Key cybersecurity tools that can mitigate the cost of a breach

News By Daniel Michan Published on September 6, 2023

The latest edition of IBM's Cost of a Breach report for 2023 has revealed some trends. While it's no surprise that breaches come with a price tag, what caught my attention is how organizations respond to threats and the technologies that help mitigate the costs associated with every IT team's nightmare.

Once again, the average cost of a breach has risen, reaching $4.45 million and marking a 15% increase over the past three years. During this period, costs related to escalation and detection have skyrocketed by 42%. Given these figures, we found it surprising that 51% of surveyed entities that experienced breaches decided to enhance their security investments despite the growing repercussions.

Although headline statistics on breach costs are interesting, can delving deeper into these trends actually assist in saving money? Organizations are eager to know where to allocate their security budget and which technologies provide the most value for their investment. Thankfully, there is an abundance of data in the report that can provide insights. While we cannot guarantee outcomes, we can offer opinions on areas where risk reduction and potential cost savings may be achievable in the event of a breach.

It is crucial to consider industry risks when assessing your organization's security needs.

For the year, the healthcare sector continues to be heavily impacted by data breaches. On average, healthcare organizations have experienced losses of $10.93 million, which is twice as much as the second most affected industry (finance, with an average loss of $5.9 million). Interestingly, there has been an increase in the impact on the energy and manufacturing sectors as well. It is worth noting that it is not just large organizations that are affected; entities with fewer than 500 employees have seen higher average data breach costs in 2023 ($3.31 million) compared to the previous two years ($2.92 million and $2.95 million).

Cybercriminals do not randomly target businesses; they are aware of industries dealing with data and those experiencing profit growth. Moreover, they also consider factors such as an organization's size and their level of cybersecurity defenses. It is crucial to adopt a hacker's perspective when evaluating your organization; think about what they would be interested in acquiring and how challenging it would be for them.

Consider healthcare organizations, for instance. Can you confidently rely on your systems' ability to protect your customers' health data? Do you have security measures in place to prevent cybercriminals from accessing your credentials?

Penetration testing and red team exercises can provide insights into both suspected and unknown vulnerabilities. It is crucial to detect stolen credentials. Even with a password policy, it's essential to be prepared for the possibility of employee passwords being compromised, including strong passphrases. Phishing (16%) and stolen credentials (15%) remain the initial attack vectors. These types of incidents also rank among the four costliest, with phishing costing an average of $4.76 million and stolen credentials $4.62 million, alongside malicious insiders (at 6% but averaging $4.9 million) and business email compromise (at 9% with a cost of $4.67 million).

Mandatory security awareness training can help users become cyber-aware and prevent some phishing attacks. Implementing multi-factor authentication (MFA) can also minimize the impact of compromised credentials when only the password has been breached. However, it's important to acknowledge that not all phishing attacks will be detected by end users and that MFA is not foolproof. So how can you determine if employee credentials have been compromised despite these precautions?

By incorporating a third-party tool into your Active Directory system, you gain control and visibility over compromises.

For instance, Specops Password Policy offers a feature called Breached Password Protection that continuously scans for compromised passwords. In the event that a user's password is found to be on our list of over 3 billion compromised passwords, they receive instant notifications through email or SMS. If you're interested in getting started, you can find information on identifying credentials here.

Quick incident response leads to cost savings

According to the report, there hasn't been an improvement in detecting breaches, as organizations still take an average of over 200 days. This indicates that threat actors continue to follow the practice of breaching and then moving laterally across networks. After discovering these breaches, it takes 70+ days to resolve the issues. Therefore, more focus needs to be placed on disaster recovery and contingency planning efforts.

This suggests that we should enhance our ability to detect threats and strengthen internal network controls beyond relying on perimeter security measures. The report reveals that one in three breaches (33%) were detected by the organization's security teams or tools. Additionally, attackers themselves disclosed 27% of breaches, while third parties such as law enforcement uncovered 40% of them.

Detecting breaches earlier clearly brings benefits

Companies that identified a compromise within 200 days incurred losses of $3.93 million, while those that discovered the issue after 200 days faced losses of $4.95 million. Luckily, there are tools to assist in this regard. The report indicates that users of threat intelligence detected breaches faster, taking an average of four weeks less than non-users. Furthermore, organizations with well-designed incident response plans experienced a 61% reduction in data breach damage costs, saving $2.66 million compared to the average. Discover how you can optimize your incident response through the use of threat intelligence.

Understanding your attack surface has become more crucial than before

Based on IBM's report, it was found that 82% of breached data was stored in the cloud, whereas 18% was stored on premises. Additionally, 39% of breaches occurred across cloud environments (including private clouds), resulting in higher than average breach costs totaling $4.75 million. Cloud configurations and both known and unknown (zero-day) vulnerabilities were also prevalent among the surveyed organizations.

Although the cloud offers benefits such as flexibility, scalability, and suitability for distributed workforces, it's important to note that it expands businesses' potential attack surfaces that need protection. Attackers have also been capitalizing on the visibility between organizations and their suppliers.

Supply chain attacks accounted for 12% of all data breaches. These attacks typically took longer than usual to detect (around 294 days). However, cybersecurity tools are available to provide support in these situations. Organizations that implemented External Attack Surface Management (EASM) experienced a 25% reduction in the time it took to identify and contain a data breach compared to those without EASM (254 days with EASM versus 337 days without EASM). Furthermore, organizations that focused on risk-based vulnerability management instead of solely relying on CVEs saw a decrease in data breach costs (approximately 18.3% less). If you want to enhance your cyber resilience, learn more about how EASM and risk-based vulnerability management can help you.

The main takeaway from IBM's 2023 Cost of a Breach report is crystal clear: organizations that have knowledge about their vulnerabilities, insights into their attack surface, an effective incident response plan, and tools to handle compromised credentials will experience fewer breaches. Even if the worst-case scenario occurs, they will be better prepared to mitigate the impact and will suffer less financial damage.