Rising Costs of Data Breaches
Key Points
- The IBM Cost of a Data Breach survey shows the average breach now costs about $4.9 million globally (roughly $10 million in the U.S.), a 10% increase over the previous year, and the figure has been trending upward over time.
- Data is described as the “lifeblood” of modern enterprises; losing it can erode intellectual property, brand reputation, and customer trust.
- The findings are based on a rigorous methodology that includes interviews with roughly 3,500 people across 600 organizations, marking the 19th consecutive year IBM has conducted the study.
- Costs vary significantly by industry, with some sectors experiencing substantially higher breach expenses than others.
- The video promises to share real‑world lessons and practical recommendations for reducing breach impact and controlling these rising costs.
Sections
- [00:00:00] IBM Data Breach Cost Overview - The speaker introduces IBM's annual Cost of a Data Breach survey, highlighting the average $5 million breach cost, the study’s methodology involving 600 organizations and 3,500 interviews, and previews key findings, lessons, and recommendations for protecting enterprise data.
- [00:03:02] Data Breach Costs by Sector - The speaker outlines average breach costs across the top sectors—energy, technology, industrials, financial and health care (peaking at $9.8 M)—and highlights staffing shortages and unmanaged shadow data as key challenges driving those figures.
- [00:06:10] Complexity Fuels Costly Data Breaches - The speaker stresses that prolonged breach containment—especially for identity credential incidents averaging 292 days—escalates costs, and advocates simplifying security systems via the KISS principle to mitigate expenses.
- [00:09:16] Mitigating Breach Costs Through Trust, Verification, and Training - The speaker outlines how limited budgets and talent drive reliance on AI, stresses the need to “trust but verify” third‑party and cloud providers, and highlights employee training as a key strategy to lower data‑breach expenses.
- [00:12:21] Strengthening Identity, Data, and Response - The speaker outlines key tactics—multifactor authentication, passkeys, data discovery and posture management, visibility dashboards, and involving law enforcement—to reduce breach impact and ransom costs.
Source: https://www.youtube.com/watch?v=c1K6bw5ATzk
Duration: 00:14:24
Full Transcript
Your data is really expensive.
How much?
Well, consider: according to IBM's annual cost of a data breach survey,
we found it's on the order of $5 million
every time there's a data breach.
That's the average.
So if you're looking at a bell curve, that's the stuff here.
That means there are plenty more
that are actually a lot more than that.
Well, in this video we're going to take a look at
what were the findings from that survey.
And we've run it many years.
And we're going to take a look at some lessons learned
from real world data breaches
and ultimately some recommendations of what you can do
to guard against this and mitigate this cost.
Data is the lifeblood of a modern enterprise.
If you lose it, you lose your competitive edge.
You could, for instance, lose your intellectual property.
You could lose things like your company's reputation.
And ultimately, you can lose these folks ... customers.
You don't want to lose those.
So it's really important that we not lose that information,
that we're able to maintain that and keep it secure.
So that's why IBM has conducted, for the 19th year in a row,
the Cost of a Data Breach survey.
And we produce a report which you can take a look at
in detail and see those findings.
In this video, we're going to take a look at what some of those major findings were.
And to give you an idea of the methodology behind this.
They actually went out and talked to about 600 organizations
and interviewed in the range of 3500 people.
So there was a lot of work that goes behind this, a lot of data.
I don't want you to think that they just went and cherry picked a few people.
These are all people that experienced real world data breaches.
So when we talk about what the survey tells us, it tells us a lot.
It tells us what real world data breaches actually were like.
Okay, let's take a look at the cost and see what the trend has been over time.
If we look at the last number of years,
you can see generally the trend is working its way up.
Not a huge surprise.
Everything's more expensive.
It turns out your data is as well.
Last year we were at about 4.5 million
on average for a data breach worldwide.
Well, this year I have some bad news to report.
We're now at about 4.9 million, which is an increase of around 10%.
So that's not what we want to see happen.
We'd like to see these costs going down.
But they're not, they're continuing to increase.
Oh and by the way,
if you think that's a tolerable number, if you're in the U.S.,
you can pretty much multiply it by two
because the U.S. numbers are about twice this.
So again, not really what we want to see.
We'd like to see these numbers come down.
We'll talk later in the video about what we could be doing
that will actually contribute to that.
But let's also take a look at this from an industry perspective.
Were there certain industries that did better or did worse?
Or that it was more expensive or less expensive?
Based upon if their data was breached.
Well, we'll start off with the first.
These are the top five.
By the way, there are others that were lower than this.
But if we're looking at just the top five at 5.3 million,
that's where you're going to see the energy sector.
At 5.5 million, just a little bit up from that,
that's where you're going to see the technology sector.
And then up from that, the industrials,
industrial area 5.6 million per data breach.
Then as we're building financial comes in at 6.1.
Now who was the winner?
Well, I don't know, maybe loser.
But if you look at this way up here
at 9.8 is where the health care industry came in.
So information in that space is really important.
And it's reflected in the numbers here.
So what were the challenges that contributed to those kinds of numbers?
Well, it turns out staffing shortage was a big one.
That is, we've got these folks on board.
But how about the others that we don't have?
It turns out that a lot of organizations, in fact, more than 50%,
reported staffing shortages
as one of the major challenges that was contributing.
That number is up 26% from last year's report.
So that's not trending in the right direction.
Another one.
Let me ask you, do you know where your data is really?
Well, you might know about this,
but this other stuff,
the shadow data where somebody has made a copy of the data,
or maybe they created new data and didn't tell you about it,
and yet it's still sensitive.
And if this gets compromised, we're still in trouble.
Well, that's an area that also turned out to be a challenge.
And in fact, this area is not going to get better, I expect.
When we start adding AI into the picture, we're going to see AI models
that will be shadow versions as well,
and we're going to need to discover those also.
So keep an eye on that.
How about some of the causes,
the attack vectors, the top attack vectors.
The top two were in fact the same as they were last year.
It was phishing.
And it was credential theft.
And in fact, if you think about it,
a lot of phishing attacks are really about stealing credentials anyway.
So very similarly, those two things came out number one.
A lot of other things contributed.
And you can look at the report to see the details of other
aspects that were exploited in this.
But these were the two that stood out.
So if we want to make a big difference,
obviously we need to focus here.
And what is that?
That's all about identity and access management,
at least the credential part.
Okay, let's take a look at one other aspect
where we actually saw a little bit of good news, but it wasn't a great deal.
Nothing really to write home about.
Mean Time to Identify -
how long does it take for you to figure out
that the bad guy is in your system?
That number has remained about the same for the last decade or so.
It's about 200 days, which is way too long.
Mean Time to Contain - actually get the problem taken care of.
That has remained at about 70 days.
So you look at those together and you end up with about 270 days,
which is about three fourths of a year.
That is way too long.
And again, that's the average.
That means that there are a number of these that are taking well beyond that,
maybe more than a year before we realize and get the situation contained.
That's an intolerable situation, I think, going forward.
And we found that if, in fact, the cause of the data breach
was dealing with these identity credentials,
that the number was actually even higher, it was 292 days.
So let's focus on these kinds of things
and we'll take a look at some recommendations.
Okay, enough of the gloom and doom.
How about a little sunshine?
What can we do to improve the cost of a data breach?
Well, it turns out there were three things that the report told us
based upon the real world data that were lessons learned,
that told us these are the things that actually contribute
to the cost of a data breach and make it worse.
And I'm going to give you five things, and then even a few bonus topics
that will decrease the cost of the data breach.
So stay through till the end.
Number one on this list was complexity.
Complexity of the security system.
It turns out complexity is the enemy of security.
So whatever we can do to follow what I refer to as the KISS principle:
"Keep It Simple, Stupid".
That's going to be to your benefit.
Make the system as simple as you possibly can.
Let me give you an example of what I mean by that.
Let's take a look at in the identity and access management space.
What typically happens in organizations is we will have
a different identity management system directory, what have you.
For each application or at least for a few different applications,
different OS's and so forth.
So that means I need an administrator for each one of these
that is not following the KISS principle.
This would be simplified
if I put a layer here for identity and access management above.
Then I can have an administrator up here
who administers all of these systems
through a central console, through a common interface.
And then maybe I don't need as much of this.
I can use those people on other areas where their skills are best utilized.
The same thing applies in the data space.
So if I've got data security, well,
I'm securing each one of these databases using the native access control capabilities.
But what if instead I use a common data security layer?
Then I could have an administrator up here who administers through that, and then it pushes all these out.
And again, it allows me to reduce the impact that I have
where I don't have enough staffing
and it gives me a more consistent, more simple interface.
So keep that in mind as a possibility.
What else?
Well, the skills shortage, I mentioned that earlier.
Turns out the skills shortage is causing the cost of a data breach to go up.
So again, if I can do things here,
it mitigates a lot of what would be otherwise a particular issue.
Now, in a perfect world, I'd just hire more people.
But we're not going to be able to hire all the people we want.
We don't have the money for it,
and there are not enough skilled people out there.
So what else could we do?
Well, let's see what AI and automation can do for us.
More on that later.
Another thing that contributed to the cost of a data breach in a big way
was third party issues.
That is when you connect your system into others.
You also inherit some of the risk that goes along with their systems.
You might do a perfect job of security,
but if they don't, you now get to, downstream,
bring in all of the problems that they have as well.
And we found that was a major area that was contributing to cost.
So what should you do about that?
Well, trust but verify.
I need to go in and make sure that everything they're doing
that they said that they're doing in their security as much as possible.
I need to verify that that's the case.
Make sure that their policies match my policies,
their expectations, my expectations, and so forth.
So that's a big area as well.
And one of those third parties could in fact be your cloud provider as an example.
All right.
What are the things that we could do that will actually contribute
to bringing the costs down?
Those are the things that contributed to making it go up.
So we'll look at the flip side of this.
Well, number one on the list was employee training.
This was maybe a little bit of a surprise for a lot of people,
but training your employees so that they become part of your security system
and not another weak link can make a big difference.
What else could we do?
Well, we could also, as I said before, use more AI and automation.
And what the report showed us is that organizations that do that
were able to save on the order of $2.2 million on the cost of a data breach.
That's significant.
If the overall number is about 4.9,
and you're able to save this much
by doing any particular thing, that's a big difference.
So that's a $2.2 million savings by organizations
that had extensive use of automation and AI
as compared to those who didn't.
So this is a big one that can make a huge difference, as we see.
Having a good security information and event management system
in place is important.
You can't secure what you can't see.
So you need a system that monitors
all the different things that would be out there.
So a good SIEM helps you with that.
Incident Response Planning: that is, knowing in advance
where the fire extinguisher is
so that you're not searching for it at the moment that your hair is on fire.
That's the way you want to approach this.
So you want to plan out what all the contingencies would be
and make sure that you have the plans, the tools, the processes all in place
and you know how to do it in that moment when it occurs.
And then obviously, if we're talking about data that is sensitive, encrypt it.
That way, if someone does get into your system and copies that out,
well, they can only do so much with it because it's encrypted.
Hopefully you've encrypted it well and it will still be covered for you.
So those are the kinds of things that make a lot of sense for us to do.
But what else could we do?
I told you I would give you some bonus topics in this space as well.
Well, some other things that turned out to be very important.
I mentioned earlier that credentials were a big part
of what was causing these data breaches to occur.
So whatever I can do to improve my identity and access management
would make a big difference.
What kinds of things could we do there?
Well, how about multifactor authentication?
How about using passkeys?
Those are the kinds of things that if I use passkeys,
no one can steal my password because I don't have one in the first place.
And if you say, well, I'll just steal a passkey.
Take a look at the video I did on Passkeys
and you'll see how much more difficult something like that would in fact be.
What are some other things you could do?
How about data security?
Posture management?
Know where all your data is.
Discover it all.
Especially in cloud instances that shadow data that I mentioned earlier.
We need to know where it is or we can't secure it.
Also, I want to be able to make sure that I have the controls in place
once I've found it, and that we've automatically verified that.
And we have a dashboard that shows us all of that visibility.
Very important.
And then ultimately leverage law enforcement.
It turns out that the organizations that did
that two-thirds of them that brought in law enforcement
in a ransomware case paid - are you ready for this?
$0 in ransom.
That's a nice number.
So it's not a guarantee,
but it certainly puts the odds in your favor if you have a ransomware attack.
This reduces the likelihood, and it turns out
it also reduces the cost of a data breach.
So there you go.
The cost of a data breach, unsurprisingly, is up.
But the good news is there are some things you can do
to lessen those costs and lessen your risk.
Take a look at the full report and you can learn more.
If you like this video and want to see more like it,
please like and subscribe.
If you have any questions or want to share your thoughts about this topic,
please leave a comment below.
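The dwell-time figures the speaker quotes (Mean Time to Identify, Mean Time to Contain, and their sum as the total breach lifecycle, with a longer lifecycle for credential-driven incidents) are the kind of metric a security team can compute from its own incident records. The following is an added example, not code from the video or from IBM's report; the incident records, the field names and the attack-vector labels are constructed for illustration and are not a real schema.

```python
"""Compute breach dwell-time metrics from incident records.

Added example; not code from the video or from IBM's report. The records,
field names and vector labels below are constructed assumptions.
"""
from datetime import datetime
from statistics import mean

# Constructed sample incidents: when the intrusion began, when it was
# identified, when it was contained, and the initial attack vector.
INCIDENTS = [
    {"id": "INC-1", "vector": "phishing",
     "start": "2024-01-01", "identified": "2024-07-19", "contained": "2024-09-27"},
    {"id": "INC-2", "vector": "credential",
     "start": "2024-01-01", "identified": "2024-08-10", "contained": "2024-10-19"},
    {"id": "INC-3", "vector": "credential",
     "start": "2024-01-01", "identified": "2024-09-19", "contained": "2024-10-19"},
    {"id": "INC-4", "vector": "phishing",
     "start": "2024-03-01", "identified": "2024-03-21", "contained": "2024-03-31"},
]


def _days(earlier: str, later: str) -> int:
    """Whole days between two ISO dates (later minus earlier)."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).days


def incident_times(inc: dict) -> tuple:
    """Return (days to identify, days to contain, total lifecycle) for one record.

    Out-of-order timestamps are rejected rather than producing negative
    durations that would silently pull the averages down.
    """
    tti = _days(inc["start"], inc["identified"])
    ttc = _days(inc["identified"], inc["contained"])
    if tti < 0 or ttc < 0:
        raise ValueError(f"{inc['id']}: timestamps out of order")
    return tti, ttc, tti + ttc


def dwell_metrics(incidents: list, vector: str = None) -> dict:
    """Mean time to identify / contain / total lifecycle over the incidents.

    Pass vector="credential" (or any label used in the records) to restrict
    the average to one attack vector, which is how a per-vector figure such
    as the credential-incident lifecycle in the video would be derived.
    Returns None when no incident matches.
    """
    rows = [incident_times(i) for i in incidents
            if vector is None or i["vector"] == vector]
    if not rows:
        return None
    tti, ttc, life = zip(*rows)
    return {"count": len(rows), "mtti": mean(tti),
            "mttc": mean(ttc), "lifecycle": mean(life)}


def over_threshold(incidents: list, max_days: int = 270) -> list:
    """Ids of incidents whose total lifecycle exceeds max_days.

    With the default set to the roughly 270-day average quoted in the video,
    this lists the long tail of incidents the speaker warns about.
    """
    return [i["id"] for i in incidents if incident_times(i)[2] > max_days]


if __name__ == "__main__":
    print("all incidents:      ", dwell_metrics(INCIDENTS))
    print("credential only:    ", dwell_metrics(INCIDENTS, vector="credential"))
    print("phishing only:      ", dwell_metrics(INCIDENTS, vector="phishing"))
    print("beyond 270 days:    ", over_threshold(INCIDENTS))
```

Run against real ticket exports, the same three functions give a team its own identify and contain averages per attack vector, and the threshold list points at the incidents whose timelines most need a post-incident review.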