One of the main takeaways from IBM's latest annual data breach report, released this week, is that a strong incident response capability can help organizations reduce breach costs by more than 25% on average.
IBM's study of over 500 data breach victims — conducted by the Ponemon Institute — shows that businesses with a formal incident response team and well-tested response plans spent $3.51 million on average on breach costs compared with $4.74 million by those who had neither.
The study shows that organizations on average took 206 days after initial intrusion to first identify a data breach and another 73 days to remediate it. But companies that were able to detect and contain a breach in fewer than 200 days spent $1.23 million less in breach costs.
"When it comes to data breaches, time is money, and the longer it takes to contain and remediate, the longer the organization keeps bleeding, so to speak," says Limor Kessem, global executive security advisor at IBM Security.
The IBM-Ponemon study — now in its 15th year — considered four core categories of expenses when computing breach costs: lost business, detection and escalation, notification, and post-breach, Kessem says.
"We found that lost business has remained the highest cost factor over the past five years," Kessem says. This includes things such as the costs of business disruption, revenue losses from system downtime, damage to a company's reputation, and the cost of lost customers, she says. The global average customer turnover rate caused by a data breach was 3.9%, an increase from last year's rate of 3.4%, she says.
Quick detection and response are critical to reporting the exact scope of a breach, figuring out what might have been compromised, and complying with regulatory breach notification requirements. A fully drilled incident response team can help speed up restoration and repair, Kessem notes.
"[Organizations] are in a better place on reporting and can save costs on everything from operational downtime, employee productivity, and regulatory fines to reputational damage."
Joseph Carson, chief security scientist at Thycotic, says the reason why companies are having a harder time detecting breaches is because attackers are getting better at hiding their tracks by abusing privileged accounts and other measures to remove traceable digital footprints. Many security researchers have noted a recent increase in attacks that employ legitimate remote admin tools and other utilities to hide on a compromised network for extended durations.
"A strong incident response plan can be useless if you're not actively threat hunting" as well, Carson says.
The IBM-Ponemon study shows that other measures could help organizations reduce breach costs, too. Companies that had deployed security automation technologies, for instance, generally spent just half of what organizations without such tools spent on a data breach. Similarly, total breach costs were about $360,000 lower on average for companies that employed encryption effectively.
"Encryption, business continuity management, DevSecOps, and threat intelligence sharing are cost mitigators, while cloud migration, IT complexity, and third-party breaches are major cost amplifiers," says Jonathan Deveaux, head of enterprise data protection at comforte AG.
Increasingly, companies are talking about a "cloud-first" strategy for some projects and about "multicloud" configurations, involving the use of AWS alongside Azure or Google Cloud, Deveaux says. "What this means from a data security perspective is that there are more attack vectors that leave organizations susceptible to data breaches."
As in previous years, the latest IBM-Ponemon report shows that data breach costs are continuing to climb for organizations across the board, but none more so than healthcare companies. The global average cost for a data breach is now $3.92 million — or 12% higher than what it was five years ago. For organizations in the US, the average costs are more than double, at $8.19 million.
The data shows that healthcare companies last year spent a stunning $439 per lost record at an average of nearly $6.5 million for a data breach. That figure is some 60% higher than what organizations in any other industry pay for a data breach. "[These] breaches are simply calamitous to organizations in the sector," Kessem notes. It speaks to the need of the healthcare sector to pay more attention to all those cost reduction strategies that extend beyond a security program that's already in place, she says.
The biggest cost factor for breaches in the US stemmed from lost business, such as customer turnover, system downtime, and business disruption. More than half ($4.5 million) of the total cost of a breach in the US, in fact, was tied to lost business — double that for organizations in other countries. "In general, we expect increasing data privacy standards and regulation like GDPR will increase regulatory and compliance costs for companies who experience a breach," Kessem notes.
Generally, data breaches caused by malicious cyberattacks cost businesses in the IBM-Ponemon study about $1 million more on average than data compromises caused by an accident. The data shows the percentage of companies in the study that experienced a malicious external data breach was 51% compared with 42% six years ago. Forty-nine percent of the breaches were caused by human error and system problems and cost victims $3.5 million and $3.24 million on average, respectively.
The study shows that breach costs can escalate sharply depending on the number of records that are breached. The projected final cost for companies in the IBM-Ponemon study that experienced a breach of more than 1 million records — a relatively rare occurrence — was $42 million. The figure skyrocketed to $388 million for breaches involving more than 50 million records.
Significantly, the financial impact of a data breach can last for years, Kessem says. Most organizations incur only about two-thirds (67%) of their data breach costs in the first 12 months. They spend 22% in the second year and the remaining 11% more than two years after the incident.
Such "long-tail" costs tend to be higher in regulated industries such as healthcare, financial services, and energy. A lot of it has to do with the fact that compliance and regulatory processes tend to be complex and often move slower as well. Therefore, fines and legal fees accumulate in the years following a breach, and not in the immediate aftermath of one, she says.