What is the Potential Impact of a Data Breach?

CISOs and risk management leaders across the world are constantly trying to quantify the potential cost of inaction in their cybersecurity program. Businesses inherently understand the economic cost of not protecting themselves. They hear the anecdotal accounts of companies, such as Target, Equifax, and Home Depot, that have been hit with very public data breaches and have had their reputation and businesses impacted. In the end, even with this gut feeling urging them forward, they struggle to assess how much budget to invest in cybersecurity activities, as the tools and resources can be a significant budgetary line item.

Each year, IBM Security, in conjunction with the Ponemon Institute, conducts research studying hundreds of organizations around the world that have been impacted by data breaches. As part of this study, they focus on the true cost of a data breach to organizations: both the immediate costs and the prolonged long-term impacts associated with the data breach response.

In their 2022 study, they analyzed data from businesses in 17 countries and across 17 different industries that had experienced data breaches. They looked at the scope of the challenge, the reasons behind it, the financial impact of the data breaches, and the long-term impacts. They also analyzed what the data told them about the potentially beneficial impact of correctly deployed cybersecurity practices, principles, and technologies.


Scope

When looking at these data breaches, the first thing they looked at was who was getting hit and how. Their findings showed that:

  • 83% of organizations in the study reported more than one data breach.
  • With the increased utilization of cloud environments, both private and public, these platforms were frequently the target of data breaches and attacks. 45% of the breaches studied this year occurred in the cloud.
  • 19% of breaches were caused by stolen or compromised credentials.

It is clear that the problem is pervasive and that companies large and small are getting hit multiple times a year. With the move to the cloud, this is an increasingly vulnerable segment of a company's infrastructure and needs special care and attention. In addition to the technology, one of the challenges faced by cybersecurity teams is educating the workforce to ensure that their credentials are protected and not vulnerable to attacks, such as phishing, smishing, and vishing.


Reason

As they investigated the common root causes of the attacks, they found that a number of common patterns emerged. These include:

  • 79% of critical infrastructure organizations didn't deploy a zero-trust architecture.
  • 19% of breaches occurred because of a compromised business partner.
  • With the COVID pandemic, remote work continued to be a reality for many organizations. This opened up holes in the attack surface that created vulnerabilities to ransomware and destructive attacks.

In the past two years, the attack surface associated with businesses' networks has expanded. With the increased utilization of the cloud, remote work, and trusted partnerships, there are an increasing number of threat vectors. Companies are looking for new ways to protect themselves. Zero-trust architectures are increasing in popularity, but they take time and resources to implement, and many organizations are still working through the processes associated with getting them live and in production. New AI-powered security technologies are flooding the market as a mechanism to help increase protection, but they have to be installed, configured, and often trained to achieve their full potential. This takes time and scarce talent to accomplish before organizations reap the benefit of these new advanced tools.

Financial Impact

When these data breaches do occur, it is important to know what the financial impact is on the organization. These were their findings:

  • The average cost of a data breach was $4.35M USD. This represents a 2.6% increase from 2021 and a 12.7% increase from the 2020 report.
  • In organizations that manage critical infrastructure, that cost was $4.82M USD. Critical infrastructure is defined by them as businesses in financial services, industrial manufacturing, technology, energy, transportation, health care, education, and the public sector.
  • With relation to ransomware specifically, the average cost of a ransomware attack was $4.54M USD. This accounted for 11% of the overall data breaches.
  • For the twelfth straight year, healthcare organizations have had the highest average cost of a data breach. Since 2020, the average cost of a data breach for healthcare organizations is up 41.6% to $10.1M USD.
  • Out of all of the countries studied, the US had the highest average cost per data breach at $9.44M USD. Although not as expensive in terms of dollars, the country with the highest percentage increase over the past year was Brazil with a 27.8% increase in the average data breach cost.

It is clear that these data breaches are not trivial and have a significant impact on the organization's financial statement. Depending on the industry and the country where the business is located, the financial impact can be even larger. Putting aside the magnitude of the dollar costs, the year-over-year growth by percentage is an ominous predictive indicator of the future. This leads to the conclusion that delaying the implementation of cybersecurity controls will potentially have a larger impact tomorrow than it does today.

Business Impact

When a data breach occurs, there are significant impacts on the business. These impacts can be directly customer-facing or they can slow or halt business operations leading to organizational inefficiencies.

  • 60% of organizational data breaches led to increases in prices, which were passed on to consumers.
  • The average time for a business to identify, contain, and correct a data breach is at 277 days.

These impacts are not trivial and are long-lasting. The costs are often borne by the customers in the form of higher prices or impaired services. Business users are also often impacted by these data breaches as the process of identification and containment proceeds. This impairment of service can reduce the overall effectiveness and efficiency of the business in achieving its target goals and objectives.

Prevention

With all of these challenges and potential impacts, they found that a sound cybersecurity strategy that has been fully implemented is the key to reduced impact.

  • Organizations with fully deployed security AI and automation saved an average of $3.05M USD. This was evaluated as the reduced cost of data breaches for organizations with this infrastructure in place as opposed to those without it. The average cost for those without fully deployed security AI was $6.2M USD, and for those with such a solution it was $3.25M USD.
  • Organizations with fully deployed security AI also experienced a 74-day shorter time to identify and contain the breach, with a 249-day window compared to the 323-day window for those companies without a fully implemented security AI solution.
  • Organizations with an incident response (IR) team who regularly tested their IR plan led to a reduction of $2.66M USD in the average cost of their breaches.

Prevention goes well beyond buying and implementing technology. For it to be successful, it needs to permeate the organization. It starts with adequate funding and investment in the cybersecurity function, the application of solid practices and processes, and the implementation of modern tools and technologies. When these pieces of the cybersecurity strategy come together, the organization does not become completely impervious to cybersecurity attacks, but the costs and time associated with containment and correction are significantly decreased.

Final Thoughts

Cybersecurity professionals around the world are looking for ways to effectively secure funding so that they can implement the correct cybersecurity architecture. Although businesses hear anecdotal evidence telling them that cybersecurity is something they should pay attention to, having something more quantitative is often necessary to secure the funding to move forward. The Ponemon Institute and IBM Security have partnered to provide a set of definitive and compelling statistics to help cybersecurity teams as they build out and present their business cases.


———————————————————————————————————

https://www.ibm.com/reports/data-breach


Absolutely! Understanding costs is key to justifying the investment in cybersecurity. Remember, as Benjamin Franklin once said, "An ounce of prevention is worth a pound of cure." Strengthening your program now can save you countless headaches and expenses later on! Follow us!

Todd Trickel

Your best resource for your toughest security challenges! I can help alleviate your concerns.

1 year

Great article. I am glad you found Ponemon's article beneficial!
