Why this report matters

Highlights

Key findings

Average cost of a data breach reaches an all-time high

Line drawing of graph with rising data

Data breach average cost increased 2.6% from USD 4.24 million in 2021 to USD 4.35 million in 2022. The average cost has climbed 12.7% from USD 3.86 million in the 2020 report.

More organizations are deploying a zero-trust approach and seeing savings

Line drawing of location pointer

The share of organizations deploying zero trust grew from 35% in 2021 to 41% in 2022. Organizations that don't deploy zero trust incurred an average USD 1 million greater breach costs compared to those with zero trust deployed.

Compromised credentials, phishing, and cloud misconfiguration were the top attack vectors

Line drawing of circle graph with two x marks

Stolen or compromised credentials were responsible for 19% of breaches. Phishing was responsible for breaches 16% of the time. Cloud misconfiguration caused 15% of breaches.

Security AI had the biggest cost-mitigating effect

Line drawing of two overlapping circles with opposing arrows

Security artificial intelligence (AI), when fully deployed, provided the biggest cost mitigation. The average breach cost up to USD 3.05 million less at organizations with AI than organizations without AI.

Response times were one month faster with XDR technologies

Line drawing of shield with person in center

Organizations with XDR shortened the time to identify and contain the data breach by about a month on average compared to organizations that didn’t implement XDR.

Hybrid cloud model had the lowest breach cost compared to public and private clouds

Line drawing of cloud and two connected servers

Breaches that happened in a hybrid cloud environment cost an average of USD 3.80 million. This figure compared to USD 4.24 million for breaches in private clouds and USD 5.02 million for breaches in public clouds.

Take the next step

Footnotes

*Note that this report does not constitute advice, and any recommendations are for educational purposes only. The research does not use scientific samples, and other limitations need to be carefully considered before drawing conclusions from findings.