IBM on the cost of a data breach.
By Tim Nodar, CyberWire senior staff writer. (The CyberWire editorial staff also contributed to this article.)
Jul 25, 2023

The healthcare sector has been hit especially hard by cybercriminals..

IBM on the cost of a data breach.

IBM has published its Cost of a Data Breach report for 2023, finding that the average cost of a breach in 2023 is $4.5 million. The researchers state, “This represents a 2.3% increase from the 2022 cost of USD 4.35 million. Taking a long-term view, the average cost has increased 15.3% from USD 3.86 million in the 2020 report.”

The healthcare sector sees a big jump in breach costs.

The healthcare industry, however, has seen a 53.3% increase in data breach costs since 2020: “The highly regulated healthcare industry has seen a considerable rise in data breach costs since 2020. For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of USD 10.93 million.”

The report also found that victims of ransomware attacks often saved significant sums of money if they involved law enforcement in the response: “Ransomware victims in the study that involved law enforcement saved $470,000 in average costs of a breach compared to those that chose not to involve law enforcement. Despite these potential savings, 37% of ransomware victims studied did not involve law enforcement in a ransomware attack.”

Industry experts explain why healthcare remains a favorite target.

Limor Kessem, a senior cybersecurity consultant for IBM Security, sees this unfortunate trend as likely to continue. “We're seeing a very big increase for healthcare organizations, probably because they're really in the crosshairs of attackers. And there is no relenting so far.” Kessem added, “Security folks are going to work for places where they could get the bigger paycheck, and it's not always going to be a healthcare organization. It's a tough industry to get very skilled staff.”

Carol Volk, EVP at BullWall, recommends that organizations look to automation to reduce costs and increase security. “Work smarter, not harder,” Volk admonished. “There is good affordable automation available (and coming) in the cybersecurity field. Even the best cybersecurity teams get overwhelmed by too many alerts, so there is a serious effort to automate the filtering of those "alerts" to just those requiring immediate human interaction, effectively slowing down the alert pace to a manageable, human speed. This is why the automation of detection and containment of attacks is more and more the focus. The attack is slowed or stopped before data can be affected, allowing defenders time to respond. The application of AI is expected to greatly accelerate this effort of determining what must be reviewed by humans for response.”

Emily Phelps, Director at Cyware, noted the reasons for healthcare’s current attractiveness to attackers. “Healthcare will always be an attractive target for threat actors because of the valuable data they collect and store,” Phelps wrote. “Adversaries don't only outnumber available cybersecurity pros; they collaborate effectively too. To mitigate the risks, healthcare organizations should leverage automation tools that enable lean security teams to efficiently address threats; they should ensure they invest in regular security awareness training so employees are armed to recognize and avoid common threat tactics such as phishing attacks; and they should consider partner with security providers that can act as an extension of their teams, gaining expertise that is more difficult to resource and retain internally.”

Stephen Gates, Principal Security SME at, sees the healthcare sector’s defenders as outnumbered and overmatched by their adversaries. “The healthcare industry is being impacted by an enormous threat landscape with vast numbers of threat actors who are looking to breach organizations' networks, steal their data, hold them for ransom, and potentially destroy their businesses. The defensive technologies they have in place are proving to be insufficient in blocking today's attacks.” Gates recommends an approach to security. “Continuously assessing your network attack surface, finding your weaknesses, remediating them immediately, and verifying that your remediations worked is the best way organizations can stay ahead of attackers. Consider attacking yourself daily, then fixing what matters most.”

