John Hanley of IBM Security shares 4 key findings from the highly acclaimed annual Cost of a Data Breach Report 2023
What is the IBM Cost of a Data Breach Report?
The IBM Cost of a Data Breach Report is an annual report that provides organizations with quantifiable information about the financial impacts of breaches. With this data, they can make data driven decisions about how they implement security in their organization.
The report is conducted by the Ponemon Institute and sponsored, analyzed, and published by IBM Security. In 2023, the 18th year the report was published, the report analyzed 553 breaches across 16 countries and 17 industries.
According to Etay Maor, Senior Director of Security Strategy at Cato Networks, "We tend to talk a lot about security issues and solutions. This report puts a number behind threats and solutions and provides a lot of information to support claims of how a threat actor, a solution or a process impacts you financially."
Key Finding #1: The average cost of a data breach reached a record high in 2023, but security investments at organizations are divided.
The average cost of data breaches has been rising almost steadily since 2017. In 2017, the average cost was "merely" $3.62M. In 2023, it reached an all-time high of $4.45M in 2023. In the past three years, average breach costs increased by 15%.
Drilling down into industry specifics reveals that the costliest breaches occur in healthcare ($10.93M), financial ($5.9M), pharmaceuticals ($4.82M), energy ($4.78M) and industrial ($4.73M).
The average cost of healthcare attacks is nearly double that of the subsequent industry. This is probably because the healthcare attack surface is enormous - healthcare organizations are highly focused on operational outcomes and - prioritize them over security, PHI data is very valuable to threat actors, and being heavily regulated, regulatory/compliance penalties may contribute to higher attack costs.
According to Maor, "Attacking healthcare organizations can also be a means to an end. An attacker might steal a victim's healthcare information and use it for identity fraud, to attack a bank or an insurance company, or for other causes."
From a geographical perspective, the costliest breaches occurred in the US ($9.48M), the Middle East ($8.07M) and Canada (($5.13M). In most cases, threat actors pursue wealthy regions, which is why most target countries have high GDPs.
IBM Security also cross-referenced the average cost and the frequency of breaches (by the initial attack vector). A few interesting insights include:
- Phishing is the most common way for threat actors to breach organizations, and they are also the second most costly breach for organizations ($4.76M).
- Stolen or compromised credentials are also commonly used and are fairly costly ($4.62M).
- Malicious insiders are a fairly less common attack vector. However, they are the costliest breach ($4.9M).
Maor adds, "Many of these attack vectors can be easily mitigated with a zero trust approach. Most users do not need excessive permissions like admin access or access to customer data."
Yet, when organizations were asked if they would increase their security investment following a breach, only 51% replied that they would. To resolve this gap, it's important for security professionals to leverage data, like the IBM Security report, to help quantify and communicate the benefit of security to senior-level executives and to the board.
Out of the 51% who said they would increase their security spending, 50% would invest in incident response planning and testing, 46% in employee training and 38% in threat detection and response technologies.
Etay Maor adds, "Incident response planning and testing is a valuable security endeavor. There's a big difference between how companies envision their response versus what happens when you actually try to play it. It has to be practiced. Doing so saves time and costs."
Key Finding #2: Using a DevSecOps approach, deploying incident response teams and using security and AI automation - produced large savings
IBM Security found that the use of security AI and automation has a direct impact on the average cost of a data breach. Organizations that extensively invested in and deployed AI and automation in their environment and organizations saved an average of $1.76M per breach compared to organizations that did not use AI and automation at all. They also saved 108 days in breach response time.
Organizations using high levels of a DevSecOps approach or incident response planning and testing saved millions of dollars compared to those that used low levels or none at all:
- $1.68M saved for organizations that used a DevSecOps approach
- $1.49M saved for organization with an incident response team and regular testing
Key Finding #3: Costs were highest and breaches took longer to contain when breached data was stored across multiple environments.
39% of the breached data was stored across multiple types of environments: public, private, hybrid clouds, or even on-premises. The breach costs were also higher for this data by $750,000.
In addition, the time to contain the breach was also the highest for this data, reaching 291 days. This is 15 days longer than the overall average.
This is not saying the cloud is more insecure. But it is more complicated, and it is new. This is why DevSecOps and building security into the earliest phases of architecture development are important.
Key Finding #4: Detecting the breach with internal security teams and involving law enforcement led to savings
Organizations that identified the breach on their own were able to contain it faster than if a benign third party or the attacker themselves identifies the breach - 241 days vs. 273 by a third party and 320 by the attacker.
The average costs were also lower, $4.3M when the organization identified the breach vs. $4.68M by a benign third party and $5.23M by an attacker. There is a very tight correlation between the amount of time it takes and the amount of money it's going to cost the organization.
When law enforcement authorities were involved in identification and mitigation, the average cost and the time to identify and contain the breach were significantly reduced. The cost was $4.64M when they were involved vs. $5.11M when they weren't. In addition, the breach was contained in 276 days, rather than 306.
There is another reason organizations should involve law enforcement when they are attacked. The FBI and other law enforcement organizations around the world are also empowered to take action against these threat actors, which individual companies and individual citizens are not .
Recommendations
Bottom line, what are the next steps all organizations should take based on the results of this report? The main recommendations are:
Build security into every stage of software and hardware development and test regularly:
- Employ a DevSecOps approach
- Adopt secure by design and secure by default principles during the initial design phase
- Apply the same principles to cloud environments
- Conduct application testing or pen testing
Protect data across hybrid cloud environments:
- Gain visibility and control over data in hybrid cloud environments
- Protect data as it moves between databases, applications and services
- Utilize data activity monitoring solutions
Use security AI and automation to increase speed and accuracy:
- Embed AI and automation throughout security tool sets to enhance threat detection, response and investigation.
- Use mature AI technologies
- Integrate core security technologies for seamless workflows and shared insights, using threat intelligence reports for pattern recognition and threat visibility.
Strengthen resiliency by knowing your attack surface and practicing incident response:
- Understand your industry and organization's exposure to relevant attacks
- Use ASM tools or adversary simulation techniques for an attacker-informed perspective on risk profile and vulnerabilities
- Establish a team well-versed in IR protocols and tools
- Develop IR plans, conduct regular testing, and consider having an IR vendor on retainer for quicker breach response