The IBM Cost of a Data Breach 2023 report also highlights the consequences to smaller organisations as they face considerably higher data breach costs
AJ Thompson, CCO, Northdoor plc
IBM’s Cost of a Data Breach report has highlighted the increasing cost for companies that suffer a data breach. The report found that the average cost of a data breach is now at an all-time high of $4.45 million. This represents an increase from last year, up 2.3 percent and a mammoth 15.3 percent from the 2020 report.
The report also highlighted that it is not just big business that is targeted by cyber criminals. All businesses no matter their size or market need to fully understand the threat they are facing and where vulnerabilities within their defences lie.
Smaller organisations hit by considerably higher data breach costs
The report found that in 2023 companies with more than 5,000 employees saw the average cost of a data breach actually decrease compared to last year. There might be a number of factors influencing this decrease, but certainly we have seen large organisations increase their spend on cyber defences over the past few months.
However, smaller organisations, who might have paused or not increased spending on cyber defences in light of the uncertain economy have been hit by considerably higher data breach costs compared to 2022. Organisations with fewer than 500 employees saw average impact of a data breach increase from $2.92 million to $3.31 million or 13.4 percent.
Those with 500-1000 employees saw an increase of 21.4 percent, from $2.71 million to $3.29 million and those in the 1001-5000 employee range saw the average cost of a data breach increase from $4.06 million to $4.87 million, a rise of nearly 20 percent.
Still, too often, small businesses presume that they are not targeted by cyber criminals and that it is only enterprise level organisations under threat of being hacked. As the report confirms, this is not the case. All businesses, no matter their size or market have data that is potentially hugely valuable to cyber criminals and so by ignoring the threat, smaller businesses are putting themselves at risk.
The cost of a data breach for the smallest companies, of on average, $3.31 million is huge and is more than enough to put them out of business. Therefore, instead of ‘saving’ money by not investing in cyber defences, all companies need to address the increasing threat from cyber criminals and ensure that their defences are able to keep them out and keep data safe.
The cost of a breach inevitably trickles down to the consumer too. The report found that most organisations continue to increase the price of services and goods as a result of a data breach. 57 percent of respondents indicated that data breaches led directly to an increase in business offerings, passing on the cost to consumers.
Phishing and stolen or compromised credentials responsible for majority of attacks
The report also found that phishing and stolen or compromised credentials were the two most common initial attack vectors (the way for the attacker to enter a network or system). We have seen cyber criminals use increasingly sophisticated phishing attacks to target employees, which are often considered the ‘weakest link’ in the security defences of a company. This is reflected in the report with phishing attacks responsible for 16 percent of breaches and stolen or compromised credentials responsible for 15 percent.
These were followed by cloud misconfiguration at 11 percent, followed by business email compromised at 9 percent.
Companies, therefore, have to ensure that the weakest link in their security defences is strengthened considerably. The nature of the most recent phishing attacks means that employees have very little chance of being to filter out legitimate messages and malicious emails and need help in doing so.
Encouragingly, the report suggests that businesses are doing exactly this.
Majority of companies planning to increase security investments
51 percent of businesses were planning to increase security investments because of a data breach. At a time where budgets are already stretched this is a really encouraging sign that companies are taking the threat, and consequences, of a cyber attack seriously.
It is further encouraging where businesses are looking to spend the increased investment. The report found that incident response (IR) planning and testing, threat detection and response technologies were investment priorities, as was employee training.
The latter is particularly significant given that phishing attacks are the most common way cyber criminals gain access to systems or network. Careful education of employees on what the threat looks like and how to deal with suspicious communication will be key in strengthening this ‘weakest’ element of cyber defence. There has to be a balance though. Too many messages can cause ‘security fatigue’ where employees, inundated with warnings, end up taking little notice of any of the messages, allowing malicious approaches to get through. Targeted, timely, education is the key.
AI and automation save time and money
The use of AI and automation solutions have had, according to the report, a real impact for businesses who use such solutions extensively within their defences. On average those companies with such solutions in place were able to identify and contain a breach 108-days shorter than those without. These companies also reported a $1.76 million lower data breach cost compared to organisations that didn’t have such capabilities.
The time to identify the fact that a company has been breached is particularly significant. The recent hack of the elections watchdog highlights this. Not only were the details of tens of millions of voters potentially compromised it appears that the cyber criminals may have been in the system of the watchdog for some time, before being discovered.
According to reports the attack was identified in October 2022, but the hackers had first been able to gain access to the commission’s systems in August 2021. This is a large amount of time for a cyber criminal to have, essentially, free reign, over systems and data. It gives them the time to understand where the most valuable data is stored and cause untold amounts of subtle damage all whilst the organisations is blissfully unaware of their presence.
The use of AI and automation solutions, as highlighted in IBM’s Cost of a Data Breach report, has shown a significant reduction in the amount of time to discover a breach. Getting cyber criminals out of a system quickly reduces damage and potential cost. Therefore, any upfront investment in such technology can quickly show ROI.
Whilst the report’s headlines will be focused on the ever-increasing cost of a data breach for most companies, there are, as has been discussed, a number of real positives. It seems that companies are recognising the real threat of cyber crime on their business and are willing to spend budget in order to close vulnerabilities and keep the criminal out. Ignoring the threat and ‘saving’ money by not investing in cyber defences is no longer an option.
Cyber criminals are not going away and are only going to be increasing the number and level of sophistication of their attacks. Businesses must address the weak points of their defences, whether that be employees or vulnerabilities within their existing cyber solutions, or be prepared to pay a huge cost and possible loss of their business if they are hacked.