The threat of a data breach is always imminent in higher education, and a new analysis by IBM illustrates just how expensive one can be.
“The Cost of a Data Breach Report 2023” found that the average cost of a cybersecurity breach was $3.7 million at colleges or universities and related training and development companies between March 2022 and March 2023.
While the average is about $200,000 less than last year, IBM’s report illustrates how much more work needs to be done to protect postsecondary institutions. For example, only one-third of companies discovered the data breach internally. The other 67% of breaches were found by third-party entities, and, in some cases, the hackers themselves. It pays big to have a strong internal detection team: Organizations paid an average of $1 million more when attackers disclosed the breach.
Phishing was the most effective attack vector recorded by IBM, accounting for 16% of breaches and costing $4.76 million on average. It took an average of 293 days, or around 10 months, to identify and contain them. Similarly, the average cost of a ransomware attack increased by 13% this year to $5.13 million, and destructive attacks increased to $5.24 million, a 2.3% increase.
Out of the 17 industries IBM analyzed, the education industry (which is how it defined public or private colleges or universities and related companies) ranked 11th-highest in average breach cost. Healthcare, the most costly industry, came in at nearly $11 million per breach.
Impact on U.S. universities
While IBM examined industries across 16 different countries, U.S. companies comprised the highest proportion.
This report comes on the heels of a data breach at the Colorado Department of Higher Education, which has claimed the sensitive information of K12 school system students, public college and university attendees, state GED earners and others dating back to 2004.
Additionally, last month, a security vulnerability in MOVEit Transfer, a large data file transfer service, exposed millions of people’s sensitive data. Those affected range from students and faculty members at the University System of Georgia, Johns Hopkins University and Webster University to Trinity College, Middlebury College and St. Mary’s University.