Joseph Assaf Turner

The Cost of a Data Breach

A recent study by the Ponemon Institute and IBM examined 550 organizations impacted by data breaches that occurred between March 2021 and March 2022. The breaches spanned 17 countries and regions and 17 different industries.


Not to keep anyone hanging on the edge of their seat, I'll start with a few of the stats highlighted in the study:

  • 83% of the 550 organizations studied had more than one data breach.

  • 60% of organizations’ breaches led to increases in prices passed on to customers.

  • 19% of breaches occurred because of a compromise at a business partner.

  • 45% of the breaches were cloud-based.

  • USD 4.35 million - average total cost of a data breach.

  • USD 4.82 million - average cost of a data breach in critical infrastructure.

Obviously there are many more figures we could show and discuss, but if you look beyond the numbers you start getting an eerie feeling, as if this is something you have come across before.

The basic stats remain similar across the years and across different surveys. The cost of a data breach is staggering, even for large enterprises. Year by year these figures grow, and year by year the companies that suffer the most are the ones with insufficient cybersecurity investment.

What hit me this time while reading the report is how much it feels like the elections. There are those who are convinced that cybersecurity is someone else's problem and will never hit them, even though the statistics show otherwise. It feels like a state of mind that is extremely difficult to change.

The "experts" are preaching cybersecurity to the choir, while the companies that are lacking most seem to remain in the dark right up until they are hit with a devastating cyberattack. Sometimes even after that.

Eventually, regulation will catch up and mandate proper cybersecurity risk management, as with the SEC's proposed rules on cybersecurity risk management and board-level cybersecurity expertise. For many companies this will be a case of "too little, too late", and many more are not under the SEC or any other significant regulation at all.


The more senior managers take charge of the state of cybersecurity in their company and actively manage the related risk, the more resilient companies will be, and entire industries will become less profitable targets for attackers.
