Data Breach Cost Control: Practice and Preparedness Pay Off
Healthcare Sector Spends Most on Cleanup, IBM's Annual Breach Study Finds
A new IBM study of data breaches found that many of the basics involved in effectively detecting and remediating intrusions remain unchanged. Namely, organizations whose own security teams spot a breach first, and which have well-practiced incident response plans, detect and contain intrusions faster, and faster containment translates directly into lower cleanup costs.
That preparedness pays off is again one of the top takeaways from IBM's latest annual Cost of a Data Breach study - now in its 18th year - which was conducted by the Ponemon Institute and analyzed by IBM Security.
This year's report is based on interviews with 3,475 individuals across 550 organizations that suffered a breach between March 2022 and March 2023.
Across those organizations, the average data breach incident cost $4.5 million, which represents an all-time high and a 15% increase compared to three years ago.
Here are my 10 top takeaways from the study:
- Phishing dominates. When victims identified an attacker's initial attack vector, phishing was most common, accounting for 16% of attacks, followed by stolen or compromised credentials at 15%, cloud misconfiguration at 11% and business email compromise at 9%. In 5% of cases, attackers exploited a known vulnerability that the victim had yet to patch.
- Stolen credentials delay detection. The mean time to identify a breach was 204 days, and the mean time to contain one was 73 days. Those numbers are little changed from previous years. How attackers got in makes a big difference to how long it takes to spot a breach. When attackers wielded stolen or compromised credentials, for example, victims required an average of 240 days to detect the intrusion, about 18% longer than the overall 204-day average, since valid credentials let an attacker blend in with legitimate activity.
- Third-party notification is most common. Neutral third parties, including law enforcement, informed a victim about a breach in 40% of all cases, and attackers disclosed the attack - typically via their ransomware data leak site - 27% of the time. When the breach came to light via attackers, victims reported breach costs that were on average $1 million higher than normal.
- Internal discovery is ideal. The data breach detection ideal is discovery by internal security teams and tools, which IBM said happened in 33% of cases. Such breaches get detected on average in 182 days, versus 203 days for neutral third-party notification and 233 days for notification via an attacker.
- Faster detection is better. No surprise: The longer a breach goes undetected, the more it costs. IBM saw a big inflection point at the 200-day mark. Breaches identified and contained in under 200 days cost an average of $3.9 million to remediate, while those that took longer cost $5 million, which IBM puts at 23% more.
- Healthcare pays most. When it comes to cleanup costs by sector, IBM reports that as in 2022, breached healthcare organizations on average pay the most to identify and remediate a breach. The average healthcare cleanup costs $10.9 million. The cost for financial services is $5.9 million, pharmaceuticals and energy cost $4.8 million and industrial cost $4.7 million.
- Smaller victims' costs are rising fastest. Comparing breach cleanup costs from 2022 to 2023, average costs decreased very slightly for organizations with 5,000 or more employees, but they increased by 20% for midsize organizations and by 15% for smaller firms, which typically have the least budget to absorb them.
- Practice decreases response time. IBM said organizations that it rated as having "high levels of incident response planning and testing" spent an average of $1.5 million less on containing a breach, no doubt in part because they were able to mitigate it more quickly.
- DevSecOps drives savings. Organizations that IBM rated as having high-level DevSecOps practices - that integrate security into their development life cycle - spent on average $1.7 million less to remediate a breach. One likely explanation is that organizations with advanced secure development practices have environments that are more difficult to hack and can more quickly identify and lock down vulnerabilities exploited by attackers.
- Service providers can help. What else helps keep breach costs down? Organizations that work with a managed security service provider - a service IBM sells - identified and contained data breaches in 21% less time, on average. Threat intelligence - also a service IBM sells - helps too. Measured against the overall 204-day average, organizations that use threat intelligence feeds identified breaches 16 days sooner, or in 8% less time, while organizations that did not use threat intelligence took on average 12 days, or 6%, longer to spot a breach - a 28-day gap between the two groups.
One notable omission from IBM's study: The researchers didn't factor in the cost of any ransom a victim might have paid. During the time frame of IBM's study, ransomware incident response firm Coveware reported that of the thousands of cases it helped investigate, victims had paid a ransom between 37% and 45% of the time. Hence the average cost of a breach for some organizations IBM surveyed may have been far greater.
Also, IBM's study found that 18% of breached organizations carry cyber insurance, but it didn't state to what extent that may have directly or indirectly lowered breach costs.
Regardless, the report's findings emphasize that organizations with more advanced security teams, policies and procedures fare best, which should provide impetus for all organizations to get their cybersecurity house in order.