
The real cost of a data breach (according to IBM)

Orani Amroussi | August 11, 2022

What’s the real cost of a data breach?

Cyber security is a game of cat and mouse. Security practitioners and threat actors work to outrun each other, with the ultimate goal of securing – or accessing – critical data. And because so much work goes into protecting assets, practitioners are often stuck in the trenches, fending off the latest attack. 

But zoom out a little, and we can start to see some alarming trends about the state of data breaches today. According to a new report from IBM, the cost of a data breach in 2022 is a record $4.35 million per incident, up 2.6% from last year. 

Among the costs incurred, ransoms, lost sales, and regulatory fines all provide the basis for IBM’s estimates. And around half of these costs occur more than a year after the actual breach. To offset the impact of these expenses, 60% of affected organizations pass on the cost to their customers, increasing the prices of their services. 

The report also provides some valuable insight into the causes and ramifications behind these breaches:

  • Trust in zero trust – or pay the price
    • The majority of the organizations studied don’t adopt zero trust strategies, and the results are clear, with average breach costs rising to $5.4 million, a $1.17 million increase compared to companies that do. Moreover, 28% of these breaches were ransomware or destructive attacks. 
  • The cost of cooperation
    • Faced with ransomware attacks, the temptation is to pay up to avoid expensive breaches. But, according to the report, ransomware victims that chose to meet the demands of threat actors weren’t let off much easier than those that didn’t: their breach costs were only $610,000 lower. Once the cost of the ransom payment itself is factored in, the total financial outlay may be even higher, indicating that cooperating with your threat actor may not be the optimal course of action. 
  • Cloud security still in its infancy
    • Organizations are lining up to take advantage of the efficient solutions offered by cloud service providers. But as cloud adoption continues to grow, so must the attention to cloud security. The reality, however, is that 43% of surveyed organizations are only in the early stages of applying security practices to their cloud workflows – or haven’t started at all. The result? $660,000 on average in higher breach costs than organizations with advanced security implemented in their cloud environments. 
  • Security AI and automation save millions
    • Organizations quick to adopt AI and automation are reaping the benefits. Companies participating in this report that are fully deploying these technologies have seen $3.05 million less on average in breach costs, compared to organizations that aren’t.

Threat actors are opportunists. They seek easy wins and open goals to maximize the damage they can cause, and the money they can make. As they get smarter at identifying these opportunities, organizations must grow more vigilant, taking proactive steps to deflect attention away from themselves as easy targets. 

When faced with a breach, the instinct might be to panic, but it’s important to recognize that these attacks often come not from particularly sophisticated hacking, but from straightforward exploits of easy-to-address vulnerabilities. And of those threats, only some will represent a significant impact to an organization – contextual prioritization of vulnerabilities from the outset is key.

But IT security teams are often under-resourced, siloed, and drowning in a mass of unfiltered information across network, cloud, and application attack surfaces. They have the vulnerability data, but cannot make sense of it fast enough to do anything about it. Attackers know this, and take advantage.  

These breaches can be avoided – or at least their impact reduced – with a clear cyber risk management strategy. Identifying the risk that matters most to an organization, and taking the actions needed to communicate and collaborate towards mitigating that risk, should be an effort that is shared across an organization – from the board level down.