Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches.
To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023 are:
- United States: $9.48 (up 0.4% from 2022)
- Middle East: $8.07 (up 8.2% from 2022)
- Canada: $5.13 (down 9% from 2022)
- Germany: $4.67 (down 3.7% from 2022)
- Japan: $4.52 (down 1.1% from 2022)
Is there a root cause for the top countries on the list? What factors are at play? Are some countries more susceptible to social engineering attacks like phishing?
Why are the costs for the top countries so high?
While it’s difficult to quantify, the high costs in the top five countries can be attributed to several factors.
The United States
The U.S. has the highest average total cost of a data breach at $9.48 million, up from $9.44 million in 2022. The U.S. figure is likely driven by the size and complexity of U.S. organizations and the country's extensive digital infrastructure, as well as the sensitivity of the data those organizations hold and the regulatory environment they operate in.
The Middle East
In the Middle East, the high cost is likely attributable to the large number of breached records, the high rate of malicious attacks and the longer time taken to identify and contain a breach.
Germany
In Germany, the cost is likely due to the large number of lost or stolen records and the high rate of malicious or criminal attacks.
Canada and Japan
In Canada and Japan, the high cost may be attributed to the high churn rate (the rate at which customers stop doing business with an entity) and the longer time to identify and contain a breach.
Do data breach laws contribute to high costs among the top five countries?
While the report does not directly link these regulatory factors to the top five countries, it suggests that the regulatory environment and compliance with regulations can significantly impact the cost of data breaches.
For instance, in the United States, data privacy laws such as the state-level California Consumer Privacy Act (CCPA) and the federal Health Insurance Portability and Accountability Act (HIPAA) impose hefty fines and penalties for non-compliance. Similarly, in the European Union, the General Data Protection Regulation (GDPR) imposes strict penalties for data breaches, affecting countries like Germany and France.
Is the U.S. disclosing more breaches now than it has in the past?
The report does not conclude whether the U.S. is disclosing more breaches now than in the past due to mounting state data privacy policies. However, it does provide some relevant information:
- The United States has been a part of the Cost of a Data Breach Report for 18 years, the longest of all countries or regions involved.
- Only one-third of companies discovered the data breach through their own security teams, highlighting a need for better threat detection. The majority of breaches (67%) were reported by a benign third party or by the attackers themselves. When attackers disclosed a breach, it cost organizations nearly USD 1 million more than internal detection.
- The majority of respondents (57%) indicated that data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers.
This data suggests that the disclosure of breaches is a complex issue involving multiple factors, including detection capabilities and financial implications.
However, organizations often won’t disclose that they have been breached for fear of reputational damage, regulatory scrutiny or legal liability. Even more often, companies may lack adequate cybersecurity measures or trained personnel to deal with the breach.
In fact, the FBI recently stated that only about 20% of ransomware incidents are reported.
What unique costs does the U.S. experience compared to other countries?
The United States incurs several direct and indirect costs that other countries may not have, which include:
Higher lost business costs. The United States has the highest lost business costs, which include the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.
Higher post-breach response costs. These cover the response activities that help minimize the impact of the breach, such as help desk resources, inbound communications, special investigative resources, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.
Notification costs. In the United States, organizations are required to notify affected individuals, regulators and the media in certain circumstances following a data breach. These notification costs can be substantial.
Are citizens more prone to social engineering in some countries compared to others?
The IBM report does not directly comment on the tech savviness of citizens or their susceptibility to social engineering. It primarily focuses on the organizational costs and impacts of data breaches rather than individual behaviors.
However, it does note that human factors, including social engineering attacks, play a significant role in data breaches. For instance, it states that nearly one in six breaches (17%) was caused by phishing, which is essentially human error.
It’s important to note that susceptibility to social engineering attacks is not necessarily a reflection of being less tech-savvy. These attacks often rely on manipulation and deception, exploiting trust and authority rather than technical ignorance.
Remember, everyone is susceptible to social engineering — no matter how old you are or where you live.