Middle East Data Breach Costs Rise to SAR 32.80 Million
IBM’s 2024 Cost of a Data Breach Report shows the average cost for businesses in the Middle East has risen to SAR 32.80 million, up nearly 10% from SAR 29.90 million in 2023. The main factors driving these costs are shortages in security skills, non-compliance with regulations, and complex security systems.
Lost business, detection and escalation, post-breach customer response, and notification costs also drove the year-over-year cost spike in the region, as the collateral damage from data breaches has only intensified. In line with 2023 trends, lost business costs (operational downtime, lost customers, and reputation damage, among others) continued to top the list, reaching an average of SAR 12.84 million per breach in 2024, up from SAR 10.02 million last year. This was followed by post-breach customer response costs at SAR 9.01 million in 2024, compared to SAR 8.86 million in 2023; detection and escalation costs at SAR 8.42 million, up from SAR 8.36 million; and notification costs at SAR 2.53 million, rising from SAR 2.36 million last year.
The 2024 report highlighted that energy sector participants experienced the costliest breaches across industries, at SAR 36.90 million on average per breach. The region’s financial industry ranked second, with an average cost of SAR 35.81 million per breach, while the industrial sector came in third place at SAR 34.52 million.
“The alarming and continued escalation of data breach costs in the Middle East highlights the urgent need for advanced cybersecurity measures. As technology evolves and becomes more complex, cyberthreats and data breaches also grow more sophisticated. Now more than ever, it is imperative to adopt AI-driven technologies, address security staff shortage concerns, and reinforce regulatory compliance. These actions are essential for businesses to mitigate risks and the rising costs of data breaches, thereby protecting organizations and customers,” said Santhosh Koratt, MEA Cybersecurity Services Leader at IBM.
Other key findings in the 2024 IBM report for the Middle East include:
- Security staff shortage – When analyzing the costs for local organizations, the report found that the shortage of security skills increases the average data breach cost by SAR 1.62 million. This highlights the pressing need for businesses to bridge the gap.
- Lack of compliance and complexity – Another factor identified was non-compliance with regulations, which contributed to data breaches costing businesses an average of SAR 1.25 million more. The third factor was the complexity of security systems, which cost an average of SAR 975K.
- Main initial attack vectors – At 19%, stolen or compromised credentials were the most common initial attack vector and represented an average cost of SAR 33.60 million per breach. This was followed by attacks using a zero-day vulnerability at 16% (SAR 32.31 million). In third place were phishing (SAR 34.75 million), business email compromise (SAR 32.15 million) and cloud misconfiguration (SAR 30.62 million), accounting for 10% of incidents each. Social engineering, in fourth place, had an average cost of SAR 36.05 million and was involved in 8% of breaches studied.
- Data breach and storage – The 2024 report stated that breaches involving data stored across multiple environments had an average cost of SAR 34.23 million, while breaches in the public cloud cost an average of SAR 35.92 million, with each type accounting for 31% of the incidents. These were followed by private cloud, at an average of SAR 30.66 million, and on-premises at SAR 27.36 million per breach, each accounting for 19% of incidents. This emphasizes the significant financial impact of breaches on organizations and underscores the need for enhanced security measures to protect sensitive information across multiple environments.
- Impact of leveraging security AI and automation – Organizations in the Middle East that extensively deployed security AI and automation experienced lower data breach costs, with an average cost of SAR 26.54 million, compared to SAR 38.85 million for those that did not. These technologies also shorten the data breach lifecycle. Organizations that extensively used security AI and automation had an average time of 198 days to identify a breach and 57 days to contain it. In contrast, organizations that did not deploy these technologies had an average time of 294 days to identify a breach and 78 days to contain it.