The cost of a data breach 2024 – part 2

Last time, we looked at the highlights of IBM’s Cost of a Data Breach Report 2024. We saw that the average cost of a breach was US$4.88m, with the average cost of a malicious insider attack costing US$4.99m. Also, the average time to identify and contain a breach was 258 days, which is lower than previous years, but still a very long time.

This time, I wanted to drill down a bit further into the report. For example, it tells us that AI and automation are transforming the world of cybersecurity. Worryingly, they make it easier than ever for bad actors to create and launch attacks at scale. On the plus side, they also provide defenders with new tools for rapidly identifying threats and automating responses to those threats. The report found these technologies accelerated the work of identifying and containing breaches and reducing costs.

The report also found that the number of organizations that used security AI and automation extensively grew to 31% in this year’s study from 28% last year. Although it’s just a 3-percentage point difference, it represents a 10.7% increase in use. The share of those using AI and automation on a limited basis also grew from 33% to 36%, a 9.1% increase.

The report also found that the more organizations used AI and automation, the lower their average breach costs were. Organizations not using AI and automation had average costs of US$5.72m, while those making extensive use of AI and automation had average costs of US$3.84m, a savings of US$1.8m.

Another plus found by the report was that organizations extensively using security AI and automation identified and contained data breaches nearly 100 days faster on average than organizations that didn’t use these technologies at all.

Among organizations that stated they used AI and automation extensively, about 27% used AI extensively in each of these categories: prevention, detection, investigation, and response. Roughly 40% used AI technologies at least somewhat.

When AI and automation were used extensively in each of those four areas of security, it dramatically lowered average breach costs compared to organizations that didn’t use the technologies in those areas. For example, when organizations used AI and automation extensively for prevention, their average breach cost was US$3.76m. Meanwhile, organizations that didn’t use these tools in prevention saw US$5.98m in costs, a 45.6% difference. Extensive use of AI and automation reduced the average time to investigate data breaches by 33%m and to contain them by 43%.

 

Even after a breach is contained, the work of recovery goes on. For the purposes of the report, recovery meant: business operations are back to normal in areas affected by the breach; organizations have met compliance obligations, such as paying fines; customer confidence and employee trust have been restored; and organizations have put controls, technologies and expertise in place to avoid future data breaches. Only 12% of organizations surveyed said they had fully recovered from their data breaches. Most organizations said they were still working on them.

Among the organizations that had fully recovered, more than three-quarters said they took longer than 100 days. Recovery is a protracted process. Roughly one-third of organizations that had fully recovered said they required more than 150 days to do so. A small share, 3%, of fully recovered organizations were able to do so in less than 50 days.

 

This year’s report found most organizations reported their breaches to regulators or other government agencies. About a third also paid fines. As a result, reporting and paying fines have become common parts of post-breach responses. Most organizations reported the breach within a few days. Over half of organizations reported their data breach in under 72 hours, while 34% took more than 72 hours to report. Just 11% were not required to report the breach at all. More organizations paid higher regulatory fines, with those paying more than US$50,000, rising by 22.7% over last year, and those paying more than US$100,000, rising by 19.5%.

 

About 40% of all breaches involved data distributed across multiple environments, such as public clouds, private clouds, and on premises. Fewer breaches in the study involved data stored solely in a public cloud, private cloud, or on premises. With data becoming more dynamic and active across environments, it’s harder to discover, classify, track, and also secure.

Data breaches solely involving public clouds were the most expensive type of data breach, costing US$5.17m, on average, a 13.1% increase from last year. Breaches involving multiple environments were more common but slightly less expensive than public cloud breaches. On-premises breaches were the least costly.

The more centralized control organizations had over their data, the quicker on average they could identify and contain a breach. Breaches involving data stored solely on premises took an average of 224 days to identify and contain, 23.3% less time than data distributed across environments, which took 283 days. The same pattern of local control and shortened breach life-cycles showed up in the comparison between private cloud architectures and public cloud architectures.

