IBM's annual Cost of a Data Breach Report shows the worldwide average cost of a data breach climbing to an unprecedented $4.45 million in 2023, a 15% increase over the past three years.
It was observed that the costs associated with detection and escalation saw a 42% increase in this period, forming the most significant component of breach expenses and reflecting the trend towards more intricate breach inquiries.
As per the report, there is a divide amongst businesses in terms of handling the rising cost and frequency of data breaches. The report highlights that although 95% of the organizations studied have been breached more than once, those experiencing a breach are more likely to transfer incident costs to consumers (57%) than to augment security investments (51%).
AI as a Catalyst
AI and automation greatly influenced the rapidity of breach identification and containment for the organizations studied. Those leveraging AI and automation extensively had a data breach lifecycle that was 108 days shorter in comparison to organizations that have not adopted these technologies (214 days versus 322 days).
Involving law enforcement in ransomware cases was seen to save an average of $470,000 in breach costs among the victims studied, in contrast to those who decided not to involve law enforcement. Nevertheless, 37% of studied ransomware victims chose to exclude law enforcement from ransomware incidents.
Of all the breaches studied, only one third were detected by the organization’s own security team, while 27% were revealed by an attacker. Breaches exposed by the attacker cost nearly $1 million more on average than breaches the organization identified on its own.
The report elucidated that time is a crucial factor in cybersecurity for both defenders and attackers. Early detection and swift response can substantially minimize the impact of a breach. As such, security teams are urged to target their efforts where adversaries are most successful, in order to stop them before they accomplish their goals. Emphasis is placed on investing in threat detection and response strategies that boost the speed and efficiency of defenders, such as AI and automation.
The Rising Cost of Time
The 2023 report states that organizations fully implementing security AI and automation experienced breach lifecycles that were 108 days shorter on average compared to those not adopting these technologies, resulting in significantly lower incident costs.
In fact, organizations that extensively deployed security AI and automation saw nearly $1.8 million lower data breach costs on average than organizations that did not employ these technologies – the largest cost reduction identified in the report.
While attackers have shortened the average time to execute a ransomware attack, nearly 40% of organizations studied have not yet implemented security AI and automation, signaling a substantial opportunity for organizations to enhance detection and response speeds.
Several organizations studied are hesitant to involve law enforcement in a ransomware attack, believing it might complicate matters. For the first time this year, the IBM report scrutinized this issue and discovered evidence to the contrary.
Organizations studied that did not involve law enforcement had breach lifecycles that were 33 days longer on average and incurred approximately $470,000 more in breach costs than those that did involve law enforcement.
Despite law enforcement’s ongoing attempts to collaborate with ransomware victims, 37% of respondents opted out of their involvement. In addition, 47% of ransomware victims studied reportedly paid the ransom. This clearly shows that organizations should discard misconceptions about ransomware: paying a ransom and avoiding law enforcement involvement might only lead to higher incident costs and a delayed response.
Breaches Across Environments
Progress has been observed in threat detection and response, as per IBM’s 2023 Threat Intelligence Index. Last year, defenders were more successful in halting ransomware attacks. However, attackers continue to find ways to evade defense systems. Only one in three breaches studied was detected by the organization’s own security teams or tools. In contrast, 27% of such breaches were disclosed by an attacker and 40% were revealed by a neutral third party like law enforcement.
Breaches disclosed by an attacker cost nearly $1 million more than those the organization discovered itself ($5.23 million vs. $4.3 million). Furthermore, breaches exposed by an attacker had a lifecycle almost 80 days longer (320 days vs. 241 days) than breaches identified internally. This indicates that significant cost and time savings can be achieved with early detection, making investments in these strategies worthwhile in the long term.
Data breaches that affected multiple environments like public cloud, private cloud, and on-premises led to higher breach costs ($4.75 million on average), and accounted for 40% of the data breaches studied. This demonstrates that attackers can compromise various environments while escaping detection.
The average cost of a breach in healthcare surged to almost $11 million in 2023, marking a 53% increase since 2020. The 2023 X-Force Threat Intelligence Report notes that cybercriminals have started to make stolen data more accessible to downstream victims. Using medical records as leverage, they intensify pressure on breached organizations to pay a ransom. In fact, customer personally identifiable information was the most frequently breached record type and the most expensive across all industries studied.
Organizations across all industries exhibiting a high level of DevSecOps had a global average data breach cost nearly $1.7 million lower than those with low or no use of a DevSecOps approach. Critical infrastructure organizations saw a 4.5% rise in the average costs of a breach from the previous year, increasing from $4.82 million to $5.04 million – $590K higher than the global average.