An IBM analysis of 604 organizations published today finds the average cost of each breach, including lost revenue, has now reached $4.9 million.

A separate survey of 3,556 security and C-suite business conducted by The Ponemon Institute on behalf of IBM additionally finds a full 63% of respondents work for organizations that plan to pass the cost of security breaches along to customers.

The size of the breaches analyzed ranged from 2,100 to 113,000 compromised records, with 70% of respondents reporting a breach caused significant or very significant disruption to their operations, with the mean time to identify and contain a breach being 258 days. Only 12% of respondents said their organization had fully recovered from their data breaches.

The most common type of data stolen or compromised was personally identifiable information (PII) belonging to customers (46%), with malicious attacks accounting for 55% of all breaches, compared to 23% caused by an IT failure or 22% attributed to human error. More than a quarter of all breaches (27%) involved intellectual property. Costs associated with incidents are estimated to be $173 per record.

Security teams detected those breaches 42% of the time, compared to benign third parties at 34% and cyberattackers themselves at 24%, the survey found. When a breach was disclosed by an attacker, the average cost was $5.53 million, compared to $4.55 million when discovered by a cybersecurity team, the survey found.

Only 16% of breaches involved stolen/compromised credentials, but at 10 months those types of breaches required the most time to contain.

A full 40% of breaches involved data stored across multiple environments including public cloud, private cloud and on-premises IT environments. These breaches cost more than $5 million on average and took the longest to identify and contain (283 days).

Limor Kessem, global lead for IBM X-Force cyber crisis management at IBM, said as more data is stored in both managed and unmanaged locations the probability of a breach only increases. Shadow data stored in applications not managed by IT teams are especially vulnerable, she added.

Overall, the top three factors that amplified breach costs in this analysis were security system complexity, security skills shortage and third-party breaches. More than a quarter of respondents (26%) also noted they work for organizations with severe security staffing shortages, which on average resulted in $1.76 million in higher costs.

Using AI to Improve Security

The report also notes that 67% of respondents work for organizations that already make use of artificial intelligence (AI) and automation to improve security, with 20% already having some form of generative AI capability. On average, these organizations were able to detect and contain a security breach 98 days faster than organizations not using these technologies. Organizations not using AI and automation had average costs of $5.72 million, compared to $3.84 million for organizations making extensive use of AI and automation.

Additionally, organizations that engaged law enforcement (63%) reported they were able to avoid having to make a payment. Those that did make a payment on average saved nearly $1 million in costs compared to those who didn’t.

On the plus side, 63% of respondents said their organization plans to increase security budgets, with employee training leading the way in terms of investment priorities.

It’s not clear to what degree organizations are now prioritizing data security versus continuing to invest in perimeter security. However, the one clear thing is that as the cost of a data breach continues to rise cybersecurity budget dollars that are being allocated will increasingly be up for review.