IBM and the Ponemon Institute are out with a new study: Hidden Costs of Data Breaches Increase Expenses for Businesses – Study for First Time Calculates the Full Cost of “Mega Breaches,” as High as $350 Million. Among key findings:
- Average cost of a data breach of 1 million compromised records is nearly $40 million
- At 50 million records, the estimated total cost of a breach is $350 million
- The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error)
- The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller scale breach (266 days)
In response, IT security experts commented below.
Christian Vezina, CISO at OneSpan:
“Why is it that in spite of ever-increasing spending in cybersecurity, organizations worldwide are still hit with major data breaches? The security perimeter has dissolved and as a result the attack surface has increased way beyond what organizations want to realize. With the prevalence of IoT, increased mobility and cloud usage, the use of complex supply chains, and the increased speed of business, organizations can’t get a complete grasp over their attack surface. Organizations will need to re-think their cybersecurity investments and prioritize their initiatives carefully. If what you do doesn’t work, you may want to change your approach. As you cannot possibly protect from everything, you will probably be better off shifting your cybersecurity investments and approach from ‘prevention only’ (which seems to be failing) to a ‘detect and respond’ approach.”
Jonathan Sander, CMO at STEALTHbits Technologies:
“One thing we see is what turns a run-of-the-mill breach into a mega-breach is the attacker getting insider access. Sometimes that happens because it’s an insider threat and they had it all along. Most of the time an attacker captures insider access through weak configurations and exploitation of busy users. With insider-level access, the bad guys can strike at less well secured but still information-rich targets like documents, scanned information, and other file data. If you look at all the largest breaches that have hit the headlines, they all included attackers running off with saved emails, scanned contracts, and simple files filled with passwords. That stuff is truly toxic and is only available once the bad guys make that leap to insider status and turn these incidents into mega-breaches.”
Pravin Kothari, Founder and CEO at CipherCloud:
“From any perspective the cost of a data breach is painfully high in the short term for remediation expense and lost business, in the longer term as a result of damage to the brand, and then the ongoing impact to revenue and customers. IBM’s study brings sharp focus to the numbers and clearly highlights the high cost of failure for executives and their board of directors. The lesson to learn? Data breaches are inevitable for any large enterprise. Attackers will get into your networks. This rising tide of cyberattacks represents an expensive and almost existential threat to your business. Given the current set of breaches being announced almost daily, it’s both prudent and necessary to move aggressively to update your security strategy and then add the best-of-breed security technologies necessary to support them.
“Some very basic technologies, implemented correctly, can make a significant impact on the potential risk to your organization. For example, by our estimate, the use of end-to-end encryption would likely have reduced the list of successful breaches in IBM’s study by over 75%. Why? Encrypted data is unintelligible to the cyber attackers and hence the breach of this data is inconsequential. Other important technologies, such as 2-factor authentication, would also have made a very significant impact in reducing the number of successful data breaches.”
Andy Norton, Director of Threat Intelligence at Lastline:
“The fact that the cost of breaches has risen so starkly shouldn’t come as a surprise to many. These mega breaches have increased sharply in recent years, and show no signs of slowing. Cybercrime has become increasingly more organised and easy to access, with ransomware-as-a-service and phishing-as-a-service packages readily available on the dark web. These breaches also work as something of a self-fulfilling prophecy, as the stolen data provides a pipeline for future cyberattacks. GDPR will also have helped the impact of breaches to be felt more financially, as the fines associated with poor data protection have rocketed. Although these breaches may not be a direct result of human error, a general lack of security awareness outside of IT or security departments is undoubtedly a contributing factor. A combination of educational initiatives and appropriate spending on cyber defences is the best approach to stemming the flow of data breaches.”