While it is an open secret that employees’ accounts and computers are the endpoints cybercriminals use to hack organizations and companies, the latest report from IBM Security puts a price tag on such incidents: $3.86 million per breach on average.
Sponsored by IBM Security and conducted by the Ponemon Institute, the “2020 Cost of a Data Breach Report” is based on in-depth interviews with more than 3,200 security professionals in organizations that suffered a data breach over the past year. The study found that there were over 8.5 billion records exposed in 2019 with attackers using previously exposed emails and passwords in one out of five breaches studied.
The IBM report also found that 40% of malicious incidents were rooted in stolen or compromised credentials and cloud misconfigurations, mostly from employees.
Security complexity, according to IBM, is also a top breach factor, and it doesn’t help that companies are struggling with it, which might be contributing to “cloud misconfigurations becoming a growing security challenge.”
The 2020 report revealed that attackers used cloud misconfigurations to breach networks nearly 20% of the time, increasing breach costs by more than half a million dollars to $4.41 million on average, making it the third most expensive initial infection vector examined in the report.
“At a time when businesses are expanding their digital footprint at an accelerated pace and security industry’s talent shortage persists, teams can be overwhelmed securing more devices, systems, and data,” said Wendi Whitmore, VP, IBM X-Force Threat Intelligence. “Security automation can help resolve this burden, not only enabling a faster breach response but a significantly more cost-efficient one as well.”
The report also found that the most resilient businesses have security postures in place and know how to execute their own playbook. Companies in the study with fully deployed security automation also reported significantly shorter response times to breaches, another key factor shown to reduce breach costs in the analysis.
The report found that AI, machine learning, analytics, and other forms of security automation enabled companies to respond to breaches over 27% faster than companies that have yet to deploy security automation — the latter of which require on average 74 additional days to identify and contain a breach.
Incident response (IR) preparedness also continues to heavily influence the financial aftermath of a breach. According to the report, companies with neither an IR team nor testing of IR plans experience $5.29 million in average breach costs, whereas companies that have both an IR team and use tabletop exercises or simulations to test IR plans experience $2 million less in breach costs – reaffirming that preparedness and readiness yield a significant ROI in cybersecurity.
Even when breaches are traced to employees’ endpoints, 46% of respondents said that chief information security officers and/or chief security officers must be held responsible for the breach, despite only 27% stating that these officers are the security policy and technology decision-makers. The report found that appointing a CISO was associated with cost savings of $145,000 compared with the average cost of a breach.
The report found that breaches at studied organizations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million. Of these organizations that used their cyber insurance, 51% applied it to cover third-party consulting fees and legal services, while 36% of organizations used it for victim restitution costs. Only 10% used claims to cover the cost of ransomware or extortion.
While the United States continued to experience the highest data breach costs in the world, at $8.64 million on average, the report found that Scandinavia experienced the biggest year-over-year increase in breach costs, observing a nearly 13% rise. Healthcare continued to incur the highest average breach costs at $7.13 million, an over 10% increase compared to the 2019 study.