
August 5, 2024

The real cost of a data breach in 2024


The true cost of a data breach may be significantly more than you think, according to the latest report by IBM. The technology firm found that the average data breach cost victim organizations a record-high $4.88 million in 2024, up from $4.45 million in 2023.

This figure includes direct costs that are easily measured, such as fines or lawsuits, as well as indirect costs, such as reputational damage, which can have serious, long-lasting financial impacts.

It's no surprise that data breaches can be devastating. However, this report serves as a big reminder that there are many ways to reduce the risk of experiencing a data breach, and just as many ways to reduce the damage and consequences should one still occur.

But before we can look at how to lower the cost of a breach, let's look at how the numbers add up.

How the costs of a data breach add up

Incident response and post-breach recovery

Let’s start with a positive: IBM found that the mean time to identify and contain a breach has dropped to a seven-year low of 258 days. Despite that, the overall cost of detecting and escalating a breach has increased from $1.58 million in 2023 to $1.63 million in 2024.

The more troubling figure revolves around post-breach activities. IBM notes that they are one of the two key contributors to the increase in data breach costs. Post-breach response activities, which spiked from $1.2 to $1.35 million, may include things like:

  • Setting up and staffing new customer support channels
  • Providing free credit monitoring or theft protection services
  • Offering financial compensation, refunds, or discounts



And organizations are feeling the squeeze of these increased costs. Nearly two-thirds of organizations said they were planning to pass breach costs onto customers, up from 57% saying the same in 2023.

Compromised intellectual property (IP) and customer data

Customer data is the most common type of record stolen during data breaches, but the per-record cost for this type of data has decreased slightly. According to the IBM report, 46% of breaches involved customer personal data such as names, email addresses, phone numbers, and more.

But companies that avoid losing personally identifiable information (PII) during a breach still run the risk (and costs) of having IP, such as patents and trademarks, compromised. The cost of IP records jumped up to $173 per record from $156 in 2023. Importantly, IP can account for up to 90% of a company's value.

Ransom demands

The average cost of a ransomware attack was $4.91 million in 2024—higher than average but still lower than other extortion-based attacks. Unsurprisingly, the cost of a ransomware attack is significantly lower when law enforcement is involved.

This, however, may be due in part to shortened containment times. The total time to identify and contain a ransomware attack is 281 days with law enforcement's involvement and 297 days when law enforcement isn't involved. Longer containment times force companies to allocate more resources, like labor hours, toward dealing with the breach.

A separate study found that 84% of surveyed organizations agreed to pay a ransom demand after being breached. While it may seem tempting to pay the ransom and avoid extended operational downtime, reputational harm, and various fees associated with a public breach, the transaction isn't always as flawless as the attacker wants the victim to believe.

Consider the ransomware attack on Colonial Pipeline. The organization paid the hacker group $4.4 million for a tool to decrypt systems and fast-track recovery. However, the tool was reportedly so slow that the victim organization continued using its own data backups to restore its systems.

Cybercriminals don't always stick to their word, either. A recent study from TELUS found that under 50% of Canadian companies that paid a ransom to get their data back actually did. Paying your attackers does not guarantee recovery.

Lost business and reputation damage

Recall earlier when we noted that post-breach recovery was one of two contributing factors to higher breach costs? Lost business is the second key contributor.

Lost business soared to $1.47 million in the 2024 IBM report. And while it’s not the highest it has been in recent years, it is up from 2023.

Some of the costs associated with this aspect of a data breach include:

  • Missed sales due to system downtime
  • Cancelled contracts with third parties or other business partners
  • Activities to minimize customer loss (e.g., hosting a customer appreciation sale)
  • Lost customers due to reputation damage
  • Higher costs to acquire new customers (e.g., additional marketing spend)

Studies confirm that public perception changes drastically after an incident. For example, 60% of survey respondents reported being less likely to do business with a retailer or brand that has suffered a data breach, and 21% said they would change companies outright after a data breach.

Legal and noncompliance penalties

Legal and regulatory penalties associated with data breaches can vary depending on several factors. The size of the breach, the types of data stolen, your industry or geographical location, and your company's initial incident response will all inform legal costs.

For example, your legal situation may need a dozen billable hours or hundreds. Depending on the extent of the damage, you may decide to enlist a PR firm for long-term support. In some cases, you could even face individual lawsuits from the victims or major class action proceedings.




Companies in highly regulated industries, such as healthcare and financial services, will pay greater noncompliance fines than others. For example, healthcare data breaches are far more expensive than the average breach, likely due to the industry's extensive data privacy policies.

