Sunday, 11 August 2024

The cost of a data breach 2024

I do seem to be banging on about security recently, but it really is so important. No-one wants to find that their personally identifiable information has been stolen and is currently being shared all over the dark web. And no-one wants to find that their mainframe or other platforms have had all their data stolen and they are looking at massive fines, compensation payments, and loss of customers and future revenue.

But, how do you know exactly how bad things are out there? How do you find out how much it is costing organizations that have been hacked and faced a ransom payment. One answer is the Cost of a Data Breach Report 2024 from IBM. Their headline statistic is that the global average cost of a data breach in 2024 is US$4.88m, which is a 10% increase over last year and the highest total ever. The USA had the highest average data breach cost at US$9.36m. Other countries in top 5 were the Middle East, Germany, Italy, and Benelux (Belgium, the Netherlands, and Luxembourg).

The report also identifies an issue with shadow data, saying that it is involved in 1 in 3 breaches. They suggest that the proliferation of data is making it harder to track and safeguard. Slightly better news is the finding that US$2.22m is the average cost saving for organizations that used security AI and automation extensively in prevention versus those that didn’t.

The USA had the highest average data breach cost at US$9.36m. Other countries in top 5 were the Middle East, Germany, Italy, and Benelux.

Looking in more detail at the report, we find that more than half of breached organizations are facing high levels of security staffing shortages and it’s getting worse. The issue shows a 26.2% increase from the previous year. In cash terms, that corresponded to an average US$1.76m more in breach costs. The report goes on to say that even as 1 in 5 organizations say they used some form of gen AI security tools, which are expected to help close the gap by boosting productivity and efficiency, this skills gap remains a challenge.

Many organizations trust their all the employees, and yet the report says that the average cost of a malicious insider attack is now US$4.99m. The report says that compared to other vectors, malicious insider attacks resulted in the highest costs but were only 7% of all breach pathways. Other expensive attack vectors were business email compromise, phishing, social engineering, and stolen or compromised credentials.

Phishing and stolen or compromised credentials ranked among the top 4 costliest incident types. Compromised credentials topped initial attack vectors. Using compromised credentials benefited attackers in 16% of breaches. Compromised credential attacks can also be costly for organizations, accounting for an average US$4.81m per breach. Phishing came in a close second, at 15% of attack vectors, but in the end cost more, at US$4.88m. Gen AI may be playing a role in creating some of these phishing attacks. For example, gen AI makes it easier than ever for even non-English speakers to produce grammatically correct and plausible phishing messages.

Watching TV and movies might make you think that breaches are usually discovered fairly promptly and dealt with the next day. Sadly, the report found that breaches involving stolen or compromised credentials took the longest to identify and contain of any attack vector. That was 292 days. Similar attacks that involved taking advantage of employees and employee access also took a long time to resolve. For example, phishing attacks lasted an average of 261 days, while social engineering attacks took an average of 257 days.

The good news is that the average time to identify and contain a breach fell to 258 days, reaching a 7-year low, compared to 277 days last year. The report points out that this global average of mean time to identify (MTTI) (194 days) and mean time to contain (MTTC) (64 days) excludes Benelux because, as a new region in the study, it was having outsized influence and skewed results much more than the average.

Ransomware victims that involved law enforcement ended up lowering the cost of the breach by an average of nearly US$1m, although that excludes the cost of any ransom paid. Involving law enforcement also helped shorten the time required to identify and contain breaches from 297 days to 281 days.

The industrial sector experienced the costliest increase of any industry, rising by an average US$830,000 per breach over last year. This cost spike could reflect the need for industrial organizations to prepare for a more rapid response, because organizations in this sector are highly sensitive to operational downtime. However, the time to identify and contain a data breach at industrial organizations was above the median industry, at 199 days to identify and 73 days to contain.

Healthcare is still the costliest in terms of a data breach at US$9.77m, but that was down from US$10.93 in 2023. Financial is the second costliest sector at US$6.08m this year, with Industrial third with an average cost of US$5.56m.

Nearly half of all breaches (46%) involved customer personal identifiable information (PII), which can include tax identification (ID) numbers, emails, phone numbers, and home addresses. Intellectual property (IP) records came in a close second (43% of breaches). The cost of IP records jumped considerably from last year, to US$173 per record in this year’s study from US$156 per record in last year’s report.

The costs from lost business and post-breach response rose nearly 11% over the previous year, which contributed to the significant rise in overall breach costs. Lost business costs include revenue loss due to system downtime, and the cost of lost customers and reputation damage. Post-breach costs can include the expense of setting up call centres and credit monitoring services for impacted customers, and paying regulatory fines.

Worryingly, 45% of all breaches were caused by IT failures or human error. The breakdown is 23% are due to IT failure and 22% are due to human error.

Interestingly, security teams and their tools detected breaches 42% of the time. Benign third parties detected the breach 34% of the time, and attackers themselves identified the breach 24% of the time. Security teams are getting better at discovering breaches because the 2023 figure for identification was 33% of the time. When a breach was disclosed by an attacker, the average cost was US$5.53m. However, when a security team identified a breach, the average cost was US$4.55m.

Even so, no-one can be complacent. It’s still taking a long time to detect a breach. It’s still costing companies a lot of money. More needs to be done to protect individual’s data, don’t you think?

It’s a really useful report by the Ponemon Institute for IBM.

There will be more details from the report next time.

No comments: