IBM: Cost of an enterprise data breach hit post-pandemic high

The average cost of a data breach has hit a record $4.88 million – a 10% increase from 2023 and the largest jump since the pandemic.

That’s according to IBM’s 2024 Cost of a Data Breach Report, which analyzed breaches that hit 604 organizations worldwide between March 2023 and February 2024, drawing on interviews with 3,556 security and business professionals. The 19th annual edition of the report, conducted by Ponemon Institute, found that several key issues directly drove the rising costs – including the growing use of multi-environment, highly distributed on-premises, private cloud and public cloud resources, as well as the staff shortages facing many security teams across the globe.

A rise in the cost of lost business, including operational downtime and lost customers, and the cost of post-breach responses, such as staffing customer service help desks and paying higher regulatory fines, drove this increase. Taken together, these costs totaled USD 2.8 million, the highest combined amount for lost business and post-breach activities over the past 6 years, according to researchers.

For the 14th year, the United States had the highest average data breach cost—$9.36 million—among the 16 countries and regions studied. Rounding out the top 5 were the Middle East, Germany, Italy and Benelux. Notably, Canada and Japan saw average costs drop, while Italy and the Middle East saw significant increases, researchers stated.

“These multi-environment breaches cost more than $5 million on average and took the longest to identify and contain (283 days), highlighting the challenge of tracking and safeguarding data, including shadow data, and data in AI workloads, which can be unencrypted,” wrote IBM Security team member John Zorabedian in a blog post discussing the research results.

“The types of data records stolen in these breaches underscored the growing importance of protecting an organization’s most sensitive data, including customer personal identifying information (PII) data, employee PII, and intellectual property (IP). Costs associated with customer PII and employee PII records were the highest on average,” Zorabedian stated.

Customer PII was involved in more breaches than any other type of record (46% of breaches). IP may grow even more accessible as gen AI initiatives bring this data out in the open. With critical data becoming more dynamic and available across environments, businesses will need to assess the specific risks of each data type and their applicable security and access controls, Zorabedian wrote.

Cisco’s networking trends report from last year points the same way: it found that 92% of organizations had deployed two or more public cloud providers to host their workloads, and 34% were using more than four.

“However, each public cloud service provider, private data center, and hybrid cloud environment uses different network and security operational models. Organizations need to address the resulting management complexity with a strategy that enables better visibility and more consistent control of connectivity and security across disparate private and public cloud environments,” Cisco stated.

Looking ahead to two years from now, 60% of companies expect to have an integrated multicloud networking and security management platform with common APIs for secure workload mobility, network and application visibility, and policy management, Cisco stated.

As for staff shortages, the problem continues to grow, Zorabedian wrote.

“53% of organizations are facing a high-level skills shortage, up 26% from 2023. The industry-wide skills shortage could be expensive for organizations. Those with severe staffing shortages experienced breach costs that were $1.76 million higher on average than those with low-level or no security staffing issues,” Zorabedian wrote.

At the same time, staffing shortages may ease somewhat, as businesses reported that they intend to increase security investments as a result of the breach. Planned investments include threat detection and response tools such as SIEM, SOAR and EDR, according to the report. Organizations also plan to increase investment in identity and access management and data protection tools.

The staff shortages, however, may be driving large organizations to turn to AI and security automation to fill the gap and reduce breach costs, Zorabedian wrote.

More organizations are adopting AI and automation in their security operations, up 10% from the 2023 report. And most promising, the use of AI in prevention workflows had the highest impact in the study, reducing the average cost of a breach by $2.2 million, compared to organizations that didn’t deploy AI in prevention, Zorabedian stated.

“Two out of three organizations in the study deployed AI and automation technologies across their security operations center,” Zorabedian wrote. “This factor may also have contributed to the overall decrease in average response times – those using AI and automation saw their time to identify and contain a breach lowered by nearly 100 days on average.”

Only 20% of organizations said they are using gen AI security tools, yet those that did saw a positive impact, with gen AI security tools shown to mitigate the average cost of a breach by more than $167,000, Zorabedian wrote.

Some other noteworthy findings from the IBM report include:

  • Stolen credentials topped initial attack vectors – At 16%, stolen/compromised credentials was the most common initial attack vector. These breaches also took the longest to identify and contain of any vector, at 292 days (nearly 10 months). Other attacks that exploit employees and their access likewise took a long time to resolve: phishing breaches lasted an average of 261 days, and social engineering attacks an average of 257 days.
  • Malicious insiders were the costliest vector – Compared with other vectors, malicious insider attacks resulted in the highest costs, averaging $4.99 million. Other expensive attack vectors included business email compromise, phishing, social engineering, and stolen or compromised credentials.
  • Fewer ransoms paid when law enforcement is engaged – Most ransomware victims (63%) that involved law enforcement avoided paying a ransom. Those organizations also lowered the cost of the attack by an average of nearly $1 million compared with those that did not involve law enforcement, excluding the cost of any ransom paid. Involving law enforcement also shortened the time required to identify and contain a breach from 297 days to 281 days.
  • Critical infrastructure organizations see highest breach costs – Healthcare, financial services, industrial, technology and energy organizations incurred the highest breach costs across industries. For the 14th year in a row, healthcare participants saw the costliest breaches of any industry, with average breach costs reaching $9.77 million.

Source: Network World