IBM Security has released its annual Cost of a Data Breach Report, which reveals that UK organisations pay an average of £3.4m for data breach incidents. The study also finds that the use of artificial intelligence (AI) and automation has the biggest impact on UK businesses’ speed of breach identification and containment, reducing the average breach lifecycle by 108 days compared to studied organisations that haven’t deployed these technologies.
According to the 2023 study, organisations that deployed security AI and automation extensively – meaning throughout security operations, and within several different toolsets and capabilities – paid an average of £1.6 million less in data breach costs than organisations that didn’t leverage these technologies. Yet, only 28% of UK organisations surveyed are currently deploying security AI and automation extensively, with a further 37% not yet adopting these technologies.
This year’s report shows a decrease in the total average cost of a data breach in the UK from £3.8 million in 2022 to £3.4 million today – but this is still a 9% increase since 2020. Martin Borrett, Technical Director, IBM Security UK & Ireland, said: “With a 108-day average reduction in the breach lifecycle, security AI and automation may be the driving force needed to help defenders bridge the speed gap with attackers. The slight decline from last year in the overall cost of a data breach in the UK suggests the powerful impact security AI and automation may already be having on early adopters.”
The 2023 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 553 organisations globally between March 2022 and March 2023. The research, sponsored and analysed by IBM Security, was conducted by Ponemon Institute and has been published for 18 consecutive years.
Some additional key UK findings in the 2023 IBM report include:
· Industry Impacts – The UK industries with the highest average cost of data breaches were financial services (£5.3 million), services (£5.2 million) and technology (£4.9 million).
· Initial attack vectors – Stolen or compromised credentials were the most common entry point for attackers at 13%. Malicious insiders were the most expensive initial attack vector (£3.9 million), followed by business email compromise (£3.86 million) and phishing (£3.85 million).
Globally, the 2023 IBM Cost of a Data Breach Report found:
· Security investment divide – The global average cost of a data breach reached an all-time high of $4.5 million this year – yet while 95% of those surveyed have experienced more than one breach, only 51% plan to increase their security investments.
· The Cost of Silence – Ransomware victims in the study that involved law enforcement saved $470,000 in average costs of a breach compared to those that chose not to involve law enforcement. Despite these potential savings, 37% of ransomware victims studied did not involve law enforcement in a ransomware attack.
· Detection Gaps – Only one third of studied breaches were detected by an organisation’s own security team, compared to 27% that were disclosed by an attacker. Data breaches disclosed by the attacker cost nearly $1 million more on average compared to studied organisations that identified the breach themselves.
· Breaching Data Across Environments – Nearly 40% of data breaches studied resulted in the loss of data across multiple environments including public cloud, private cloud and on-premises – showing that attackers were able to compromise multiple environments while avoiding detection. Data breaches studied that impacted multiple environments also led to higher breach costs ($4.8 million on average).
· Critical Infrastructure Breach Costs Break $5 Million – Critical infrastructure organisations studied experienced a 4.5% jump in the average costs of a breach compared to last year – increasing from $4.8 million to $5 million – $590K higher than the global average.