Last time, we looked at the highlights of IBM’s Cost of a Data Breach Report 2024. We saw that the average cost of a breach was US$4.88m, with the average cost of a malicious insider attack costing US$4.99m. Also, the average time to identify and contain a breach was 258 days, which is lower than previous years, but still a very long time.
This time, I wanted to drill down a bit further into the report. For example, it tells us that AI and automation are transforming the world of cybersecurity. Worryingly, they make it easier than ever for bad actors to create and launch attacks at scale. On the plus side, they also provide defenders with new tools for rapidly identifying threats and automating responses to those threats. The report found that these technologies accelerated the identification and containment of breaches and reduced costs.
The report also found that the number of organizations that used security AI and automation extensively grew to 31% in this year’s study from 28% last year. Although it’s just a 3-percentage-point difference, it represents a 10.7% increase in use. The share of those using AI and automation on a limited basis also grew from 33% to 36%, a 9.1% increase.
The report also found that the more organizations used AI and automation, the lower their average breach costs were. Organizations not using AI and automation had average costs of US$5.72m, while those making extensive use of AI and automation had average costs of US$3.84m, a savings of US$1.8m.
Another plus found by the report was that organizations extensively using security AI and automation identified and contained data breaches nearly 100 days faster on average than organizations that didn’t use these technologies at all.
Among organizations that stated they used AI and automation extensively, about 27% used AI extensively in each of these categories: prevention, detection, investigation, and response. Roughly 40% used AI technologies at least somewhat.
When AI and automation were used extensively in each of those four areas of security, average breach costs were dramatically lower than for organizations that didn’t use the technologies in those areas. For example, when organizations used AI and automation extensively for prevention, their average breach cost was US$3.76m. Meanwhile, organizations that didn’t use these tools in prevention saw US$5.98m in costs, a 45.6% difference. Extensive use of AI and automation reduced the average time to investigate data breaches by 33% and to contain them by 43%.
Even after a breach is contained, the work of recovery goes on. For the purposes of the report, recovery meant: business operations are back to normal in areas affected by the breach; organizations have met compliance obligations, such as paying fines; customer confidence and employee trust have been restored; and organizations have put controls, technologies and expertise in place to avoid future data breaches. Only 12% of organizations surveyed said they had fully recovered from their data breaches. Most organizations said they were still working on recovery.
Among the organizations that had fully recovered, more than three-quarters said they took longer than 100 days. Recovery is a protracted process. Roughly one-third of organizations that had fully recovered said they required more than 150 days to do so. A small share, 3%, of fully recovered organizations were able to do so in less than 50 days.
This year’s report found that most organizations reported their breaches to regulators or other government agencies. About a third also paid fines. As a result, reporting and paying fines have become common parts of post-breach responses. Most organizations reported the breach within a few days. Over half of organizations reported their data breach in under 72 hours, while 34% took more than 72 hours to report. Just 11% were not required to report the breach at all. More organizations paid higher regulatory fines: the share paying more than US$50,000 rose by 22.7% over last year, and the share paying more than US$100,000 rose by 19.5%.
About 40% of all breaches involved data distributed across multiple environments, such as public clouds, private clouds, and on premises. Fewer breaches in the study involved data stored solely in a public cloud, private cloud, or on premises. With data becoming more dynamic and active across environments, it’s harder to discover, classify, track and secure.
Data breaches solely involving public clouds were the most expensive type of data breach, costing US$5.17m on average, a 13.1% increase from last year. Breaches involving multiple environments were more common but slightly less expensive than public cloud breaches. On-premises breaches were the least costly.
The more centralized control organizations had over their data, the quicker on average they could identify and contain a breach. Breaches involving data stored solely on premises took an average of 224 days to identify and contain, 23.3% less time than breaches involving data distributed across environments, which took 283 days. The same pattern of local control and shortened breach lifecycles showed up in the comparison between private cloud architectures and public cloud architectures.
The average cost of a data breach involving shadow data was US$5.27m, 16.2% higher than the average cost without shadow data. Breaches involving shadow data took 26.2% longer on average to identify and 20.2% longer on average to contain than those that didn’t. These increases resulted in data breaches lasting an average lifecycle of 291 days, 24.7% longer than data breaches without shadow data.
While shadow data was found in every type of environment – public and private clouds, on premises and across multiple environments – 25% of breaches involving shadow data were solely on premises. That finding means shadow data isn’t strictly a problem related to cloud storage.
Mega breaches, characterized by more than 1 million compromised records, are relatively rare. The average cost of all mega breach size categories was higher this year than last. The jump was most pronounced for the largest breaches, affecting between 50 million and 60 million records. The average cost increased by 13%, and these breaches were many times more expensive than a typical breach. For even the smallest mega breach – 1 million to 10 million records – the average cost was nearly nine times the global average cost of US$4.88m.
Key factors that reduced the costs of a data breach included employee training and the use of AI and machine learning insights. Employee training continues to be an essential element in cyber-defence strategies, specifically for detecting and stopping phishing attacks. AI and machine learning insights closely followed in second place.
The top three factors that increased breach costs in this analysis were security system complexity, security skills shortage, and third-party breaches, which can include supply chain breaches.
70% of organizations in the study experienced a significant or very significant disruption to business resulting from a breach. Only 1% described their level of disruption as low. Average breach costs were higher when business disruption was greater. Even organizations that reported low levels of disruption incurred average data breach costs of US$4.63m. For organizations that reported very significant disruptions, average costs were 7.9% higher, at US$5.01m.
Most organizations said they planned to increase prices of goods and services following a data breach. 63% of organizations surveyed planned to pass the costs on to customers, a 10.5% increase.
This is a report that not only the IT team needs to read, but also the chief financial officer, because that person will be responsible for paying company money for the ransom, the fines for lack of compliance, and any court settlements to people whose data has been stolen.