With the median cost per incident coming in at $130,000, most data breaches do not cross the $1 million threshold.
Based on a review of 2,400 cyber incidents at 1,700 companies between 2017 and 2022, cyber risk monitoring firm Black Kite concluded that the average cost of a data breach today, excluding outliers, is $15 million.
According to Black Kite’s 2022 report, The Cost of a Data Breach: A New Perspective, the average data breach cost soars to $75 million once outliers are factored in. With breach costs rising by an average of 10% per year, the total global cost of cybercrime could reach $10 trillion within the next three years, the report said, up $7 trillion from the $3 trillion figure for 2015.
For companies with remote workers, the average cost per breach is $1 million higher than companies without remote workers.
Most data breaches do not result in multi-million dollar losses, the report said. Just over half (51%) fall between $10,000 and $1 million, 15% between $1 million and $10 million, 9% between $10 million and $100 million, and 3% between $100 million and $1 billion. The remainder exceed $1 billion in total costs.
One in four organizations suffered a cyberattack in the past year, the report said. Many were attacked via third parties, as attackers “island-hopped” from a less well-defended vendor or partner into the target organization. Every one of the companies analyzed for the report (100%) was vulnerable to attack because of outdated systems or software.
Organizations that experience data breaches are more susceptible to future attacks. After fixing the initial vulnerability that caused the breach, too many stop looking for more issues, the report said.
“Once an adversary has found a vulnerability to exploit, they become more confident and may escalate to more severe attack methods,” the report said.
Top threat actors
The ransomware group REvil, tied to the 2021 Kaseya and JBS attacks, has reemerged after Russia’s Federal Security Service (FSB) arrested 14 members of the gang in January 2022 and seized their assets, halting operations. REvil attacks accounted for 3% of all ransomware attacks in 2021, the report said.
The next most frequent and most financially damaging threat actor was Conti, which accounted for 10 attacks averaging $85 million per incident.
While the North Korea-based Lazarus Group was responsible for a smaller number of attacks, the average cost per incident was significantly higher than the rest, coming in at $220 million.
“Infamous ransomware groups such as Conti and REvil have invested money in their weaponry to gather more information about their targets and find valuable assets such as PII,” said Ferhat Dikbiyik, head of research at Black Kite, in the report. “Even if these groups dissolve, we will continue to see a higher cost impact in years to come from attacks that have already occurred in 2022.”
Industries targeted by cyberattackers
Because they hold so much sensitive data, finance and insurance are the most targeted industries. Combined, they experienced the highest number of breaches, 445, at an average cost of $35 million per incident.
“Both industries are also subject to the growing Internet of Things (IoT) challenge, where new technologies like mobile banking, chatbots, and online claims processing mean more interconnectivity than ever,” the report said. “Many of these organizations use email to conduct financial transactions, presenting an opportunity for adversaries to insert themselves into the process.”
State and local governments are also prime targets, both because their resources are limited and because attackers set out to disrupt the daily lives of ordinary people. With 326 reported attacks at an average cost of $6 million each, these entities came in second on the list.
Other key findings:
Black Kite Research conducted a global data breach cost analysis curated with OSINT techniques, covering 2,400 data breach incidents at 1,700 companies from 2017 to 2022. The cost analysis included regulatory fines, court settlements, ransom payments, victim notification and business loss.