IBM Report: Data Breach Costs Soar to All-Time High, Impacting Consumer Costs
The financial ramifications linger long after a breach has occurred.
![data breach data breach](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltfb3e7e848bdd3e7b/65241dd548f7a7977716f0e6/2-Data-Breach.jpg?width=700&auto=webp&quality=80&disable=upscale)
Almost 80% of critical infrastructure organizations studied don’t adopt zero trust strategies, with average breach costs rising to $5.4 million. That’s a $1.17 million increase compared to those that do. All while 28% of breaches among these organizations were ransomware or destructive attacks.
“Zero-trust strategies are meant to make it harder for attackers to move laterally through the network and meet their objectives,” said IBM Security’s Limor Kessem. “It minimizes the reach into additional parts of the network and reduces blast radius. This essentially widens the window of opportunity for defenders to identify the attacker on the network before it’s too late.”
Tim Mackey is principal security strategist at Synopsys Cybersecurity Research Center.
“Critical infrastructure is particularly attractive to attackers who believe that their victims will believe the shortest path to restored operations involves payment of a ransom,” he said. “While zero-trust technologies offer significant promise, the reality is that critical infrastructure systems have a significantly longer life span than most other software. Overlaying a relatively new paradigm on top of what might arguably be a legacy architecture may not always be feasible. This is where continuous monitoring for abnormal events identified based on comprehensive threat models can help, as can the creation of incident response plans that are also informed by those same threat models.”
Ransomware victims in the study that opted to pay threat actors’ ransom demands saw only $610,000 less in average breach costs compared to those that chose not to pay, not including the cost of the ransom. Factoring in the high cost of ransom payments, the financial toll may rise even higher, suggesting that simply paying the ransom may not be an effective strategy.
“When you make the choice to pay a ransom, you are not only funding the next big problem, a future cyberattack, but you are also showing the cybercriminal ecosystem that you are willing to cooperate,” Kessem said. “That will immediately make a ransom-paying business an attractive target for a future attack. In fact, it’s not rare to see the same business hit twice/multiple times with ransomware due to this.”
When a ransomed organization pays for decryption, there is no actual guarantee its problem will immediately go away, and that’s if the attacker gives it the decryption key and that it will work, Kessem said.
“Even when all this goes well, the recovery process can be very lengthy, data can be corrupted and the recovery will have to come from backups either way,” she said. “Of course, there are cases where businesses are able to recover faster, case-specific, and some pay to prevent exposure of the data. But again, paying the ransom just funds a future attack, meaning that business will be repeating a cyber crisis all over again.”
Regulatory and legal costs are some of the long-tail expenses businesses may incur well after the breach has occurred, Kessem said.
“For example, having to compensate victims can easily cost hundreds of millions of dollars well after other, more direct breach costs have been addressed,” she said. “About 24% of the longer-term costs accumulate two years after the breach.”
Some 43% of studied organizations are in the early stages or have not started applying security practices across their cloud environments. They incurred more than $660,000 on average in higher breach costs than studied organizations with mature security across their cloud environments.
“The lack of cloud security maturity is also contributing to the 45% of breaches that occurred in the cloud,” Kessem said. “Cloud security enables more interoperability, greater visibility and speed for defenders to identify and respond to potential threats faster.”
Participating organizations fully deploying security artificial intelligence (AI) and automation incurred nearly $3.1 million less on average in breach costs compared to those that haven’t deployed the technology. That’s the biggest cost saver observed in the study.
Charles Henderson is global head of IBM Security X-Force.
“Businesses need to put their security defenses on the offense and beat attackers to the punch,” he said. “It’s time to stop the adversary from achieving their objectives and start to minimize the impact of attacks. The more businesses try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost-of-living increases. This report shows that the right strategies coupled with the right technologies can help make all the difference when businesses are attacked.”
For the 12th year in a row, health care participants saw the costliest breaches among industries. The average breach costs in health care increased by nearly $1 million to reach a record high of over $10 million.
Shawn Surber is vice president of solutions architecture and strategy at Tanium.
“Health care continues to suffer the greatest cost of breaches, but has among the lowest spend on cybersecurity of any industry, despite being deemed critical infrastructure,” he said. “The increased vulnerability of health care organizations to cyber threats can be traced to outdated IT systems, the lack of robust security controls, and insufficient IT staff, while valuable medical and health data — and the need to pay ransoms quickly to maintain access to that data — make health care targets popular and relatively easy to breach. Unlike other industries that can migrate data and sunset old systems, limited IT and security budgets at health care organizations make migration difficult and potentially expensive, particularly when an older system provides a small, but unique function or houses data necessary for compliance or research, but still doesn’t make the cut to transition to a newer system. Hackers know these weaknesses and exploit them. Additionally, health care organizations haven’t sufficiently updated their security strategies, and the tools … haven’t been robust enough to thwart the more sophisticated techniques of threat actors.”
Additional findings in the IBM report include:

- While compromised credentials continued to reign as the most common cause of a breach, phishing was the second and the costliest cause, leading to nearly $5 million in average breach costs for responding organizations.
- Sixty-two percent of studied organizations said they are not sufficiently staffed to meet their security needs, averaging $550,000 more in breach costs than those that state they are sufficiently staffed.
The IBM report does include some encouraging signs, Kessem said.
“We’re seeing more businesses deploy security AI and automation, which proved to be the biggest cost-saver of the report,” she said. “We’re also seeing zero trust gain ground compared to the 2021 report, when 35% said they had partially or fully deployed a zero-trust architecture. We observed a $1 million cost difference between organizations that deploy (41%) and don’t deploy (59%) zero trust.”
Hank Schless is senior manager of security solutions at Lookout.
“The value of sensitive data is increasing, and as a byproduct of that, the long-term damage to a company that experiences a breach is getting ever more costly,” he said. “The numbers found in this report should be a wake-up call to anyone who thinks data security and infrastructure integrity can take a back seat to other priorities.”
Schless said it’s important to think about the challenges of zero trust in a realistic way.
“For example, you can approach access control with the mindset that just because a user has the right username and password doesn’t necessarily mean it’s the actual user,” he said. “Approaching it this way will help you think about how to implement and evolve a context-aware approach to access that could combine multifactor authentication (MFA) with a continuous evaluation of user risk.”
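The access-control mindset Schless describes, a correct password treated as one signal rather than proof of identity, combined with MFA and a continuously re-evaluated risk score, can be sketched as a small policy engine. The code below is an added illustration written for this article; it is not code from IBM, Lookout or the report, and every signal name, weight and threshold in it is an assumption chosen for the example.

```python
"""Context-aware access decision: an added illustration of combining MFA with
continuous user-risk evaluation. Signal names, weights and thresholds are
assumptions for this example, not a published standard."""
from dataclasses import dataclass
from typing import List

# Assumed policy constants.
MFA_FRESH_MINUTES = 15   # a strong factor older than this no longer counts as "fresh"
STEP_UP_THRESHOLD = 20   # at this risk level, require a fresh factor before granting access
DENY_THRESHOLD = 50      # at this risk level, deny regardless of MFA


@dataclass
class AccessContext:
    """Signals available at login and re-collected at each later checkpoint."""
    password_ok: bool
    mfa_verified: bool         # user has completed MFA at some point in this session
    known_device: bool         # device has been seen for this user before
    new_country: bool          # login country differs from the user's recent history
    impossible_travel: bool    # two sessions too far apart geographically in too little time
    minutes_since_mfa: int     # age of the last strong authentication in this session


def risk_score(ctx: AccessContext) -> int:
    """Sum weighted risk signals. Weights are illustrative assumptions."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.new_country:
        score += 20
    if ctx.impossible_travel:
        score += 50
    if ctx.minutes_since_mfa > 60:
        score += 15
    return score


def decide(ctx: AccessContext) -> str:
    """Return 'deny', 'step-up' (demand a fresh MFA factor) or 'allow'."""
    if not ctx.password_ok:
        return "deny"
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"                     # too risky even with MFA
    if not ctx.mfa_verified:
        return "step-up"                  # a password alone never grants access
    if score >= STEP_UP_THRESHOLD and ctx.minutes_since_mfa > MFA_FRESH_MINUTES:
        return "step-up"                  # elevated risk: the old factor is not enough
    return "allow"


def evaluate_session(checkpoints: List[AccessContext]) -> List[str]:
    """Continuous evaluation: re-run the decision at every checkpoint in a session.
    Once a checkpoint is denied, the session is treated as terminated."""
    decisions = []
    terminated = False
    for ctx in checkpoints:
        if terminated:
            decisions.append("deny")
            continue
        d = decide(ctx)
        if d == "deny":
            terminated = True
        decisions.append(d)
    return decisions


# Constructed sample session (not real data): a clean login, then a later request
# from a new country with a stale factor, then an impossible-travel signal.
SAMPLE_SESSION = [
    AccessContext(True, True, True, False, False, 5),    # login: fresh MFA, known device
    AccessContext(True, True, True, True, False, 90),    # 90 min later, new country
    AccessContext(True, True, True, True, True, 95),     # impossible travel detected
    AccessContext(True, True, True, False, False, 100),  # looks clean, but session is dead
]

if __name__ == "__main__":
    for ctx, d in zip(SAMPLE_SESSION, evaluate_session(SAMPLE_SESSION)):
        print(f"risk={risk_score(ctx):>3}  decision={d}")
```

The point of the `evaluate_session` loop is that the decision is not made once at login: the same policy runs again whenever the session's signals change, so a factor that was sufficient at minute five can be demanded again at minute ninety, and a strong signal such as impossible travel ends the session even though the password and earlier MFA were valid.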
The global average cost of a data breach has reached an all-time high of $4.35 million, according to an annual IBM report. This is likely contributing to the rising costs of goods and services.
The IBM report is based on analysis of real-world data breaches experienced by 550 organizations globally between March 2021 and March 2022. IBM Security sponsored and analyzed the research, which the Ponemon Institute conducted.
Data breach costs have increased nearly 13% over the last two years. In addition, 60% of studied organizations raised their product or services prices due to a breach, when costs already are soaring worldwide amid inflation and supply chain issues.
The IBM report found 83% of organizations in the study have had more than one data breach since opening. Another factor rising over time — the after-effects of breaches on these organizations. These effects linger long after they occur, as nearly one-half (50%) of breach costs are incurred more than a year after the breach.
Factors Influencing Rising Costs
Limor Kessem is IBM Security’s principal consultant of cyber crisis management. She said there are various factors influencing breach costs.
“The volume of cyberattacks is only increasing while the security industry continues to deal with a skills shortage,” she said. “There’s a finite number of incident response professionals available to respond to this growing number of attacks. So naturally many businesses aren’t able to contain and recover from these attacks fast enough. And the longer a breach life cycle lasts, the higher the costs and damages a business will incur.”
A lot of breaches occur in poorly secured clouds, where the scale of data is higher, Kessem said.
“The more records are lost in each case, the more costly the breach,” she said. “We also see this in third-party compromises, where one breach can impact a number of organizations. The other is that we’re seeing more ransomware and destructive attacks than before, which are much costlier to businesses due to the disruption and downtime that follows. Twenty-eight percent of breaches were caused due to one of these two forms of disruptive attacks.”