Prevent data breaches by understanding their cost to your organization


According to the latest IBM 2023 Cost of a Data Breach report, the average cost of a data breach hit an all-time high of $4.45 million in 2023. This is a 2.3% increase over the previous record of $4.35 million in 2022. Over the longer term, the average cost has risen 15.3% from $3.86 million in 2020. A sum of that size could prove disastrous for any organization, let alone small and medium-sized businesses.

However, it is essential to note that there are certain factors that contribute either to the increase or to the reduction of data breach costs. Understanding how these costs fluctuate is critical to building an effective prevention strategy. Let’s examine these factors closely.

How data breaches happen

According to the Verizon 2023 Data Breach Investigations Report, financially motivated external threat actors are responsible for 83% of data breaches, leaving the remaining 17% to internal actors. It is worth remembering that ‘internal actors’ are not only those who cause intentional harm; they are just as likely to be responsible for negligent, unintentional errors.

The top two most common root causes for data breaches are compromised credentials and phishing attacks. According to the IBM report, these two initial attack vectors are followed by cloud misconfiguration and business email compromise (BEC) attacks. However, it is worth noting that the costliest attack vector is the malicious insider ($4.90 million), followed by phishing and BEC attacks.

When attackers manage to bypass the organization’s defenses, personally identifiable information (PII) or simply personal data are their favorite assets to steal or compromise. Both reports from Verizon and IBM are unanimous in this finding.

Finally, according to the Verizon analysis, email is the main method criminals use to attack a company’s systems with malware, including ransomware. The VIPRE report, Email Security in 2023, highlights that 90% of the researched emails were spam, including benign commercial messages and malevolent phishing emails. Phishing emails accounted for 24% of all spam messages.

Phishing emails that are expertly disguised and convincing act as the Trojan Horse, allowing attackers access to the organization’s fortress. Malware is often hidden in Microsoft Office documents and is mostly delivered through email. This makes sense given that the majority of these documents can execute code on the client machine, which is quite advantageous for attackers.

Factors contributing to cost increase

The IBM report provides interesting insights into the factors that amplify the cost of a data breach.

Time, aka data breach lifecycle

The period between the first discovery of the breach and its containment is known as the data breach lifecycle. “Time to identify” is the number of days required to detect an incident. “Time to contain” is the number of days it takes a company to deal with the problem and resume operations once a breach has been discovered. These two metrics help assess how well an organization’s incident response and containment strategies are working.

The fact that costs decrease with shorter lifecycles comes as no surprise. IBM found that the average cost of a data breach with a lifecycle of less than 200 days was $3.93 million, while the average cost with a lifecycle of more than 200 days was $4.95 million. This is a 23% difference and a $1.02 million cost reduction due to the shorter duration.

Another conclusion that is closely connected to the one above is that breaches that were initiated by malevolent insiders or using credentials that were stolen or compromised were among the most expensive to resolve.

On the same subject, identifying and containing breaches that were disclosed by the attackers themselves, as opposed to the impacted business, took an average of 320 days, or 28.2% longer than for breaches identified internally. Consequently, breaches disclosed by attackers cost $780,000 more than the global average cost of a data breach for 2023. Breaches identified by an organization’s own security teams and tools were significantly less expensive, costing nearly $1 million less than incidents disclosed by the attacker.
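The two lifecycle metrics above are easy to track once incident records carry three dates: first compromise, identification and containment. The following is an added example (not from the article or the IBM report) that computes mean time to identify, mean time to contain, the share of breaches over the 200-day threshold the report uses, and the average lifecycle split by who disclosed the breach. The incident records, dates and the `disclosed_by` field are constructed for illustration.

```python
"""Breach lifecycle metrics from incident records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Threshold used in the IBM report's cost comparison (under vs. over 200 days)
LONG_LIFECYCLE_DAYS = 200


@dataclass(frozen=True)
class Incident:
    name: str
    compromised: date   # first malicious activity, usually established by forensics
    identified: date    # day the organization learned of the breach
    contained: date     # day containment and recovery were completed
    disclosed_by: str   # "internal" (own teams/tools) or "attacker" (assumed labels)

    @property
    def days_to_identify(self) -> int:
        return (self.identified - self.compromised).days

    @property
    def days_to_contain(self) -> int:
        return (self.contained - self.identified).days

    @property
    def lifecycle_days(self) -> int:
        return (self.contained - self.compromised).days


def lifecycle_summary(incidents: list[Incident]) -> dict:
    """Aggregate the report's metrics over a set of incidents."""
    if not incidents:
        raise ValueError("no incidents to summarize")
    for inc in incidents:
        if not (inc.compromised <= inc.identified <= inc.contained):
            raise ValueError(f"{inc.name}: dates must be compromised <= identified <= contained")
    long_ones = [i for i in incidents if i.lifecycle_days > LONG_LIFECYCLE_DAYS]
    by_source = {}
    for source in sorted({i.disclosed_by for i in incidents}):
        by_source[source] = mean(i.lifecycle_days for i in incidents if i.disclosed_by == source)
    return {
        "mean_time_to_identify": mean(i.days_to_identify for i in incidents),
        "mean_time_to_contain": mean(i.days_to_contain for i in incidents),
        "long_lifecycle_share": len(long_ones) / len(incidents),
        "mean_lifecycle_by_disclosure": by_source,
    }


# Constructed sample records, not real incidents
SAMPLE_INCIDENTS = [
    Incident("phishing-A", date(2023, 1, 10), date(2023, 3, 1), date(2023, 3, 21), "internal"),
    Incident("stolen-creds-B", date(2023, 2, 1), date(2023, 11, 15), date(2023, 12, 15), "attacker"),
    Incident("misconfig-C", date(2023, 5, 5), date(2023, 5, 20), date(2023, 6, 4), "internal"),
    Incident("insider-D", date(2022, 12, 1), date(2023, 7, 10), date(2023, 8, 9), "attacker"),
]

if __name__ == "__main__":
    for key, value in lifecycle_summary(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

Feeding this with your own incident register lets you see whether your lifecycle sits above or below the 200-day line, and whether attacker-disclosed incidents are dragging the average up, which is exactly the comparison the report draws.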

Skills, complexity, compliance

Three commonly cited barriers to effective security, especially in cloud environments, are the lack of skilled talent, security complexity, and the lack of compliance with privacy and security regulations. For example, the Cloud Security 2023 report sponsored by (ISC)2 notes that the persistent shortage of qualified cybersecurity talent is the most significant barrier to faster cloud adoption (37%), followed by legal and regulatory compliance issues (30%) and data security and leakage risks (29%) due to vendor and tool sprawl.

According to IBM, organizations with a high level of security skills shortage had a $5.36 million average data breach cost, which was $910,000 higher than the global average. Those with a high level of security system complexity had costs 17.1% higher than the average cost of a data breach. Finally, organizations with a high level of noncompliance with regulations showed an average cost of $5.05 million, which exceeded the average cost of a data breach by $560,000.

Factors reducing the cost of a data breach

Besides understanding the factors that increase the cost of a data breach (and taking steps to address them), businesses can invest in people empowerment, technology, and processes to reduce the impact of a breach.

According to the IBM report, the three most impactful cost-mitigating factors are embedding DevSecOps processes into the software development lifecycle, having a tested incident response (IR) plan supported by an IR team, and investing in security awareness training. The numbers below are enough to persuade even the most skeptical audience of the effectiveness of these three factors:

  • DevSecOps: $249,000 reduction in cost
  • Employee training: $232,800 reduction
  • IR plan and testing: $232,000 reduction

In addition to making the above investments, businesses should concentrate on automating security procedures and minimizing human involvement. Examples include the use of AI, machine learning, automation, and orchestration to supplement or replace human intervention in identifying, responding to, and containing threats. With an average data breach cost of $3.60 million, organizations with substantial use of security AI and automation showed the biggest cost savings. Even firms using security AI and automation sparingly recorded lower average data breach costs than the global average.

Prevention can minimize the impact of a data breach

The discussion above demonstrates that businesses should take the time to understand their risk environment and calculate the ROI of various data breach prevention approaches. Having a clear understanding of what amplifies and what minimizes the cost of a data breach is a great starting point for building up your defenses because you can prioritize your expenses and make better use of your resources.

About the Author: Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years’ worth of experience in managing IT projects and evaluating cybersecurity. During his service in the Armed Forces, he was assigned to various key positions in national, NATO and EU headquarters and has been honoured by numerous high-ranking officers for his expertise and professionalism. He was nominated as a certified NATO evaluator for information security.

Anastasios’ interests include, among others, cybersecurity policy and governance, ICS and IoT security, encryption, and certificates management. He is also exploring the human side of cybersecurity – the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic and cognitive) in applying cybersecurity policies and integrating technology into learning. He is intrigued by new challenges, open-minded and flexible. Currently, he works as a cybersecurity content writer for Bora Design. Tassos is a member of the non-profit organization Homo Digitalis.
