IBM's 2023 installment of their annual "Cost of a Breach" report has thrown up some interesting trends. Of course, breaches being costly is no longer news at this stage! What's interesting is the difference in how organizations respond to threats and which technologies are helping reduce the costs associated with every IT team's nightmare scenario.
The average cost of a breach rose once again to $4.45 million, increasing 15% over the last three years. Costs associated with escalation and detection have rocketed up 42% during the same period. With that in mind, I was surprised to learn that only 51% of the breached entities surveyed by IBM decided to bolster their security investments, despite the rising financial consequences of dealing with a breach.
Headline stats around breach costs are interesting – but can digging into these trends actually help you save money? Organizations want to know where to invest their security budget and which technologies offer the best bang for their buck. Thankfully, there's plenty of data to dig into from the report that can help. I can't make any promises regarding your bottom line, but I can offer some opinions on where I see risk reduction and potential cost savings in the event of a breach.
Consider your industry-specific risk
For the twelfth year running, healthcare is the industry most impacted by data breaches. Healthcare organizations suffered an average loss of $10.93 million, almost twice as much as the second most impacted industry (Finance with an average of $5.9 million). It was also interesting to see a rise in impacts for the energy and manufacturing industries. Another point to note is it's not just industry giants being impacted – organizations with fewer than 500 employees suffered higher average data breach costs in 2023 ($3.31 million) than the previous two years ($2.92 and $2.95).
Cybercriminals don't target businesses at random. They know which industries deal with sensitive data and which are seeing record rises in profits. They'll also consider an organization's size and how strong their cyber defenses are likely to be. It's important to think about your organization from the point of view of a hacker – consider what they want to get their hands on and how hard it would be.
Take healthcare organizations for example: can you trust the systems protecting your customer's health data? Do you have strong, effective access security that keeps credentials out of the hands of cybercriminals? Penetration testing and red teaming might throw up some valuable information about vulnerabilities you suspected were there – as well as those you're unaware of.
Detecting stolen credentials fast is vital
Even if you have an effective password policy, it's important to be prepared for employee passwords to be stolen – even strong passphrases. Phishing (16%) and stolen credentials (15%) are still the most common initial attack vectors. They also ranked among the top four costliest incident types ($4.76 million and $4.62 million) along with malicious insiders (at 6% but costing an average of $4.9 million) and business email compromise (at 9% with an average cost of $4.67 million).
Compulsory security awareness training can help adapt the behavior of users to be more cyber aware and thwart some phishing attacks. Strong multi-factor authentication MFA can also limit the impact of stolen credentials in cases where only the password has been compromised. However, end users will never spot every phishing attack – and MFA is far from bulletproof. So how can you tell if employee credentials have been compromised, despite these precautions?
Integrating a third-party tool into your Active Directory can give you added control and visibility. For example, Specops Password Policy comes with a Breached Password Protection feature that continuously scans for compromised passwords. End users are instantly notified by email or SMS if their password is discovered to be on our (ever growing) list of over 3 billion unique compromised passwords. If you're interested in starting, there's more on detecting breached credentials here.
Rapid incident response saves serious money
The report shows that there hasn't been must progress in the speed of detecting breaches, with the average organization still taking over 200 days. This also demonstrates that the tactic of breaching and then moving laterally across the network is still very much standard operating procedure for threat actors. After discovery, fixing the problem is still taking more than 70+ days, so more effort needs to be made in the disaster recovery and contingency planning areas.
This means that we still need to improve detection of threats and strengthen our internal network controls, not just the perimeter. The report showed that only one in three breaches (33%) had been detected by the organization's internal security teams or tools. Results also showed 27% of breaches were disclosed by the attackers themselves, while 40% were found by third parties such as law enforcement.
There's a clear benefit to detecting breaches earlier. Companies that discovered a compromise within 200 days lost $3.93 million compared to companies that identified the issue after 200 days ($4.95 million). Thankfully, there are tools available to help. The report showed Threat Intelligence users saved a significant amount of time uncovering a breach – on average 4 weeks less than those who didn't use it. And organizations with a well-designed incident response plan reduced data breach damage costs by 61%, paying $2.66 million less than the global average. Learn how to maximize your incident response through Threat Intelligence.
Understanding your attack surface is more key than ever
IBM's report found that 82% of breached data was stored in the cloud compared to only 18% on prem. Additionally, 39% of breaches spanned multiple cloud environments (including public and private clouds), leading to a higher-than-average breach cost of $4.75 million. Misconfigured cloud configuration and both known and unknown (zero day) vulnerabilities were also prevalent among the surveyed organizations.
Although cloud is more flexible, scalable, and better suited to distributed workforces, this data does highlight the fact it gives businesses a larger attack surface to protect. Attackers have also been taking advantage of the lack of visibility between organizations and their suppliers. Data breaches originating from supply chain attacks counted for 12% of all breaches, with attacks taking longer than average to detect (294 days).
However, it's not all bad news, as cybersecurity tools once again exist to support. Organizations employing External Attack Surface Management (EASM) saw a 25% reduction in the amount of time to identify and contain a data breach (254 days with EASM versus 337 days without ASM). The data also showed organizations pursuing risk-based vulnerability management rather than CVE-only saw significantly reduced data breach costs (18.3% less). Find out more about how EASM and risk-based vulnerability management could boost your cyber resilience.
Our 2023 Cost of a Breach takeaway
The takeaway of IBM's 2023 Cost of a Breach report is clear: organizations with an understanding of where their vulnerabilities lie, accurate views of their attack surface, an effective incident response plan, and tools for dealing with compromised credentials will suffer fewer breaches. And if the worst-case scenario does occur, they are better prepared to remediate and will take a smaller hit to their bottom line.