Data breaches costing companies millions - could incident response help?
Wed, 5th Aug 2020

On average, data breaches cost companies $3.86 million per breach, with compromised employee accounts the most expensive root cause.

On top of this, approximately 80% of incidents result in the exposure of customers' personally identifiable information (PII). Of all the types of data exposed in these breaches, customer PII was also the costliest for the businesses studied.

This is according to a new global study from IBM Security conducted by the Ponemon Institute, the 2020 Cost of a Data Breach report, which is based on in-depth interviews with more than 3,200 security professionals in organisations that experienced a data breach over the past year.

As companies are increasingly accessing sensitive data via new remote work and cloud-based business operations, the report sheds light on the financial losses that organisations can suffer if this data is compromised.

A separate IBM study found that more than half of surveyed employees new to working from home due to the pandemic have not been provided with new guidelines on how to handle customer PII, despite the changing risk models associated with this shift.

Key findings include how smart technology can help reduce breach costs, attackers' entry point of choice, the fallout of state sponsored attacks and more.

Stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies in the report, representing nearly 40% of malicious incidents.

Companies struggling with security complexity are likely contributing to cloud misconfigurations becoming a growing security challenge, the company states.

The 2020 report revealed that attackers used cloud misconfigurations to breach networks nearly 20% of the time, increasing breach costs by more than half a million dollars to $4.41 million on average, making it the third most expensive initial infection vector examined in the report.

Breaches wherein over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost studied companies $364 million on average, a cost increase of $19 million compared to the 2019 report.

In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, studied businesses saw nearly $1 million higher data breach costs compared to the global average, reaching $4.77 million per data breach.

Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.

According to IBM, with more than 8.5 billion records exposed in 2019, and attackers using previously exposed emails and passwords in one out of five breaches studied, businesses should rethink their security strategy by adopting a zero-trust approach, re-examining how they authenticate users and the extent of access users are granted.

The IBM Security report revealed that nation state attacks were the most damaging breaches, when compared to other threat actors.

State-sponsored attacks averaged $4.43 million in data breach costs, surpassing both financially motivated cybercriminals and hacktivists.

The highly tactical nature, longevity and stealth maneuvers of state-backed attacks, as well as the high value data targeted, often result in a more extensive compromise of victim environments, increasing breach costs to an average of $4.43 million, IBM states.

Considering the role of smart technology, the report found that companies that had fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs of those that didn't have these tools.

The report highlights the growing divide in breach costs between businesses implementing advanced security technologies and those lagging behind, revealing a cost-saving difference of $3.58 million for studied companies with fully deployed security automation versus those that have yet to deploy this type of technology.

The cost gap has grown by $2 million, from a difference of $1.55 million in 2018. Companies in the study with fully deployed security automation also reported a significantly shorter response time to breaches, another key factor shown to reduce breach costs in the analysis.

The report found that AI, machine learning, analytics and other forms of security automation enabled companies to respond to breaches over 27% faster on average than companies that have yet to deploy security automation; the latter require on average 74 additional days to identify and contain a breach.

Incident response (IR) preparedness also continues to heavily influence the financial aftermath of a breach.

According to the report, companies with neither an IR team nor testing of IR plans experience $5.29 million in average breach costs, whereas companies that have both an IR team and use tabletop exercises or simulations to test IR plans experience $2 million less in breach costs, reaffirming that preparedness and readiness yield a significant ROI in cybersecurity.

This year's report also found that remote work will have a cost. With hybrid work models creating less controlled environments, the report found that 70% of companies that adopted telework amid the pandemic expect it will exacerbate data breach costs.

Furthermore, 46% of respondents said the CISO/CSO is ultimately held responsible for the breach, despite only 27% stating the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 cost savings versus the average cost of a breach.

The report also looked at cyber insurance, finding that breaches at organisations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million.

In fact, of these organisations that used their cyber insurance, 51% applied it to cover third-party consulting fees and legal services, while 36% of organisations used it for victim restitution costs. Only 10% used claims to cover the cost of ransomware or extortion.

IBM X-Force Threat Intelligence vice president Wendi Whitmore says, "When it comes to businesses' ability to mitigate the impact of a data breach, we're beginning to see a clear advantage held by companies that have invested in automated technologies.

"At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry's talent shortage persists, teams can be overwhelmed securing more devices, systems and data.

"Security automation can help resolve this burden, not only supporting a faster breach response but a more cost-efficient one as well."