The Cost of Data Breaches

The IBM Security “Cost of a Data Breach” report is out (https://www.ibm.com/security/digital-assets/cost-data-breach-report/), and it analyses the ever-increasing costs of data breaches. It is based on a survey of 524 organisations that suffered a data breach between August 2019 and April 2020, spanning 17 countries and regions and 17 industry sectors.

As previous research has shown, the industries which bear the highest costs are healthcare (an average of $7.13 million per breach) and energy ($6.39 million). Both are often seen as soft targets, and both hold large amounts of sensitive personally identifiable information (PII):

Ref: https://www.ibm.com/security/digital-assets/cost-data-breach-report/

The highest cost per record relates to customer PII, at $150 per record breached. As for the motives of threat actors, money remains the main driver: financially motivated attackers are behind the majority of malicious breaches, but a significant share is attributed to hacktivists and nation-states:

Ref: https://www.ibm.com/security/digital-assets/cost-data-breach-report/

On the cost-mitigating side, the largest savings are associated with Incident Response (IR) testing, business continuity planning and implementation, having a dedicated IR team, an AI platform, extensive use of encryption, security analytics, and red team testing:

Ref: https://www.ibm.com/security/digital-assets/cost-data-breach-report/

The factors that increase costs are cloud migration, a shortage of security skills and complex security systems. When it comes to who is held responsible for a data breach, the CISO/CSO comes out in front, while for technical responsibility the CIO/CTO is the role most often named:

Ref: https://www.ibm.com/security/digital-assets/cost-data-breach-report/

It is interesting that the board of directors is seen as bearing very little responsibility for a breach, while still having some influence in decision making.

So, with all this investment in security, is the time to detect and contain a data breach falling? Not according to this survey: the average time to identify a breach is 207 days, with a further 73 days to contain it, a total breach lifecycle of 280 days:

Ref: https://www.ibm.com/security/digital-assets/cost-data-breach-report/

The average cost saving when a breach lifecycle is kept under 200 days is estimated at around $1 million. Two entry points stand out for threat actors: compromised credentials and cloud misconfiguration, each of which accounts for nearly one-fifth of all malicious breaches. The average estimated saving for organisations with fully deployed security automation is $3.8 million, and $2 million for those with an Incident Response (IR) team and a tested IR plan.

So, in the COVID-19 era, is the time to detect and contain a data breach rising or falling? The vast majority of companies in the survey say that it is taking longer:

Ref: https://www.ibm.com/security/digital-assets/cost-data-breach-report/

And that the cost of dealing with a breach has increased:

Ref: https://www.ibm.com/security/digital-assets/cost-data-breach-report/

Conclusions

The true cost of a data breach is much more than the cost of containing it. As the case of Travelex shows, it can push a company over the edge and inflict significant damage on a brand. It can also affect staff morale, lead to the loss of key staff, and make recruiting harder.

While one can dispute whether the figures in the IBM report reflect real costs, they give some good pointers to the areas in which companies need to invest. For small companies, the evidence on incident response, red teaming, encryption and security training provides a useful basis for making the case for investment to the board.