- Compromised account credentials
- Malicious insiders
Any organisation should make it their goal to ensure that their employees are aware of how breaches usually happen, and how to prevent them.
The most frequent way that hackers get into a company’s system is by getting access to an employee’s account information.
These kinds of attacks are the most common, and unfortunately, they also take the longest amount of time to resolve.
To reduce the risk of a breach caused by compromised credentials, it’s important to have strong passwords and know the signs of a phishing email. One way to help your employees recognize phishing emails is through phishing training. You can also add an extra line of defence through either two-factor authentication, password managers, or a combination of both to further increase the cyber security in your organisation.
How much data breaches cost and why they’re so expensive
Recovering from a data breach involves both direct costs and indirect costs. For example, direct costs can include the need to hire an IT forensic team to investigate the breach and repair damaged systems. One big indirect cost is the reputational harm businesses experience after being victims of a breach. Below you can see the different cost areas involved in a breach.
- 30%: lost business costs - reputational harm
- 33%: detection and escalation of the breach - audits and investigations
- 27%: post-breach response - services for victims, e.g., help desk and credit monitoring
- 8%: notification - letting customers and regulators know about the breach via mail, telephone, email, etc.
Let’s dig into the biggest cost area, lost business, a bit further. Regardless of how big your company is, lost business is surely a big threat to your organisation’s future.
Lost business is a major cost
Lost business is a big factor in the overall cost of a data breach. It costs an average of $1.47 million per breach.
Put yourself in a customer’s shoes. As you hear news of the data breach, you begin to lose trust in the business that experienced the cyber-attack. If you are a current customer, you may wish to stop doing business with them. If you are a prospective customer, you might choose a different vendor that provides the same service.
The bottom line is that data breaches are bad for business.
Even after the company recovers all the sensitive data, it can take years for them to regain customers’ trust.
Beyond that, many businesses also suffer lost revenues from the time that their services were down during the breach, leaving customers without access. This is especially the case in ransomware attacks, where the ransomware brings a business “offline” for a period of time.
The total cost of a breach depends mostly on how efficiently an organisation can respond to it. The faster you can react to a breach, the less expensive it will be to manage. A few factors that impact the cost of a breach are:
- Existing security and detection practices
- How long it takes to find and contain the breach
- The amount of information that is compromised
- Safeguards the company puts in place after the breach to protect its own data and the people whose information was compromised during the attack
Having a breach response plan in place can help your organisation save time once a breach occurs, so it is well worth preparing one in advance.
Also, a breach can become more expensive when ransom is involved, which is often the case in ransomware attacks. That’s because the company must recover from the breach itself and potentially pay a ransom to the cyber criminals. Without paying the ransom, the company may have trouble regaining access to its systems and important files.
Because of the added cost, ransomware attacks are more expensive to recover from than breaches that do not involve ransomware.
Although it can seem like you have to pay the ransom if you are hit by a ransomware attack, we do not suggest sending money to the cyber criminals. This is because you might not get your data back in its original condition, and your willingness to pay could encourage future attacks. The best thing you can do is prevent an attack.
We all know the saying, “time is money.” Seriously though – when it comes to data breaches, every day a breach goes undetected, the cost of resolving it increases.
The reality is that it takes much longer to identify a breach than it takes to contain one, but both processes can be lengthy. In 2024, it took an average of 258 days to identify and contain a breach. In other words, an average breach takes about ¾ of a year to recover from. Detecting breaches is easier if you use practices such as SIEM and log management. Technical solutions like these can be useful for smaller organisations, which may have fewer human resources in the IT department.
AI and automation have been a central topic throughout 2024, and they have also shown a positive impact on data breaches: organisations that use security AI and automation identify and contain a data breach 100 days faster than organisations that do not use them.
This means identifying and containing a breach with extensive use of security AI and automation took just 61% of the time it took organizations with no use.
In the 2024 report, only 31% of organizations used security AI and automation extensively in their operations, which means many organizations have a significant opportunity to improve their speed, accuracy and efficiency. Extensive use of security AI and automation saved nearly USD 1.88 million in data breach cost and accelerated the time to identify and contain a breach.
Data breaches, personal data, and the GDPR
If a data breach happens in your organisation, the GDPR has a few requirements related to notifications you must give. For example, you have to notify the national supervisory authority immediately and no later than 72 hours after you become aware of the breach, unless it is highly unlikely that personal data was compromised during the breach. In this notification, you’ll have to describe the nature of the breach, the type and amount of data compromised, the contact information of your Data Protection Officer, the expected consequences, and the actions you have already taken or plan to take in response. You’ll also have to notify the individuals whose data was impacted by the breach without unnecessary delay if you decide they could be at high risk.
So, we’ve covered how breaches happen and why they’re so expensive. Now, let’s move on to ways you can protect your organisation from breaches and reduce the cost of a breach if it does happen.
Steps you can take to prevent breaches and reduce costs
It goes without saying that the best way to reduce the cost of a breach is to avoid one in the first place. Preventing data breaches is a big topic, so we won’t go into too much depth on it in this post. We cover a lot of different prevention methods in depth in other blog posts. Some examples of ways you can prevent a breach are:
- Make sure the software on all your devices is up to date
- Train your staff to be aware of security best practices
- Conduct risk assessments
- Encrypt personal data
- Encourage the use of strong account credentials/passwords
Adopting these practices can strengthen your security culture and make your organisation less vulnerable to a security breach.
Hopefully, your organisation will not be the victim of a data breach. But, since data breaches are on the rise, it is likely that your organisation could become a target.
We’ve learned that our employees are our biggest resource when it comes to preventing and detecting data breaches. One way to reduce the likelihood and cost of a breach occurring in your company is to create a strong cyber security culture. Since many data breaches happen because of human error, like clicking on a link in a suspicious email, employees are our first line of defense.
But how can you reduce human error? Aware employees are less likely to make the mistakes that lead to data breaches. That’s why it’s important to create and maintain awareness about cyber security and proper data handling in your organisation. It can be done in many ways, for example through awareness training activities, simulations, and regular exposure to keep your employees sharp. A few ways CyberPilot can help you achieve a stronger security culture are:
- Free best practice posters/digital screensavers to keep in your office
- Awareness training that is quick and pain-free, with new lessons available regularly to keep your employees updated on new security threats they should know about
- Phishing training exposes your employees to simulated phishing attacks, teaching them to recognize a phishing email in a low-stakes scenario
Building a strong security culture does not have to be hard or time consuming. Plus, it can really reduce your risk of a data breach. Aware employees are safe employees, and when it comes to data breaches – that’s a cost you want to avoid.