Cybersecurity Comment: IBM Research: Cost of a Data Breach Hits Record High

IBM Security today announced the results of a global study that found that data breaches now cost surveyed companies $4.24 million per incident on average – the highest cost in the 17-year history of the report. Based on an in-depth analysis of real-world data breaches experienced by over 500 organizations, the study suggests that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year.

The following cybersecurity experts have reviewed the report's findings and offer their insights:

Javvad Malik, Security Awareness Advocate
InfoSec Expert
July 28, 2021 2:07 pm

This is an interesting study which paints a pretty dim picture of key trends over the years. While stolen credentials are reported as the leading root cause, social engineering, business email compromise, malicious insiders and phishing cause the most financial impact. It highlights that human error, whether that be deliberate or through lack of awareness / laziness or being tricked, has the biggest impact on organisations. And although technologies exist to minimise the risk of some of these breaches occurring, such as multi-factor authentication, password managers, or email gateways and the like, these alone are not enough, and so having an engaged and educated workforce forms a critical part of an organisation's defensive strategy.

Hank Schless, Senior Manager, Security Solutions
InfoSec Expert
July 28, 2021 2:19 pm

The way we work has fundamentally changed with an emphasis on working from anywhere. Findings in the IBM 2021 Cost of a Data Breach Report highlight a number of new and existing security challenges. People are now working from anywhere and using whatever devices and networks are at their disposal. Traditional security solutions are no longer adequate for organizations where data goes wherever it's needed.

SaaS apps have boosted collaborative productivity, while cloud-based infrastructure provides the scalability that modern businesses need. But this cloud-first environment has also introduced new risks. With legitimate credentials, anyone can access corporate resources from anywhere. Heavier reliance on personal or unmanaged devices makes it difficult to know whether someone connecting to your network could be putting your organization at risk. Without visibility into the context of who or what is connecting to cloud-based resources, security teams could be missing telltale signs of a threat actor entering the infrastructure.

There's also the challenge of ensuring that on-premises infrastructure is secured in the same way as cloud-based services. Remote work exacerbated many pre-existing issues. For example, compromised credentials have always been an issue. But with everyone now working from anywhere, organizations have lost what visibility they had into their users and devices. With access to an employee's account, threat actors lower the chance of setting off any alarms when accessing an organization's cloud apps and sensitive data. The most common way for attackers to compromise login credentials is through mobile phishing. According to Lookout data, one-third of mobile users globally were exposed to at least one mobile phishing attempt in the timeframe of IBM's report, from May 2020 to March 2021. Since any mobile app with messaging functionality enables social engineering, attackers can deliver phishing attacks across countless channels, such as SMS, social media platforms, third-party messaging apps, and even dating apps. Since so many employees use personal or unmanaged devices to access enterprise resources, attackers will specifically phish credentials for platforms like Google Workspace or Microsoft 365.

Given the variety of apps that attackers leverage to phish login credentials, it's critical for organizations to use an anti-phishing solution built for mobile. Once the attackers have compromised an individual's login credentials, they will try to use them across both personal and corporate cloud platforms such as Google Workspace, AWS, Microsoft 365, and Azure to gain access to a plethora of sensitive and valuable data. This is why it's critical for organizations to deploy dedicated security for their cloud apps. Cloud access security broker (CASB) solutions help solve this challenge by giving organizations a way to monitor for anomalous user, device, or file behavior with user and entity behavior analytics (UEBA).

Attackers posing as legitimate users will often log in from different locations than the employee, try to access different files, and exfiltrate large amounts of sensitive data. This is all behavior indicative of an insider threat that will be blocked by an advanced CASB. IBM also mentions the healthcare industry as being in the crosshairs of cybercriminals. This makes sense given the stress that industry has been under during the pandemic. Attackers will always take advantage of organizations that they know are stretched thin. Healthcare organizations don't just possess data related to patient health. They also store payment data, social security numbers and other highly sensitive and personally identifiable information.

In the world of hybrid work, employees expect to be able to use any device to access corporate resources and infrastructure seamlessly. This often means that they're using unmanaged devices to access compliance-related data. In addition to industry-specific compliance standards like HIPAA, other data privacy regulations such as GDPR and CCPA also need to be respected. With data traveling wherever it's needed and teams no longer having the visibility they once did when everything stayed inside the traditional perimeter, it becomes difficult to ensure alignment with these regulations. Healthcare also experienced an onslaught of ransomware attacks. Attackers are leveraging the fact that healthcare organizations are under immense pressure as a result of the pandemic and targeting them with customized ransomware campaigns.

Ransomware groups know that healthcare systems can't afford to be shut down, so they may have greater success in getting a ransom. In order to protect against the trends and challenges presented in this report, organizations need to ensure that they have cybersecurity coverage from endpoint devices all the way to the cloud. It's no longer feasible to have standalone tools for various security scenarios. To ensure you don't leave any security gaps and efficiently safeguard your data, organizations need a true endpoint-to-cloud security strategy. The variety of endpoint devices that now have access to corporate infrastructure makes it a priority to ensure that security teams have visibility into activities associated with data, users, devices and apps. Employees now expect to be able to use personal devices for work. This makes it difficult to secure these devices without violating end-user personal privacy. Implementing security on the endpoint itself is a great start. Organizations also need to integrate it with security solutions that can implement granular, context-aware access policies to cloud resources.

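The UEBA behaviours described in the comment above (a sign-in from a country the user has never used, "impossible travel" between two sign-ins, and a download far above the user's own baseline) can be expressed as simple rules over cloud-app audit events. The script below is an added example written for this page, not Lookout's product logic or code from the original comment; the events, user names, coordinates and thresholds (900 km/h, 10x baseline) are constructed assumptions, and the geolocation fields stand in for what a CASB would attach to a source IP.

```python
"""UEBA-style anomaly checks over constructed cloud-app audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample audit events (not from any real tenant). lat/lon approximate the
# geolocation a CASB would attach to the source IP; bytes is non-zero only for downloads.
EVENTS = [
    # alice: normal US-based baseline in May
    {"user": "alice", "ts": "2021-05-03T13:00:00Z", "type": "signin",   "country": "US", "lat": 40.71, "lon": -74.01, "bytes": 0},
    {"user": "alice", "ts": "2021-05-03T13:05:00Z", "type": "download", "country": "US", "lat": 40.71, "lon": -74.01, "bytes": 1_000_000},
    {"user": "alice", "ts": "2021-05-10T14:00:00Z", "type": "signin",   "country": "US", "lat": 40.71, "lon": -74.01, "bytes": 0},
    {"user": "alice", "ts": "2021-05-10T14:20:00Z", "type": "download", "country": "US", "lat": 40.71, "lon": -74.01, "bytes": 5_000_000},
    # alice in June: sign-in from New York, an hour later from Bucharest, then a bulk download
    {"user": "alice", "ts": "2021-06-01T09:00:00Z", "type": "signin",   "country": "US", "lat": 40.71, "lon": -74.01, "bytes": 0},
    {"user": "alice", "ts": "2021-06-01T10:00:00Z", "type": "signin",   "country": "RO", "lat": 44.43, "lon": 26.10,  "bytes": 0},
    {"user": "alice", "ts": "2021-06-01T10:15:00Z", "type": "download", "country": "RO", "lat": 44.43, "lon": 26.10,  "bytes": 500_000_000},
    # bob: unremarkable throughout
    {"user": "bob", "ts": "2021-05-04T08:00:00Z", "type": "signin",   "country": "GB", "lat": 51.51, "lon": -0.13, "bytes": 0},
    {"user": "bob", "ts": "2021-05-04T08:10:00Z", "type": "download", "country": "GB", "lat": 51.51, "lon": -0.13, "bytes": 2_000_000},
    {"user": "bob", "ts": "2021-06-02T08:00:00Z", "type": "signin",   "country": "GB", "lat": 51.51, "lon": -0.13, "bytes": 0},
    {"user": "bob", "ts": "2021-06-02T08:30:00Z", "type": "download", "country": "GB", "lat": 51.51, "lon": -0.13, "bytes": 4_000_000},
    # carol: first seen after the baseline window, so there is nothing to compare against
    {"user": "carol", "ts": "2021-06-03T11:00:00Z", "type": "signin", "country": "DE", "lat": 52.52, "lon": 13.41, "bytes": 0},
]

# Assumed split: events before this instant define each user's baseline.
BASELINE_END = datetime(2021, 6, 1, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse the 'Z'-suffixed ISO timestamps used above into timezone-aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events, baseline_end=BASELINE_END, max_speed_kmh=900.0, volume_factor=10):
    """Return a list of (user, alert_kind, detail) tuples.

    Events before baseline_end define each user's known countries and typical download
    sizes; events at or after it are scored against that baseline.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "dt": parse_ts(e["ts"])})

    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["dt"])
        baseline = [e for e in evs if e["dt"] < baseline_end]
        recent = [e for e in evs if e["dt"] >= baseline_end]
        if not baseline:
            # Edge case: with no history every behaviour looks 'new'. Report that once
            # instead of emitting a false positive for each event.
            alerts.append((user, "no_baseline", f"{len(recent)} event(s) with no prior history"))
            continue

        known_countries = {e["country"] for e in baseline}
        baseline_downloads = [e["bytes"] for e in baseline if e["type"] == "download"]
        bulk_threshold = volume_factor * max(baseline_downloads) if baseline_downloads else None

        # Start impossible-travel tracking from the last baseline sign-in so a jump that
        # straddles the window boundary is still caught.
        prev_signin = next((e for e in reversed(baseline) if e["type"] == "signin"), None)

        for e in recent:
            if e["type"] == "signin":
                if e["country"] not in known_countries:
                    alerts.append((user, "new_country", f"sign-in from {e['country']} never seen in baseline"))
                if prev_signin is not None:
                    km = haversine_km(prev_signin["lat"], prev_signin["lon"], e["lat"], e["lon"])
                    hours = (e["dt"] - prev_signin["dt"]).total_seconds() / 3600
                    # Same place is not travel; a move with zero elapsed time is always impossible.
                    if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                        alerts.append((user, "impossible_travel", f"{km:.0f} km in {hours:.2f} h"))
                prev_signin = e
            elif e["type"] == "download" and bulk_threshold is not None and e["bytes"] > bulk_threshold:
                alerts.append((user, "bulk_download",
                               f"{e['bytes']} bytes vs baseline max {max(baseline_downloads)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(" | ".join(alert))
```

On the constructed data, alice triggers all three rules (the Bucharest sign-in is roughly 7,650 km from New York one hour after the previous sign-in), bob triggers none, and carol is reported once as having no baseline rather than being flagged for every action. A production CASB would learn the baseline continuously and weight the signals rather than apply hard thresholds, but the structure of the checks is the same.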
Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
InfoSec Expert
July 28, 2021 2:25 pm

Each year, the IBM Cost of a Data Breach report provides a wealth of insights into the business impact of a data breach. This year, what caught my eye was the increase in the length of time it took to identify and contain a breach, which increased by a week from the 2020 analysis to 287 days. Arguably, the COVID-influenced remote work environment we saw for much of 2020 shouldn't have a large impact on breach identification and containment, but that wasn't the case. Organisations that adopted more than 50% remote work saw an increase of 46 days to identify and 12 days to contain a breach. With a remote workforce, normal IT defences are stretched to include the remote work environment, which is fundamentally an unmanaged environment. It then isn't overly surprising to find that compromised credentials, phishing and social engineering resulted in times to identify and contain a breach that exceeded the baseline of 287 days.

This situation might cause some business leaders to focus their cyber defence efforts on the people side of the security equation, but the telling stat relates to how long it took to identify and contain a breach associated with third-party software. With several high-profile software supply chain attacks in the last six months, it should be deeply concerning to learn that in 2020 it took 286 days on average to identify and contain a breach that started based on an exploited software vulnerability. While some zero-day attacks will factor into this stat, the reality is that software patch management is automation friendly, making this stat something that is resolvable. Since it isn't resolved, that speaks to a blind spot in patch management, one which likely is based on an assumption that vendors push update notifications to their customers. That assumption may be true for some commercial suppliers, but it isn't true for open source software or otherwise freely downloadable software. After all, if the download site doesn't know who you are, they can't push updates to you. This means that any patch management solution that doesn't have a complete inventory of all software used in a business, regardless of origin, can't possibly identify all outstanding patches. Cyber criminals know such a blind spot exists, but closing it is easy.

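The comment above argues that outstanding patches can only be enumerated from a complete inventory of what is actually in use, because freely downloaded components never announce their own updates. The script below is an added example illustrating that pull-based approach; it is not Synopsys code or anything from the original comment. It builds a small inventory by parsing two constructed manifests (a pinned `requirements.txt` and a `package.json`), compares each component against a constructed advisory list with made-up identifiers (`EXAMPLE-2021-...`, standing in for a real feed such as OSV or a vendor bulletin), and reports both the components that are behind a fixed version and the ones whose version cannot be evaluated because the manifest only gives a range.

```python
"""Inventory-driven outstanding-patch check over constructed manifests (added example)."""
import json
import re

# Constructed inputs, not from any real project.
REQUIREMENTS_TXT = """\
# pinned Python dependencies
acme-parser==1.9.2
tokenlib==0.4.0   # trailing comment after a pin
"""

PACKAGE_JSON = json.dumps({
    "name": "internal-portal",
    "dependencies": {"widgetjs": "3.2.0", "chartkit": "^2.1.0"},
})

# Constructed advisories with made-up IDs. 'introduced' is inclusive, 'fixed_in' exclusive.
ADVISORIES = [
    {"id": "EXAMPLE-2021-001", "ecosystem": "pypi", "name": "acme-parser", "introduced": "1.0.0", "fixed_in": "1.10.0"},
    {"id": "EXAMPLE-2021-002", "ecosystem": "npm",  "name": "widgetjs",    "introduced": "3.0.0", "fixed_in": "3.2.1"},
    {"id": "EXAMPLE-2021-003", "ecosystem": "npm",  "name": "chartkit",    "introduced": "2.0.0", "fixed_in": "2.2.0"},
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$")


def vkey(version, width=4):
    """Numeric-aware comparison key so that '1.10.0' sorts after '1.9.2'.

    Each dotted component is reduced to its leading integer (pre-release suffixes are
    dropped) and the tuple is padded to a fixed width so '1.2' == '1.2.0'.
    """
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    nums = nums[:width] + [0] * (width - len(nums))
    return tuple(nums)


def parse_requirements(text):
    """Return [(ecosystem, name, version)] from requirements.txt; unpinned specs get version None."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            components.append(("pypi", m.group(1).lower(), m.group(2)))
        else:
            components.append(("pypi", line.lower(), None))
    return components


def parse_package_json(text):
    """Return [(ecosystem, name, version)] from package.json; range specs (^, ~, >=) get version None."""
    data = json.loads(text)
    components = []
    for name, spec in data.get("dependencies", {}).items():
        exact = re.fullmatch(r"\d+(\.\d+)*", spec)
        components.append(("npm", name, spec if exact else None))
    return components


def outstanding_patches(inventory, advisories):
    """Return (findings, unevaluated).

    findings: one dict per inventory entry whose version lies in an advisory's affected range.
    unevaluated: entries with no exact version, which the check cannot decide either way.
    """
    findings, unevaluated = [], []
    for ecosystem, name, version in inventory:
        if version is None:
            unevaluated.append((ecosystem, name))
            continue
        for adv in advisories:
            if adv["ecosystem"] != ecosystem or adv["name"] != name:
                continue
            if vkey(adv["introduced"]) <= vkey(version) < vkey(adv["fixed_in"]):
                findings.append({"ecosystem": ecosystem, "name": name, "installed": version,
                                 "fixed_in": adv["fixed_in"], "advisory": adv["id"]})
    return findings, unevaluated


if __name__ == "__main__":
    inv = parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
    found, skipped = outstanding_patches(inv, ADVISORIES)
    for f in found:
        print(f"PATCH  {f['ecosystem']}/{f['name']} {f['installed']} -> {f['fixed_in']} ({f['advisory']})")
    for eco, name in skipped:
        print(f"CHECK  {eco}/{name}: no exact version in manifest, resolve the lockfile and re-run")
```

Two details matter in practice. First, the version comparison must be numeric: a plain string comparison would rank `1.9.2` above `1.10.0` and silently mark the vulnerable `acme-parser` pin as already fixed. Second, a range such as `^2.1.0` is not an installed version, so the script reports it as unevaluated instead of guessing; a real pipeline would resolve it from the lockfile or the deployed artifact. Anything that never reaches the inventory produces no finding at all, which is the blind spot the comment describes.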