IBM Security announces the results of a global study examining the financial impact of data breaches and security breaches.
Among the key findings, the study reveals that compromised employee accounts are the leading driver of data breach costs for companies.
Employee credentials and misconfigured clouds – Entry point for attackers
Stolen or compromised credentials and cloud misconfigurations were the most common causes of a security breach, accounting for nearly 40% of incidents. With more than 8.5 billion records exposed in 2019, and with attackers using previously exposed emails and passwords in one in five breaches studied, enterprises are rethinking their security strategy by adopting a zero trust approach, reexamining how users are authenticated and how much access they are granted.
Also, the continued struggle of enterprises to deal with security complexity – a major cost factor in large breaches – is contributing to cloud misconfigurations becoming a growing security challenge. The 2020 report found that attackers used cloud misconfigurations to breach networks nearly 20% of the time, increasing the cost of those data breaches to enterprises by more than half a million dollars and making it the third most expensive initial infection vector examined in the report.
State-sponsored attacks are the most damaging
Despite accounting for only 13% of breaches, government actors were the most damaging adversary type according to the 2020 report, suggesting that financially motivated attacks (53%) do not result in greater financial losses for enterprises. The highly tactical nature, longevity and stealth maneuvers of state-backed attacks, as well as the high-value data they target, often prove more damaging for victims, increasing breach costs to an average of $4.43 million.
In fact, the Middle East, which historically experiences a higher proportion of state-sponsored attacks than other parts of the world, saw a year-over-year increase of over 9% in its average cost due to these data breaches, making it the second highest cost ($6.52 million) among the 17 regions studied. Similarly, the energy sector, one of the industries most targeted by states, saw a 14% year-over-year increase in costs due to these breaches, averaging $6.39 million.
Advanced security technologies, a smart choice for businesses
The report also highlights the growing gap in breach costs between companies that have implemented advanced security technologies and those that have lagged behind, revealing a cost difference of $3.58 million between companies with fully deployed security automation and those that have not yet deployed this type of technology. That gap has widened by $2 million.
Fully deployed security automation also shortens breach response time significantly, which contributes to lower breach costs for enterprises. The report notes that AI, machine learning, analytics and other forms of security automation are enabling companies to respond to breaches 27% faster than companies that have not yet deployed security automation – the latter requiring on average an additional 74 days to identify and contain a breach.
Incident response (IR) readiness also continues to greatly influence the financial consequences of a breach. Companies that neither have an IR team nor test their IR plans have an average cost of $5.29 million per breach, while companies that have an IR team and use simulations to test their plans have a cost of $2 million less per breach, reaffirming that preparedness represents a significant return on investment in cybersecurity.
Some additional findings from this year’s report include:
- The risk of telecommuting will have a cost: With hybrid work models creating less controlled environments, the report notes that 70% of companies that adopted telecommuting in the midst of the pandemic expect it to exacerbate data breach costs.
- CISOs are blamed for breaches despite their limited decision-making power: Forty-six percent of respondents said their CISO/CSO is responsible for the breach, despite only 27% stating that the CISO/CSO is responsible for security policy and technology decision making. The report found that the appointment of a CISO was associated with $145,000 in cost savings versus the average cost of a breach.
- Most cyber insurance claims cover third-party charges: The report finds that breaches at organizations with cyber insurance cost on average nearly $200,000 less than average. In fact, of the organizations that have cyber insurance, 51% use it to cover consulting fees and third-party legal services, while 45% use it for remediation costs for those affected. Less than 10% of claims cover the cost of ransomware and extortion.
- Regional and industry perspectives: While the United States continued to experience the highest data breach costs globally, averaging $8.64 million, the report found that Scandinavian countries experienced the largest year-over-year increase in data breach costs, noting an increase of nearly 13%. The healthcare sector continued to incur the highest costs, at $7.13 million on average, an increase of more than 10% from the 2019 study.