Do you know that the overall data breach costs reached $4.45 million in 2023?
The risks involved with the data breach could damage the whole business structure. Data does not only mean financial loss; the ingrown damage it leaves to a company is catastrophic.
Image Description: The bar chart shows the average cost of a data breach worldwide from 2006 to 2023 (in millions of U.S. dollars).
Based on research conducted by IBM, 83% of American businesses that took part have encountered multiple data breaches, resulting in expenses exceeding $9.44 million, more than twice the worldwide mean of $4.35 million.
Contrary to the assumption that these incidents primarily result from internal weaknesses, a significant portion of the cybersecurity breaches in 2022 originated from third-party vulnerabilities, with 51% of companies indicating that a data breach was attributable to a third party.
How do you calculate the financial cost of a data breach?
Determining the precise monetary impact of a data breach is challenging due to the unique nature of each business.
The financial repercussions of a data loss can vary significantly from one company to another, depending on the nature and value of their data, how they use it, and the level of safeguarding or cybersecurity defenses in place.
The cost associated with data loss can be dissected based on the following factors:
- The size of the organization.
- The volume of data that is compromised.
- The value of the data that is lost.
- The extent to which the breach disrupts business operations.
- The ability to recover the lost data.
- The duration of downtime experienced.
- The speed at which recovery, containment, and incident response measures are implemented.
Sector under attack: Healthcare this time!
Rarely do we witness complete agreement in surveys, but AHA managed to achieve consensus among business executives spanning the healthcare provider, payer, and pharmaceutical/life sciences sectors.
Every participant concurred that the primary catalyst for the surge in ransomware attacks is the “heightened sophistication of hackers.”
Responding to these findings, the American Hospital Association conveyed to Porter Research that “cybercriminals are not only more organized than before but also frequently possess advanced skills.”
While not a unanimous sentiment, most of these leaders align in their response to the attacks. Sixty percent expressed being “less than fully confident” in their current technologies for preventing and mitigating ransomware threats.
Notably, 85% of these leaders classify mitigating cyberattacks as a “high” or “very high priority” for 2023. Consequently, a significant majority (82%) are bolstering their investments this year to enhance their defenses against ransomware attacks.
Source: IBM report 2023
At first glance, the consistent frequency of these incidents might seem optimistic. Nonetheless, the increased complexity renders them increasingly challenging to avert and more detrimental.
According to the IBM X-Force Threat Intelligence Index for 2023, the ratio of incidents in the healthcare sector that X-Force has addressed has stayed relatively stable, hovering around 5% to 6% over the last three years.
However, most healthcare assaults in 2022 occurred in Europe (constituting 58%), while North America accounted for the remaining 42%.
Image Description: Healthcare data breach statistics by HIPAA
What are the initial attack vectors?
“Initial attack vectors are identified as the most common root causes for data breaches in the report and compare the average cost of breaches for each category and the average time to identify and contain those breaches.”
Phishing and stolen or compromised credentials were the two most prevalent attack vectors in 2023 and ranked among the top four costliest incident types.
What are the key cost factors?
The security technologies and practices used in an organization play a significant role in determining the average cost of a data breach.
Twenty-seven different cost factors can help those in charge of security and risk management understand how these factors can either increase or decrease breach-related costs.
It’s important to note that these factors should not be added together to calculate the potential breach cost, as they don’t work in an additive manner. In this year’s Cost of a Data Breach Report, IBM has included several new elements in the analysis.
These include supply chain breaches, ASM tools, software for data security and protection, endpoint detection and response (EDR) solutions, threat intelligence, proactive threat hunting, incident response (IR) teams, and security orchestration, automation, and response (SOAR) tools.
The above chart illustrates the average cost difference of organizations’ data breaches compared to the average breach cost of $4.45 million.
Factors that help reduce costs are referred to as “cost mitigators,” while those that increase costs are known as “cost amplifiers.”
The top three most effective cost mitigators, resulting in the most significant cost reduction, include:
- adopting a DevSecOps approach,
- providing employee training and
- having incident response (IR) planning and testing in place.
Source: Microsoft
For instance, organizations with a DevSecOps approach experienced breaches that were, on average, $249,000 less than the 2023 mean data breach cost of $4.45 million, approximately $4.20 million.
Conversely, the most prominent factors amplifying costs were:
- the complexity of security systems,
- a shortage of security skills and
- noncompliance with regulations.
For instance, organizations dealing with security system complexity faced average breach costs of $241,000 higher than the 2023 mean data breach cost of $4.45 million, equating to approximately $4.69 million.
Amazing to know!
Companies that decided to pay a ransom in response to a ransomware attack didn’t see a significant reduction in their overall expenses. Their total costs amounted to $5.06 million, compared to $5.17 million for those who didn’t pay, resulting in a difference of $110,000 or 2.2%.
However, it’s important to note that this calculation doesn’t account for the actual ransom amount paid. Considering that most ransom demands are substantial, organizations that opted to pay likely spent more than those who chose not to.
Recent Data Breaches
Several well-known businesses suffered data breaches in the previous year. Let’s discuss some of them:
Kroll Data Breach
On August 19, 2023, Kroll, a financial advisory firm, reported that one of its employees fell victim to a highly sophisticated SIM-swapping attack targeting their T-Mobile account.
T-Mobile transferred the employee’s phone number to the attacker without Kroll’s consent, granting access to files containing personal information of bankruptcy claimants tied to BlockFi, FTX, and Genesis.
SIM swapping involves fraudulently activating a victim’s phone number on an attacker-controlled SIM card, allowing interception of messages and calls, including MFA codes.
Kroll secured the affected accounts, informed impacted individuals, and found no evidence of further breaches. These incidents highlight the need for improved SIM swap prevention and alternative authentication methods.
Electoral Commission Breach
The UK Electoral Commission revealed a “complex” cyber attack that persisted undetected for over a year until its discovery in October 2022. Threat actors gained access in August 2021, compromising servers hosting email, control systems, and electoral registers, affecting data for 40 million individuals.
Exposed details encompass names, email addresses, home addresses, contact numbers, email content, personal images, and more. The delay in disclosure aimed to thwart ongoing access, investigate the breach scope, and enhance security measures.
While the breach doesn’t impact the electoral process, affected individuals were advised to stay vigilant, and the Commission implemented safeguards against future attacks.
IDOR bugs exploited for Data Breach
Cybersecurity agencies in Australia and the U.S. jointly issued a cybersecurity advisory warning about vulnerabilities in web applications that could lead to data breaches and data theft.
Image Description: What is an Insecure Direct Object Reference (IDOR)?
Specifically, they highlighted Insecure Direct Object Reference (IDOR) flaws, an access control issue allowing malicious actors to manipulate requests to access unauthorized data. Cyber adversaries have exploited these flaws to compromise sensitive information.
To mitigate these threats, the agencies recommend adopting secure design principles and conducting authentication and authorization checks for all actions involving sensitive data. This advisory follows a report stating that “Valid Accounts” accounted for 54% of successful cyberattacks.
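To make the advisory’s point concrete, here is an added example (not code from the advisory or from any of the organisations named on this page) that contrasts an IDOR-style handler with one that performs the recommended object-level authorization check. The claim records, user names and the `Forbidden` exception are constructed for illustration.

```python
# Added example: an IDOR defect and its hardened counterpart, using an
# in-memory "claims" store. All names and records are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: int
    owner: str
    detail: str


# Constructed sample data: each claim belongs to exactly one user.
CLAIMS = {
    101: Claim(101, "alice", "alice's bankruptcy claim"),
    102: Claim(102, "bob", "bob's bankruptcy claim"),
}

# Denied requests are recorded; a burst of denials from one session is a
# useful detection signal for id enumeration attempts.
DENIED_LOG = []


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested object."""


def get_claim_vulnerable(session_user, claim_id):
    """IDOR: authenticates the caller but never checks ownership, so any
    logged-in user who supplies another claim_id reads someone else's data."""
    if session_user is None:
        raise Forbidden("not authenticated")
    return CLAIMS[claim_id]  # direct object reference, no authorization check


def get_claim_fixed(session_user, claim_id):
    """Hardened: authentication AND object-level authorization on every access.
    Unknown and foreign objects both yield Forbidden, so the response does not
    reveal whether a guessed id exists."""
    if session_user is None:
        raise Forbidden("not authenticated")
    claim = CLAIMS.get(claim_id)
    if claim is None or claim.owner != session_user:
        DENIED_LOG.append((session_user, claim_id))
        raise Forbidden("no such claim for this user")
    return claim


def list_own_claims(session_user):
    """Alternative design: derive the accessible set from the session instead
    of trusting a client-supplied id at all."""
    return [c for c in CLAIMS.values() if c.owner == session_user]
```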
Reddit falls to a Phishing Attack
Reddit revealed it fell victim to a “sophisticated and highly-targeted phishing attack” on February 5, 2023. Unidentified threat actors used deceptive prompts to trick employees into revealing credentials and two-factor authentication tokens.
Although a single employee’s credentials were compromised, Reddit stated there’s no evidence of a breach in its production systems or user data exposure. Limited contact and advertiser information were accessed, but data is not being published or distributed online.
The incident underscores how threat actors use lookalike pages to bypass two-factor authentication, highlighting evolving cyber threats.
LastPass reported a severe Data Breach
LastPass disclosed that the August 2022 security breach was more extensive than initially reported.
By leveraging data from a prior breach, malicious actors gained access to customers’ encrypted password vaults and personal data, including account information, metadata, and IP addresses.
This breach, still under investigation, allowed attackers to obtain credentials and keys, facilitating data extraction from a cloud-based storage service separate from the production environment.
While credit card data remained untouched, LastPass warned of potential brute-force attacks to decrypt vault data.
Reused master passwords pose risks, as attackers could access user accounts and potentially launch phishing attacks based on exposed website URLs.
Our Analysis of the Cost of Data Breach – 2023 Specific
The key figures related to breach expenses are intriguing, but can following these patterns genuinely assist in reducing costs? Businesses are eager to determine where to allocate their security funds and which technologies provide the most value.
Fortunately, we have a wealth of information available to analyze. While I can’t guarantee your financial outcome, I can share my insights on areas where I believe we can minimize risks and potentially save costs if a breach occurs.
Don’t think criminals are fools!
The healthcare sector continues to bear the brunt of data breaches for the twelfth consecutive year. Healthcare institutions are facing an average financial hit of $10.93 million, nearly double the second most affected sector, finance, which averaged $5.9 million in losses.
Intriguingly, the energy and manufacturing industries also witness an uptick in breach impacts.
What’s worth noting is that these breaches aren’t sparing smaller organizations. In 2023, businesses with fewer than 500 employees incurred an average data breach cost of $3.31 million, surpassing the figures from the previous two years, which were $2.92 million and $2.95 million, respectively.
Cybercriminals aren’t casting their nets randomly. They carefully target industries dealing with sensitive data and those experiencing significant profit increases. They also consider an organization’s size and its cyber defense strength.
It’s crucial to adopt a hacker’s perspective when assessing your organization. Ask yourself what they might be after and how hard it would be for them to get it.
Let’s take healthcare organizations, for instance. Can you have confidence in the security of systems safeguarding your customers’ health data? Do your access security measures effectively shield credentials from falling into the wrong hands?
Consider conducting penetration testing and red teaming exercises; they might uncover valuable insights into vulnerabilities you suspected and ones you weren’t even aware of.
I know you are smart, but don’t be over-smart
Even if you’ve got a solid password policy in place, it’s vital to be ready for employee passwords, including strong passphrases, to get swiped.
Phishing, accounting for 16%, and stolen credentials, making up 15%, remain the most frequent attack entry points.
Interestingly, these two also rank among the top four costliest types of incidents:
- Phishing, averaging $4.76 million
- Stolen credentials, at $4.62 million
- Malicious insiders, representing only 6% of breaches, at $4.9 million
- Business email compromise, accounting for 9%, at around $4.67 million on average
Requiring security awareness training can definitely help shape behavior to be more cyber-savvy and thwart some phishing attempts. Implementing robust multi-factor authentication (MFA) can also significantly mitigate the impact of stolen credentials when only the password is compromised.
However, it’s crucial to acknowledge that not all phishing attacks can be caught by end users, and MFA isn’t foolproof either.
So, the question arises: How can you determine if employee credentials have been compromised despite these precautions? Deal with it.
God does not protect data in the Cloud!
IBM’s study revealed that 82% of compromised data resided in the cloud, while only 18% was on-premises.
Interestingly, 39% of breaches stretched across various cloud environments, including public and private clouds, leading to a higher-than-average breach cost of $4.75 million.
Misconfigured cloud setups and the presence of both known and unknown (zero-day) vulnerabilities were widespread among the organizations surveyed.
Although the cloud offers enhanced flexibility and scalability and suits dispersed workforces’ needs, it creates a larger target for potential attacks. Attackers have quickly exploited the lack of visibility between organizations and their suppliers.
Supply chain-related data breaches accounted for 12% of all breaches, and these attacks took longer than usual to detect, averaging 294 days.
But it’s not all doom and gloom; cybersecurity tools are here to lend a hand again. Organizations implementing External Attack Surface Management (EASM) experienced a 25% reduction in the time it took to spot and contain a data breach (254 days with EASM versus 337 days without it).
Furthermore, the data indicated that organizations adopting risk-based vulnerability management, rather than relying solely on CVEs, enjoyed significantly reduced data breach costs, with an 18.3% reduction.
Slow analysis is no analysis!
Most organizations still require over 200 days to spot a breach. This underscores the fact that threat actors continue to rely on their standard approach of breaching the network and then lying low inside it.
Once identified, it takes more than 70 days on average to rectify the issue, indicating a need for bolstered disaster recovery and contingency planning efforts.
This underscores the urgency of enhancing threat detection and strengthening internal network controls, not just focusing on fortifying the perimeter. The report reveals that only one in three breaches (33%) was uncovered by the organization’s internal security teams or tools.
Surprisingly, 27% of breaches were actually disclosed by the attackers themselves, while another 40% were discovered by third parties like law enforcement.
There’s a clear advantage to spotting breaches sooner. Companies that identified a compromise within 200 days incurred losses of $3.93 million, whereas those detecting it after 200 days faced a steeper cost of $4.95 million.
Thankfully, there are tools available to assist in this regard. According to the report, Threat Intelligence users could identify breaches around four weeks faster than those who don’t.
Additionally, organizations with well-crafted incident response plans reduced the costs of data breach damage by a substantial 61%, paying $2.66 million less than the global average.
Can we understand it simply?
Numerous factors play into the overall fallout of a corporate security breach. The outcomes can vary widely: for some companies, it might result in a modest bump in their IT budget, while for others, it could lead to substantial financial losses and reputational harm.
In the worst cases, it could even spell the end of the business, with all assets wiped out. One thing remains clear – the expense of dealing with a security breach is always greater than the cost of implementing protective measures.
Invest wisely! We all need to be secure!