The average cost of a data breach involving shadow data was US$5.27m, 16.2% higher than the average cost without shadow data. Breaches involving shadow data took 26.2% longer on average to identify and 20.2% longer on average to contain than those that didn’t. These increases resulted in data breaches lasting an average lifecycle of 291 days, 24.7% longer than data breaches without shadow data.

While shadow data was found in every type of environment – public and private clouds, on premises and across multiple environments – 25% of breaches involving shadow data were solely on premises. That finding means shadow data isn’t strictly a problem related to cloud storage.

Mega breaches, characterized by more than 1 million compromised records, are relatively rare. The average cost of all mega breach size categories was higher this year than last. The jump was most pronounced for the largest breaches, affecting between 50 million and 60 million records. The average cost increased by 13%, and these breaches were many times more expensive than a typical breach. For even the smallest mega breach – 1 million to 10 million records – the average cost was nearly nine times the global average cost of US$4.88m.

 

Key factors that reduced costs of a data breach included employee training and the use of AI and machine learning insights. Employee training continues to be an essential element in cyber-defence strategies, specifically for detecting and stopping phishing attacks. AI and machine learning insights closely followed in second place.

The top three factors that increased breach costs in this analysis were security system complexity, security skills shortage, and third-party breaches, which can include supply chain breaches.

 

70% of organizations in the study experienced a significant or very significant disruption to business resulting from a breach. Only 1% described their level of disruption as low. The average breach costs were higher when business disruption was greater. Even organizations that reported low levels of disruption incurred average data breach costs of US$4.63m. For organizations that reported very significant disruptions, average costs were 7.9% higher, at US$5.01m.

Most organizations said they planned to increase prices of goods and services following a data breach. 63% of organizations surveyed planned to pass the costs on to customers, a 10.5% increase.

 

This is a report that not only the IT team need to read, but also the chief financial officer because it will be that person who will be responsible for paying company money for the ransom, the fines for lack of compliance, and any court settlements to people whose data has been stolen.

The cost of a data breach 2024

I do seem to be banging on about security recently, but it really is so important. No-one wants to find that their personally identifiable information has been stolen and is currently being shared all over the dark web. And no-one wants to find that their mainframe or other platforms have had all their data stolen and they are looking at massive fines, compensation payments, and loss of customers and future revenue.

But, how do you know exactly how bad things are out there? How do you find out how much it is costing organizations that have been hacked and faced a ransom payment. One answer is the Cost of a Data Breach Report 2024 from IBM. Their headline statistic is that the global average cost of a data breach in 2024 is US$4.88m, which is a 10% increase over last year and the highest total ever. The USA had the highest average data breach cost at US$9.36m. Other countries in top 5 were the Middle East, Germany, Italy, and Benelux (Belgium, the Netherlands, and Luxembourg).

The report also identifies an issue with shadow data, saying that it is involved in 1 in 3 breaches. They suggest that the proliferation of data is making it harder to track and safeguard. Slightly better news is the finding that US$2.22m is the average cost saving for organizations that used security AI and automation extensively in prevention versus those that didn’t.

The USA had the highest average data breach cost at US$9.36m. Other countries in top 5 were the Middle East, Germany, Italy, and Benelux.

Looking in more detail at the report, we find that more than half of breached organizations are facing high levels of security staffing shortages and it’s getting worse. The issue shows a 26.2% increase from the previous year. In cash terms, that corresponded to an average US$1.76m more in breach costs. The report goes on to say that even as 1 in 5 organizations say they used some form of gen AI security tools, which are expected to help close the gap by boosting productivity and efficiency, this skills gap remains a challenge.

Many organizations trust their all the employees, and yet the report says that the average cost of a malicious insider attack is now US$4.99m. The report says that compared to other vectors, malicious insider attacks resulted in the highest costs but were only 7% of all breach pathways. Other expensive attack vectors were business email compromise, phishing, social engineering, and stolen or compromised credentials.

