In its 2023 report on the cost of data breaches, IBM Security outlines several strategies that can either mitigate or exacerbate the financial impact on organizations facing such incidents.
According to the IBM Cost of a Data Breach 2023 Report, the average cost of a data breach in 2023 is $4.45 million (all figures are in US dollars). The report identifies 19 methods, factors, or tools that can help reduce the average cost of a breach, and eight factors that can increase it.
The three most effective cost-mitigation factors are adopting a DevSecOps (Development, Security, and Operations) approach, employee training, and planning and testing incident response (IR) strategies.
DevSecOps, as IBM Security explains, is a practice that integrates security measures into every phase of the software development lifecycle, from initial design through integration, testing, delivery, and deployment. Organizations with a DevSecOps approach saw an average cost reduction of $249,000 compared to the average cost of a data breach.
Employee training is another critical factor, reducing the average cost of a breach by $232,867. Similarly, incident response planning and testing offer nearly identical savings, reducing costs by $232,008.
Of the 19 methods that reduce costs, insurance coverage ranks 11th, contributing an average of $196,452 in cost savings per breach.
On the other hand, key factors that increase costs include the complexity of security systems, lack of security skills, and non-compliance with regulations. For instance, breaches in organizations with complex security systems averaged $241,000 more than the average cost of a data breach, totaling approximately $4.69 million.
The time factor
The lifecycle of a data breach consists of two critical phases: the time it takes to detect the incident and the time required to resolve the situation and restore service levels to pre-breach conditions.
In 2023, the average lifecycle of a breach remained at 277 days, unchanged from the previous year. The longer a breach persists, the higher the costs tend to climb. For breaches that lasted less than 200 days, the average cost was $3.93 million, compared to $4.95 million for incidents extending beyond 200 days.
Company size
In 2023, according to the IBM Security report, the average cost of a data breach increased by 13.4 per cent for companies with fewer than 500 employees. Companies with 500 to 1,000 employees and those with 1,001 to 5,000 employees also saw the average cost of a breach rise in 2023 compared to the previous year, by 21 per cent and 20 per cent respectively.
However, the average cost decreased for companies with more than 5,000 employees, as shown in the chart below. For organizations with 5,001 to 10,000 employees, the average cost of a breach dropped by 16 per cent in 2023 compared to the previous year.
This article is a Magazine Supplement of the July issue of the Insurance Journal.