One of the most interesting cyber reports every year comes from IBM, and their 2024 Cost of a Data Breach Report has good news and bad news.
The 2024 Cost of a Data Breach Report was released a few days ago and is available for download here. This year’s report, which is 46 pages, is chock-full of useful and informative statistics and graphics. Here are 10+ of the most notable stats in the report:
- The average cost of a data breach jumped to $4.88 million from $4.45 million in 2023, a 10% spike and the highest increase since the pandemic.
- Compared to other vectors, malicious insider attacks resulted in the highest costs, averaging $4.99 million.
- More than half of breached organizations are facing high levels of security staffing shortages. This issue represents a 26.2% increase from the prior year, a situation that corresponded to an average $1.76 million more in breach costs.
- 35% of breaches involved shadow data (i.e., data residing in unmanaged data sources), showing that the proliferation of data is making it harder to track and safeguard. Shadow data theft correlated with a 16% greater cost of a breach.
- Nearly half (46%) of all breaches involved customer personally identifiable information (PII), which can include tax identification (ID) numbers, emails, phone numbers and home addresses.
- Ransomware victims that involved law enforcement lowered the cost of the breach by an average of nearly $1 million (excluding the cost of any ransom paid).
- The average breach cost for healthcare fell 10.6%, to $9.77 million. But it’s still the costliest industry for breaches by far – a spot it’s held since 2011. Financial was second with $6.08 million.
- For the 14th year, the United States had the highest average data breach cost – $9.36 million – among the 16 countries and regions studied. But the costs were down slightly from 2023’s $9.48 million.
- The mean time it took defenders to identify and contain a breach dropped to 258 days (194 days to identify, 64 days to contain), reaching a 7-year low, compared to 277 days in 2023. Still, that means if you experienced a data breach on January 1st, you typically won’t have identified and contained it until September 14th.
- However, credential-based attacks took longer to identify and contain, with stolen credentials attacks taking 292 days to be identified and contained, and malicious insider attacks taking 287 days. That’s October 18th and October 13th respectively to identify and contain a January 1st breach!
Bottom line: the cost of a data breach is still going up, but we are at least seeing some progress in the mean time to contain a breach (overall). That’s at least some good news.
Again, the 2024 Cost of a Data Breach Report is available for download here. Check it out!
So, what do you think? Which stat above concerns you the most? Please share any comments you might have or if you’d like to know more about a particular topic.
Image created using GPT-4’s Image Creator Powered by DALL-E, using the term “robots finding out their data has been breached”.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.