Phishing and stolen or compromised credentials ranked among the top 4 costliest incident types. Compromised credentials topped initial attack vectors. Using compromised credentials benefited attackers in 16% of breaches. Compromised credential attacks can also be costly for organizations, accounting for an average US$4.81m per breach. Phishing came in a close second, at 15% of attack vectors, but in the end cost more, at US$4.88m. Gen AI may be playing a role in creating some of these phishing attacks. For example, gen AI makes it easier than ever for even non-English speakers to produce grammatically correct and plausible phishing messages.

Watching TV and movies might make you think that breaches are usually discovered fairly promptly and dealt with the next day. Sadly, the report found that breaches involving stolen or compromised credentials took the longest to identify and contain of any attack vector. That was 292 days. Similar attacks that involved taking advantage of employees and employee access also took a long time to resolve. For example, phishing attacks lasted an average of 261 days, while social engineering attacks took an average of 257 days.

The good news is that the average time to identify and contain a breach fell to 258 days, reaching a 7-year low, compared to 277 days last year. The report points out that this global average of mean time to identify (MTTI) (194 days) and mean time to contain (MTTC) (64 days) excludes Benelux because, as a new region in the study, it was having outsized influence and skewed results much more than the average.

Ransomware victims that involved law enforcement ended up lowering the cost of the breach by an average of nearly US$1m, although that excludes the cost of any ransom paid. Involving law enforcement also helped shorten the time required to identify and contain breaches from 297 days to 281 days.

The industrial sector experienced the costliest increase of any industry, rising by an average US$830,000 per breach over last year. This cost spike could reflect the need for industrial organizations to prepare for a more rapid response, because organizations in this sector are highly sensitive to operational downtime. However, the time to identify and contain a data breach at industrial organizations was above the median industry, at 199 days to identify and 73 days to contain.

Healthcare is still the costliest in terms of a data breach at US$9.77m, but that was down from US$10.93 in 2023. Financial is the second costliest sector at US$6.08m this year, with Industrial third with an average cost of US$5.56m.

Nearly half of all breaches (46%) involved customer personal identifiable information (PII), which can include tax identification (ID) numbers, emails, phone numbers, and home addresses. Intellectual property (IP) records came in a close second (43% of breaches). The cost of IP records jumped considerably from last year, to US$173 per record in this year’s study from US$156 per record in last year’s report.

The costs from lost business and post-breach response rose nearly 11% over the previous year, which contributed to the significant rise in overall breach costs. Lost business costs include revenue loss due to system downtime, and the cost of lost customers and reputation damage. Post-breach costs can include the expense of setting up call centres and credit monitoring services for impacted customers, and paying regulatory fines.

Worryingly, 45% of all breaches were caused by IT failures or human error. The breakdown is 23% are due to IT failure and 22% are due to human error.

Interestingly, security teams and their tools detected breaches 42% of the time. Benign third parties detected the breach 34% of the time, and attackers themselves identified the breach 24% of the time. Security teams are getting better at discovering breaches because the 2023 figure for identification was 33% of the time. When a breach was disclosed by an attacker, the average cost was US$5.53m. However, when a security team identified a breach, the average cost was US$4.55m.

Even so, no-one can be complacent. It’s still taking a long time to detect a breach. It’s still costing companies a lot of money. More needs to be done to protect individual’s data, don’t you think?

It’s a really useful report by the Ponemon Institute for IBM.

There will be more details from the report next time.

Perhaps not the best way to deal with a data leak

I’ve written and spoken about security many times, but usually I have been suggesting to people what they might consider doing or not doing in order to keep their data safe. Even if everyone took my advice, I would still be worried whether they were completely secure because it’s a continual arms race between the hackers and the large organizations that use mainframes to maintain their security and keep their data safe. New software updates are installed that might contain previously-unknown backdoors. Patches to lock those back doors aren’t always installed quickly enough, so bad actors can use them. Staff members still click on attachments to emails that trigger malware, or they click on links and receive unexpected drive-by malware on their laptops. And there are numerous other ways that the bad actors can get onto your mainframe including, probably, new ones that most of us haven’t heard of yet!