(Added, 2:45 PM ET, July 25th, 2023. Colin Little, security engineer at Centripetal, thinks the reported performance wouldn't cut it if you were a short-order cook flipping burgers. “While I personally find the statistic that 1 in 3 data breaches are identified by an organization's own internal security team better in the defender's favor than I expected, it is still an astoundingly poor metric. If I work for a restaurant, and 1 in 3 burgers I serve are actually cooked to specification, I probably wouldn't last long in this position. If, however, this was the case because I didn't have the proper tools to do the job, I could replace the cook every single day and it wouldn't make much of a difference." Little added that the report confirms what a lot of people have felt. "I believe the research behind this statistic speaks strongly towards a fact that many feel intuitively, and many know academically, that a different approach to network, asset, and breach protection is required. The key to this different approach is in the fact that a number of the undiscovered breaches are identified by benign third parties. How did these third parties discover a compromise, being external to an organization and having no sensor equipment in my network? I believe the answer is in the intelligence they use to observe traffic to the internet." And Little thinks the civilian security workforce should take a page from military intelligence's book. "What needs to happen to achieve better network, asset, and breach protection is this: we need, as defenders, to adopt the intelligence fundamentals that the military utilizes. Specifically, we need to leverage multiple sources of intelligence, and we need to do so on a much grander scale than we have, and we need to effectively prevent attacks with these intelligence sources while ensuring some flaw in the data doesn't stop business services. This is easier said than done, of course - I have lived this effort for 5 years. The reason why it is so hard for the common defender is that, for so long we have relied on vendors of cyber defense technologies to simply handle the intelligence piece for us. We have been raised as overly-entitled consumers, similar to the overly-entitled children whose parents go crazy trying to do everything for them, and the sad fact is those days are over. Even those mighty defenders are now just single sources of intelligence, all with different collection methods which need to be used in conjunction with, and corroborated with multiple other trusted sources. It's time for us all to grow past this, and we can." He concludes, "My advice to the industry is that we must operationalize threat intelligence to protect organizations from every known cyberthreat. It’s time to be proactive. By applying intelligence powered cybersecurity to your security stack, you are ensuring comprehensive protection against the latest cyberthreats based on the most current threat intel.”

Darren James, senior product manager at Specops Software, is struck by the sectors that continue to attract criminal attention. “Healthcare once again appears to be the main target for data breach attacks and the costs associated are roughly double that of other industries. Customer and employee PII being the most coveted of data stolen," James writes. "The energy sector has also proven to be a more popular target this year. After hitting the headlines with the global energy crisis, and the huge profits made by many energy companies this has proven to make them a lucrative target. Also interesting is that the Industrial sector, and in particular manufacturing, is now in the top five." James is also struck by the evidence of room for improvement. "The report shows that there hasn’t been much progress in detecting a breach, still at 200-plus days. This also demonstrates that the tactic of breaching and then moving laterally across the network is still very much standard operating procedure of threat actors. This means that we still need to improve detection of threats and strengthen our internal network controls, not just the perimeter. And fixing the problem after discovery is still taking 70-plus days, so more effort needs to be made in the disaster recovery and contingency planning areas." Looking at the initial attack vectors, they're familiar. "Phishing and stolen credentials are still the most common initial attack vectors, and certainly, enabling a stronger passphrase (as opposed to password) policy is inexpensive to implement alongside a continuous scan for breached passwords. Phishing can also be thwarted by implementing strong MFA and compulsory Security Awareness Training that can adapt the behavior of users to be more cyber aware. Insider attacks, although relatively rare did prove to be the costliest to resolve, again zero trust and MFA even when inside the perimeter of the network is a must. Misconfigured cloud configuration and both known and unknown (zero day) vulnerabilities were also prevalent. Alongside this, the fact that only 33% breaches were detected by the companies themselves, means there’s a lot of work to do around pen testing, auditing, and threat intelligence." And there are some unaddressed problems that continue to trend among organizational vulnerabilities. "The Cost Amplifiers chart showed that the lack of security skills, complexity of securing the network and noncompliance with regulations as the most important factors. The non-compliance issue is the most frustrating as it shows that guidance and process has already been identified, but has failed to be implemented – it would be interesting to know how much poor password hygiene or authentication played a part in that statistic.”)