Five Findings from the 2023 IBM Security Cost of a Data Breach Report

by Stephanie Goetz | Oct 20, 2023

I was reviewing the 2023 IBM Security Cost of a Data Breach Report this week and wanted to share some findings I found interesting. This report is published annually and follows organizations of all industries and sizes to find threats and trends from that year. We typically use this report as the source for estimating the cost of a breach for customers in assessing the adequacy of their cyber insurance, among other factors. This year 550 organizations contributed to the study.

  1. Artificial Intelligence (AI) and automation reduced the time to identify and contain breaches by 108 days and, therefore, reduced breach costs by $1.76 million.
    This one was interesting to me because we have heard many reports on how AI can be used by a threat actor to bypass security controls, such as encryption. I like this message because it shows that a tool can be used to help protect us as well. Many do not realize it, but many systems in institutions already use AI, for example, anti-malware, monitoring, and even some core and marketing systems.

  2. Phishing was the most common initial attack vector, followed closely by stolen credentials.
    This has been consistent among many studies this year and for several years past. This, along with the next finding, is very interesting. So, if phishing is still a common threat vector and employee training is still a solid control, how is phishing still an issue? I’d like to see a study on that!

  3. The factors that had the greatest reduction in the cost of a breach:
    • DevSecOps
    • Employee training
    • Incident Response Plan and testing
    • Artificial Intelligence
    • Incident Response Team
    • Encryption

It’s very telling to me that these are a combination of technology, people, and processes because it validates that all three are integral to effective security. DevSecOps being number one is also reinforcing that message.

DevSecOps is an approach to system development that reinforces security throughout the entire system lifecycle, not only the development phase. This includes development, deployment, and operations. So, security is no longer just the responsibility of the security team, but rather the entire organization. I do not see this commonly among financial institutions but do expect to see this increase as many institutions are increasing the use of custom solutions, such as Application Program Interfaces (APIs).

  4. The factors present in the highest breach costs:
    • Security skills shortage
    • Complexity of the security system
    • Noncompliance with regulations

It is sad to see that we still are battling a shortage of trained security professionals. I truly hope that the work we are doing here at Bedel is helping to buck this trend by developing professionals on our team and institutions.

Also, it could be argued that the two that follow are a result of the first. Here’s the thought process: if you don’t understand the threat and controls to mitigate it, the solution tends to be overcomplex. The overcomplexity then makes the control difficult to maintain and therefore ineffective. Ineffective controls just don’t work, resulting in noncompliance and breaches.

  5. Paying a ransom did not significantly reduce the cost of a breach.

Organizations that paid the ransom saved only 2.2% in breach response costs compared with those that did not. Further, this calculation did not include the ransom, so it could be argued that they paid more once the ransom is included.

This is great news because paying the ransom only encourages threat actors to continue this type of attack. Could this be the beginning of the end for ransomware? We will see.

If you would like to dig into the report more, it can be found here: https://www.ibm.com/reports/data-breach?utm_content=SRCWW&p1=Search&p4=43700077724064021&p5=e&gclid=CjwKCAjwp8OpBhAFEiwAG7NaEmgooBeFWqrN1B7GqY5eH7OFL7lNR5s4O70li0EU-RMvEV5XbCpPbBoCar8QAvD_BwE&gclsrc=aw.ds

If some of these trends hit home and you’d like help with your security program, please contact us at support@bedelsecurity.com.
