- The average data breach in the higher education and training sector cost $3.7 million in 2023, according to an annual report from IBM.
- This marks a decline from 2022, when the average cost of a data breach for the higher education sector reached $3.9 million. IBM includes public and private colleges, as well as training and development companies in its count.
- The higher education sector had the 11th highest data breach costs out of 17 sectors IBM tracked. In contrast, the healthcare, financial and pharmaceutical industries were at the top end, with average costs of breaches ranging from $4.8 million to $10.9 million.
IBM conducts a survey each year to assess how much data breaches cost organizations. This year, researchers studied 553 organizations in 16 countries and regions that fell victim to cyberattacks between March 2022 and March 2023.
The survey found that data breaches at higher education institutions typically cost less than the $4.5 million average reported across all industries in 2023. That represents a sectorwide increase of 2.3% over the year before and a 15.3% surge since 2020.
Still, the education sector is a frequent target.
Most recently, the mass attack of MOVEit, a widely used service to transfer large data files, ensnared colleges and higher education-related organizations.
That included the National Student Clearinghouse, which collects student data from thousands of colleges, and TIAA, a retirement services giant frequently used by academics and educators.
Between those two organizations, it’s possible that the MOVEit breach may impact the majority of U.S. colleges, Brett Callow, a threat analyst at cybersecurity firm Emsisoft, recently told Higher Ed Dive.
IBM warned organizations of several common pitfalls when handling data breaches. For example, two-thirds of breaches were reported by third parties or the hackers themselves.
When attackers notified organizations of the breach, it typically cost almost $1 million more than when breaches were internally detected, according to the report. For instance, 27% of breaches were disclosed by ransomware attackers.
In these cases, cybercriminals demand organizations pay a ransom to regain access to their data. The average ransomware attack cost organizations $5.1 million.
Breaches were typically more costly when organizations didn’t involve law enforcement, to the tune of another $470,000 on average.
It also matters how quickly breaches can be resolved. Those that are identified and contained in under 200 days cost organizations an average of $3.9 million, compared to nearly $5 million for those that took longer to handle.