The average cost of a data breach has risen to a record high, according to a new study by the independent research firm Ponemon Institute. The study found that the global average cost grew from $4.24 million per incident in 2021 to $4.35 million in 2022, an increase of roughly 2.6%. The 2022 figure is also 12.7% higher than the 2020 average of $3.86 million.
These trends are alarming. What’s your organization doing to fortify its defenses against cyberattacks?
Digital data, including financial records, sensitive customer information and employee files stored in the cloud or on the company's devices and networks, is one of the most valuable assets many organizations own. Each year, management should evaluate what's being done to protect these intangibles, where vulnerabilities exist and how to make the assets more secure. Here are some cybersecurity best practices to consider.
Vet your vendors. Hacks are often perpetrated through the victim’s small or midsize vendors. That’s because smaller companies often lack the resources to put strong security measures in place — and hackers are ready, willing and able to take advantage.
Some companies limit outside access to their computer networks, refusing supplier and customer requests to share data. Others require vendors to attest to their security controls before connecting. Third-party services now also produce cybersecurity ratings, similar to credit scores, based on externally observable signals such as traffic between a company's systems and servers linked to cybercrime. As those ratings become more refined, managers may choose to avoid doing business with high-risk customers and suppliers.
Limit access. Companies often have more internet-connected devices than management realizes. Moreover, when employees take devices out of the office or work from home, they expose data to less-than-secure home networks and public Wi-Fi hotspots.
Evaluate which devices actually need to be connected to the internet and take steps to minimize off-site risks. Consider limiting which employees can work from home, educating employees about the risks of cyberbreaches and installing encryption software (full-disk encryption for the device itself and a VPN for traffic sent over untrusted networks) on devices that connect to external networks. Encryption may create compatibility issues when sharing data with other companies and can slow data transmission somewhat, but it is a powerful and cost-effective tool in the battle against cybercrime.
Adopt a continuous-improvement mindset. Protecting against cyberthreats is an ongoing challenge, not a one-time event. Every time a software, hardware or application vendor releases an update or patch, install it promptly on every affected device in a systematic fashion, prioritizing internet-facing systems and flaws known to be exploited. Why? Attackers watch for the latest patches because a patch reveals where a vulnerability exists: by comparing the patched and unpatched code they can locate the fix, build an exploit for the underlying flaw and use it against organizations that haven't yet applied the update. The longer the gap between release and installation, the wider that window of exposure.
Another prevention strategy many companies still use is requiring periodic changes to log-in passwords. Hacked passwords can cause a domino effect, because people tend to reuse the same password across accounts, so a credential stolen from one site is simply tried against others (credential stuffing). Note, though, that current guidance (NIST SP 800-63B) recommends against forced periodic rotation unless there is evidence of compromise, because it pushes users toward predictable variations of the old password. Screening new passwords against lists of known-breached passwords and requiring a second factor, such as a one-time code or push approval on the user's smartphone, are more effective layers of verification. Security questions are a weak second factor because the answers are often discoverable.
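The breached-password screening mentioned above can be done without ever sending the user's password, or even its full hash, to the checking service. The added example below (not code from the original article or from Ponemon/IBM) shows the range-query pattern: the client hashes the candidate with SHA-1, discloses only the first five hex characters, receives every known suffix under that prefix, and matches locally. The breached corpus, the function names and the client/server split are constructed for illustration; a real deployment would load a large corpus or call a service such as Have I Been Pwned's range API, but the logic is the same.

```python
"""Screen a candidate password against a compromised-password list using
the k-anonymity range-query pattern. Added example, not the article's code.
The corpus, names and client/server split below are assumptions."""
import hashlib

# Constructed stand-in for a breached-password feed (assumption for illustration).
BREACHED_CORPUS = [
    "password", "123456", "letmein", "qwerty", "Summer2022!", "Welcome1",
]

PREFIX_LEN = 5  # hex characters the client discloses to the server


def sha1_hex(text):
    """Uppercase hex SHA-1 digest, the format range-query services use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: map each 5-char hash prefix to the set of 35-char suffixes."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def range_query(prefix, index):
    """Server side: answer a range query. The server sees only the prefix,
    so it cannot tell which password is being checked."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return set(index.get(prefix, ()))


def is_breached(password, index):
    """Client side: split the hash, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(prefix, index)


def evaluate_new_password(password, index, min_length=12):
    """Return the reasons a proposed password should be rejected
    (an empty list means it is acceptable)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if is_breached(password, index):
        reasons.append("appears in a known-breach list")
    return reasons


if __name__ == "__main__":
    idx = build_range_index(BREACHED_CORPUS)
    for candidate in ["Summer2022!", "correct horse battery staple"]:
        print(candidate, "->", evaluate_new_password(candidate, idx) or "accepted")
```

The screening runs at the moment a password is set or changed, which is where NIST SP 800-63B places the check; it replaces, rather than supplements, a calendar-driven rotation rule.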
Cover your assets. Another popular security measure is cyber liability insurance. Professional and general business liability insurance policies generally don’t cover losses related to a hacking incident. Cyber liability insurance can cover a variety of risks, depending on the scope of the policy. It typically protects against liability or losses that come from unauthorized access to your company’s electronic data and software.
Instead of purchasing a standalone cyber liability policy, you might be able to add a cyber liability endorsement to your errors and omissions policy. Not surprisingly, the coverage through the endorsement isn’t as extensive as the coverage in a standalone policy.
Seek outside help. Cybersecurity is an important task that few organizations can handle exclusively in-house. Consider seeking outside resources to reinforce your current information technology (IT) policies and procedures. For example, a growing number of small and midsize companies use outside computer security companies to evaluate vulnerabilities in their networks and test how well in-house IT professionals are securing their networks.
For More Information
Risk assessment is also an important part of year-end audit procedures. Accountants are familiar with ways to identify and reduce cyber-risks. Failure to protect valuable intangibles against the risk of cyberattacks can turn these valuable assets into costly liabilities.
More Alarming Statistics
The Ponemon Institute has been conducting this research for 17 years. The latest edition of the annual study, Cost of a Data Breach Report 2022 (published by IBM Security in July), estimates the average cost of a data breach for the 12-month period ending in March 2022 at $4.35 million and breaks that average down as follows:
| Cost category | Average cost |
|---|---|
| Lost business (business disruption and revenue lost to system downtime, cost of lost customers and of acquiring new ones, reputation damage and diminished goodwill) | $1.42 million |
| Detection and escalation (forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards) | $1.44 million |
| Post-breach response | $1.18 million |
Note: The reported costs for ransomware attacks exclude any ransom paid to the perpetrator.
Other eye-opening trends from the report include:
- 83% of organizations have experienced more than one data breach,
- 60% of victim organizations increased their prices because of the breaches,
- 19% of breaches occurred because of a compromised business partner, and
- 45% of breaches were cloud-based.
The study also found that ransomware attacks are increasingly prevalent. In 2022, nearly one in five breaches involved ransomware, an increase of 41% from 2021.
In addition, the report showed that breaches related to remote working arrangements cost an average of $600,000 more per incident than those that didn’t involve remote working. This is an important statistic to remember when deciding whether to allow employees to work from home.
The average cost of a data breach varies significantly, depending on the organization's industry and where it's located. For example, the report includes responses from 17 countries and regions, and the one with the highest average cost is the United States ($9.44 million in 2022). And, of the 17 industries covered by the study, the sector with the highest average cost is health care ($10.1 million in 2022). The runner-up industries were:
- Financial ($5.97 million),
- Pharmaceutical ($5.01 million),
- Technology ($4.97 million), and
- Energy ($4.72 million).
This is the twelfth consecutive year that the United States and the health care industry have topped their respective lists.