Those in highly regulated countries will also see higher penalties. Canadian organizations can be fined 100,000 Canadian dollars under the Personal Information Protection and Electronic Documents Act, with similar fines for European Union members governed by the General Data Protection Regulation.

How to protect against a data breach

We've covered the different expenses your company may experience if it becomes the victim of a data breach. Now let's look at steps you can take to lower the cost of a breach or, ideally, avoid one entirely.

Raise awareness company-wide

Raising company-wide awareness about data breaches is a smart first step. While some breaches are intentional and malicious, many are purely accidental. Boosting cybersecurity education and training can help prevent these types of mishaps.

Picture this: an employee accidentally sends confidential customer data to the wrong email address, or they click on a link in a cleverly disguised phishing email, unknowingly launching malware. By educating your team about these kinds of cyber risks, you can reduce the likelihood of accidental breaches.

Cybersecurity is everyone's responsibility because anyone in your company can be targeted. To get the best results, ensure all employees are familiar with common attack tactics, techniques, and procedures so they can recognize when they're being targeted.

It's also crucial that employees know and follow cybersecurity best practices, like using strong passwords and enabling multi-factor authentication whenever possible.

Understand and reduce your threat surface

Your company's threat surface consists of people and accounts, software, hardware, and cloud-based services—anything an attacker can exploit. With a better understanding of all your risks, you can take consistent steps to resolve them and reduce the chance of an attack.

For example, you can correct misconfigured software that might be putting confidential data or critical systems at heightened risk of compromise. It's also best practice to delete old accounts of former employees and ensure that current employees only have access to the data and systems necessary to complete their tasks.

You should also make sure all software is running on the most recent version. Patching can be tedious and time-consuming—sometimes requiring a reboot to complete. But it's necessary. Patches fix bugs, add new features, improve performance, and address critical security vulnerabilities.

Create and maintain data backups

While having data backups won’t reduce your risk of experiencing a breach, they are a crucial component of recovering quickly from one.

They provide copies of essential files that can be quickly restored after a cyberattack or any event compromising your data. In the event of an incident that limits access to critical files, a reliable backup system can significantly expedite recovery, helping you get back to business faster.

There are several data backup methods, such as external hard drives, self-service cloud storage, and dedicated backup providers. Each option has its pros and cons, so it’s important to choose the one that best fits your company’s unique needs.

For instance, using an external hard drive to store business-critical data might not be ideal for remote-only companies or those without IT professionals to manage it. However, it could be a practical choice if you have a physical office and an in-house IT team to support it.

Be prepared for an incident

Incident response (IR) planning and testing is one of the two most popular areas of security investment this year, according to the IBM report.

And it’s no wonder why. Planning and regularly rehearsing your incident response process can not only minimize the negative impacts of a breach and help you get back to business quicker, but also reduce the stress of dealing with an incident.

It’s also important for customers, partners, and stakeholders. An efficient response to incidents proves that you take cybersecurity seriously, maintaining your reputation and others’ trust in your organization.

There are IR plan templates and guidelines available online, but creating your own can be time-consuming and may be out of scope for many smaller businesses.

Investing in an incident response (IR) preparedness service is often easier as you'll work with experts to assess your company's cybersecurity posture, identify key assets and roles, and develop step-by-step incident response playbooks.

Put the right solutions in place

Studies have found that using automated technology to identify and contain cybersecurity incidents instead of manual processes drastically decreases the breach life cycle and, in turn, reduces breach costs.

In fact, the IBM report found that the more organizations used AI and automation, the lower their average breach costs.




But not just any automation will do. Simply layering point solutions (one for your endpoints, one for the cloud, and so on) often results in visibility gaps, an unmanageable volume of alerts to open and investigate, and inadequate security. Having the right solutions in place is paramount.

Field Effect MDR combines automation and human intelligence to detect and respond to threats and vulnerabilities across your network, cloud-based services, and endpoints. And, with automated blocking of major cyber threats like ransomware and advanced persistent threats, you can sleep soundly knowing your cybersecurity is handled.

Reduce your risk of a breach today

The cost of a data breach can devastate your company. That's why there's no time like the present to take preventative action. We can help you do that with Field Effect MDR. Book a demo today to see how Field Effect MDR reduces cyber risk and improves your defense.

If you think you're experiencing a cyberattack or security event now, our incident response (IR) team is available 24/7 to investigate, remediate, and get you back to business. Please contact our team if you need immediate IR assistance.