IBM Security reported on July 28 that the average cost of recent data breaches was $4.24 million per incident, the highest cost ever recorded by the company in 17 years of tracking the metric. Notably, data breaches in the U.S. were by far the costliest, exceeding $9 million per incident on average.
The findings were among several insights exposed through a global study of data breaches conducted by the independent Ponemon Institute, an analysis group known for its empirical studies. Researchers reviewed data breaches experienced by 537 organizations between May 2020 and March 2021. The incidents occurred in 17 countries and across various industries.
“We see the number, in general, tick up across the years—some years a little bit higher, some years a little lower—but in general, the trend has been the numbers increase over time,” IBM Cyber Threat Intelligence Expert Charles DeBeck told POWER during an exclusive interview. “I would still say that it was a pretty significant increase year over year here.”
Surprisingly, the average cost of data breaches in the Energy industry declined from $6.39 million per incident in the 2020 report to $4.65 million per incident this year. Still, Energy ranked fifth highest of the 17 industries tallied in the study.
Remote Work Adversely Affects Cost
Among the reasons DeBeck cited for higher costs overall this year compared to last was the increased number of people working from home as a result of COVID-19. In fact, the study found the cost to be $1.07 million higher on average for incidents in which remote work was a factor behind the breach compared to those in which it was not.
“We saw a significant increase for organizations that were breached after having gone through a significant remote work transition during the pandemic,” he said. “I think that was a really interesting component that I think was probably one of the leading factors that really pushed the overall data breach cost higher this year, among other factors.”
IBM said many businesses were forced to quickly adapt their technology approaches last year, with many companies encouraging or requiring employees to work from home, and 60% of organizations moving further into cloud-based activities during the pandemic. The findings suggest that security may have lagged behind these rapid IT changes, hindering organizations’ ability to respond to data breaches.
“One of the key reasons here was possibly because organizations needed to stand up a lot of infrastructure and a lot of capability very, very quickly with remote work. So, this wasn’t something where organizations sat back and thought to themselves, ‘Well, let’s do remote work slowly and safely.’ They pretty much said, ‘Okay, you’ve got a week, set up everything you can set up as quickly as possible, because nobody’s coming to the office starting on Monday,’ ” DeBeck explained. “For a lot of organizations, that sort of high-speed infrastructure and distributed capability setup led to security doing the best they could, but ultimately, really struggling to keep up with the massive changes that organizations faced.”
Compromised Credentials Lead to Data Breaches
The study found that stolen user credentials were the most common root cause of malicious breaches. Additionally, customer personal data, such as names, email addresses, and passwords, were the most common types of information exposed in data breaches, with 44% of breaches including this type of data. IBM suggested the combination of these factors could cause a spiraling effect, with breaches of user names and passwords providing attackers with leverage for additional future data breaches.
“Organizations have started to realize that credentials are a major issue,” DeBeck said. “We’re really seeing a shift more broadly that organizations now are recognizing it’s really tough to keep your credentials protected and secure across the board, and you’re better off assuming that some amount of credentials are going to be lost, but minimizing the value of those credentials if they’re compromised. Multi-factor authentication is a great method here. Zero-trust, I think, is the other key idea here—making it so that even if somebody is able to get credentials for one machine, they’re not able to use that machine to leverage it into access throughout the organization based on zero-trust foundation relationships, making it so that the organization protects itself, not only from external aggression, but also from compromised internal machines or devices.”
Time to Detect Breaches Increased, AI Could Help
The study found the average time to detect and contain a data breach was 287 days (212 to detect, 75 to contain), which was one week longer than in the 2020 report. Notably, the time to identify and contain breaches has increased every year since 2017.
However, artificial intelligence (AI) and security automation can help reduce the time to detect and contain breaches, and cut their costs. In fact, having a fully deployed security automation system was found to reduce the average cost of breaches by almost a third, to $2.90 million per incident.
“The idea here is that artificial intelligence is really helpful in looking at large datasets, and disparate datasets, and finding correlations or potential areas of interest that would be challenging for a human to do,” DeBeck explained. He said AI can quickly assess a large number of data points and flag items that should be more closely evaluated by an expert. “Then, you can have a human with actual eyes on panel and hands on keyboard go through those instances and say, ‘Okay, this matters, this doesn’t. Here’s what I need to flag. Here’s what I can ignore.’ And so, artificial intelligence helps drive those operations more quickly, so that actual humans can do their job more effectively.”
Automated security orchestration is another component that can make a difference. “Automation can actually factor into both components—both in the identification component, as well as the containing component,” said DeBeck. He explained that automated components can insert mitigation measures, so breaches get addressed promptly, almost in real time. When alerts are sent to a person for resolution, the process of mitigating the breach can be delayed while the individual responsible for taking action is off duty or tackling other work-related matters. An automated system, meanwhile, is normally available and ready to act around the clock. “I think that’s the big advantage of automation is it speeds up both identification and containing of potential breaches,” DeBeck said.
—Aaron Larson is POWER’s executive editor (@AaronL_Power, @POWERmagazine).