But once you have been hacked, once the bad actors have accessed your computers, exfiltrated your data, encrypted your copy of the data, and left a ransom demand, what should you do? Let’s take a look at how one company dealt with a massive loss of data. It’s been in the news, so I don’t feel I need to keep its name secret, it’s NTT Data Romania.

NTT – Nippon Telegraph and Telephone – was established as a state monopoly in 1952 to take over the Japanese telecommunications system that was being operated by AT&T. NTT was privatized in 1985 to encourage competition in the country's telecom market.

NTT Data is a Japanese multinational information technology service and consulting company that originated in 1988. It is a partly-owned subsidiary of NTT. It acquired Keane Inc in 2010 and Dell Services in 2016, and other international companies. NTT Data mainly services non-NTT Group companies. NTT Data Romania was formed in 2000.

That’s a little bit of the company’s history. So, why am I discussing it as something we could all learn from in terms of a cyberattack?

RansomHub, the ransomware group, claimed that they had exfiltrated (stolen) 230GB of sensitive data from the company during an attack that was first detected on 14 June. The bad actors set a ransom deadline of 5 July or else they would publish the data they had stolen.

So, what would your company do if it happened to you? Would you alert your chief financial officer to get ready to pay out a huge amount of money in compensation and fines? Or would you decide to keep quiet about everything? NTT DATA Romania officially denied that a ransomware attack took place. They said in a statement to Romania Journal, “No ransomware attack. While there has certainly been some suspicious activity detected relating to a legacy server, the quick response taken by our security team prevented any further damage.

“On 14th June, suspicious activity was detected by our security monitoring team on a legacy server, separate from our corporate network. We immediately activated our Incident Response protocols and rendered the entire environment completely inaccessible and inactive.

“Additional measures to mitigate any further risk and protect the data of our customers were also activated. At this time, there is no visibility that client data has been affected.

“We are conducting an in-depth investigation into the situation and take the security of our client data very seriously.”

Who, within an organization, do you think would decide to keep quiet about a ransomware attack? In this case, three internal messages were sent by the CEO, Maria Metz, on 17, 18, and 24 June. Apparently, the first message confirmed the penetration and compromise of several platforms and services, and asked employees not to come to the company's offices, because they wouldn’t be able to access the data networks. Employees were also asked not to tell anyone outside the company about this crisis, including customers, suppliers, partners, the press, or other people.

You might call me cynical, but I don’t think that plan is going to work, do you? People naturally talk – especially when everyone asks them why they’ve not gone into the office.

With what you’ve seen already, you’ll not be surprised that the company denied the severity of the situation. In response to that, the hackers posted samples of the data, which apparently includes accounting, financial planning, and internal documents of every type and purpose. There’s also personal and recruitment data, project and business data, backup files, client and financial data, as well as legal documents.

You might be thinking, “poor old NTT Data”, but NTT companies seem to be having a bad time recently. NTT West’s president Masaaki Moribayashi resigned in March, following the leak of data relating to 9.28 million customers, which became known in October last year. And now NTT Data Romania in June this year.

I guess no-one wants to publicize their failings, and organizations are the same. However, there comes a time when the optics of owning up and taking steps to remediate the problem and appease the customers whose data has been stolen seems a better approach than trying to deny anything happened and asking staff to keep silent. I’m sure any stranger standing in the middle of a local supermarket or bar could have gathered the who story quickly enough by listening to what people were chatting about.

The other thing is that if your organization is hacked and you fix the problem, and then tell every similar organization how they could be hacked and what they need to do to prevent the same problem occurring to them, you now seem like one of the good guys, don’t you think?

The NTT West hack was, it’s claimed, an inside job. If NTT Data Romania’s was also an inside job, it should make senior staff wonder about the culture within their organization, and the quality and dedication of the staff working for that organization – including in senior management. Customers of NTT Data Romania must be waiting to for their information to start turning up of the dark web, and are probably discussing with their lawyers what sort of compensation they should be demanding from the company. And at the back of their minds, they must be wondering, if NTT Data Romania is keeping quiet about something big like a data loss on this scale, what else is it not telling them?