Sunday, 13 August 2023

Security breach – it’ll never happen! Part 1

We all know from the press that security breaches have been causing serious problems to computing infrastructure for a number of years now. And yet, there are still too many mainframe sites that are hoping it won’t happen to them. I thought, by way of a wake-up call, it would be useful to take a look at the findings of the latest Cost of a Data Breach Report from IBM Security.

The first thing your CFO will want to know is how much a data breach is likely to cost. The report found that it is US$4.45 million, which is 2.3% higher than the 2022 report’s findings. Worryingly, only 1 in 3 sites that experienced a breach had the breach identified by their own security teams or tools. The remaining 67% of breaches were reported by a benign third party or by the attackers themselves. When the attackers disclosed a breach, it cost organizations nearly US$1 million more compared to internal detection.

The cost of a ransomware attack increased by 13% from 2022, now costing on average US$ 5.13 million. Ransomware attacks made up 24% of all data breaches recorded in the survey. Destructive attacks that left systems inoperable accounted for 25% of attacks. Business partner and software supply chain attacks accounted for 15% and 12% of attacks, respectively.

There’s always a big debate about whether an organization should disclose that it has been hacked and call in law enforcement. After all, the hackers are often based abroad, and a prosecution is unlikely. In addition, the news of the breach may reach the press and the company is very likely will lose customer confidence and is likely to lose money over the next couple of years. The report found that organizations that didn’t inform law enforcement faced an additional cost of US$ 470,000. 63% of sites in the survey had involved law enforcement, the 37% that didn’t also paid 9.6% more and experienced a 33-day longer breach lifecycle.

If you work in healthcare, the report found that since 2020, healthcare data breach costs have increased by 53.3%. For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of US$10.93 million.

The big question worrying many sites is are they currently being hacked, and they haven’t realized yet? The survey found that the length of time it takes to identify a breach is 204 days, which, although it might be cold comfort, is better than last year’s figure of 207 days. Once a breach has been identified, how long does it take to recover? The survey found that on average it takes organizations 73 days. That’s three days longer than the 2022 results.

One small comfort for traditional mainframers is that 82% of breaches involved data stored in the cloud – public, private, or multiple environments Mainframe sites that have projects that embrace cloud computing may well wish to review their security policy for the cloud. The report goes on to say that attackers often gained access to multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than average cost of US$4.75 million.

The location of an organization has big impact on the cost of a data breach. The most expensive place for a data breach is the USA, costing US$9.48 million. The Middle East is the second most expensive at US$8.07 million. Next is Canada, costing US$5.13 million. Fourth is Germany, costing US$4.67 million. And fifth is Japan costing US$4.52 million. The United Kingdom has dropped out of the top five this year.

We said Healthcare was the most expensive. The rest of the top five industries are: Financial costing US$5.90 million; Pharmaceuticals costing US$4.82 million; Energy costing US$4.78 million; and Industrial costing US$4.73 million. Technology has dropped out of this top five list.

Detection and escalation costs are still very expensive. This year the figure rose by 9.7% to US$1.58 million. These costs include activities that enable a company to reasonably detect a breach and can include forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards.

When it comes to lost business costs, the figure dropped 8.5% to US$1.30 million. This figure includes activities such as business disruptions and revenue losses from system downtime, the cost of lost customers and acquiring new customers, and reputation losses and diminished goodwill.

This year’s report is its 18th consecutive edition. The research is conducted independently by Ponemon Institute, and sponsored, analysed, and published by IBM Security. Responses were from 553 organizations impacted by data breaches that occurred between March 2022 and March 2023.

Next time will look at more from the report.

No comments: