by IT Director Luke Bragg
* The figures presented below come from Cost of a Data Breach Report 2022, an annual analysis of data breaches conducted by the Ponemon Institute and published by IBM Security.
The last thing anyone wants to imagine is a data breach happening to their company, but it’s getting to be more common than not that a company will be breached. We’ve talked about the cost of a breach or ransomware in terms of downtime, but that’s only one part of the total cost. By examining the whole picture, you can see what you may be doing that will increase the cost of a breach and what you can do to reduce that cost.
How Much Does a Breach Cost?
If you’ve been lucky enough to have avoided a data breach up to this point, don’t consider your company immune. It’s a matter of when, not if, some nefarious actor attempts to gain access to your data. You might think large companies are more susceptible because they would offer bigger rewards, but cybercrime doesn’t discriminate. Small businesses are more likely to be hit than large ones, since they have fewer resources to defend or recover from an attack.
As of 2022, the global average cost of a data breach is $4.35 million (USD), while the average cost in the United States is $9.44 million. The only thing scarier than that price tag is the fact that on average 83% of breached organizations have had multiple breaches.
With the increasing cost of identifying and recovering from a data breach, it’s important to look at what can make a breach more or less expensive to deal with so you can put up the best defense possible.
Are You Increasing the Cost of a Breach?
One of the most costly parts of a breach is how long it takes to figure out you have one. On average, it takes more than 200 days to identify a breach has occurred. That’s over six months of the bad guys having access to your systems. It takes another 70 days to contain the breach. There are many things that can affect that timeframe, but the fact is the slower you are to find and respond to a breach, the higher the cost.
Security System Complexity
It may seem like more security is better, but that’s not the case. You want effective security, not just a lot of it. When a system is too complex it introduces more room for things to go wrong. Having a hundred security reports is great until you have to sit down and read them all. The more you have the longer it can take to identify a breach has occurred, and the longer someone is in your system, the more it costs you.
The digital world is moving toward the cloud, but cloud migration comes with inherent risks. Cloud services allow flexibility in where a person can work, but the more places it is accessed from, the more points of entry a bad actor can find to infiltrate your systems. If your cloud environment is not configured correctly, your data is vulnerable. Failure to take those new risks into account can be costly. That doesn’t mean you should forgo the cloud altogether, especially if it can help your business run more efficiently, but new security will be needed to compensate for the risks.
On average, there was a difference of over half a million dollars in the cost of a breach between those companies who have fully implemented security in the cloud and those who had no security or were just beginning to implement security measures. Fully implemented security also correlated to breaches being identified and contained over 100 days sooner than those who hadn’t started security measures.
Trying to meet another new regulatory requirement may feel like a chore, but having them in place does more than keep you in compliance with the government. Many of the security features required by various regulations help keep bad actors at bay. Failing to comply, especially in critical infrastructure sectors, has been found to increase the cost of a breach more than $2 million compared to a company that has a higher level of compliance.
How Can You Reduce the Cost of a Breach?
Besides making sure you don’t have the issues listed above, there are other factors that can help reduce the overall cost of data breach.
Security AI and Automation
AI seems to be popping up everywhere, but when it comes to your IT security, AI and automation can save you a lot of money. Automated security protocols that can assist or replace the manual work of checking a variety of security tools, which often can’t share data between them, can help you find and contain breaches much faster. On average, companies with security AI and automation paid half of what companies without these features did to deal with a data breach.
Zero Trust Model
We’ve discussed the basics of a Zero Trust model of IT security before, and it’s something you should discuss with your IT team or managed services provider. Zero Trust means just that: trust no one, including those who’ve successfully logged into your network. It requires users to authenticate their identity as needed to protect your data and your IT systems. That way, if someone does breach your company’s systems, they won’t be able to get to all your data. The average difference in cost between those with and without a Zero Trust framework is $1.5 million.
Incident Response (IR)
A data breach doesn’t have to be a mad scramble to figure out what actions to take. Preparation can make any situation easier to deal with. When you know what to expect and what to do to resolve a problem, you can act swiftly to mitigate the damage. Having an IR Plan and IR Team gives you that preparation. When the worst scenario happens, you’ll be prepared to contain and recover quicker than a company without any plan.
It’s not enough to simply have a plan and dedicated response team, though. Practice makes perfect—or at least better. The IR Team needs to test the IR Plan routinely to make sure everyone knows their role and that there are no gaps in the plan. On average, companies who had an IR Team and regularly tested their IR Plan saved more than 50% compared to companies without either a plan or team in place.
While there’s no foolproof way to stop a breach from happening, having effective IT security systems in place can reduce the financial burden a little. Breach recovery is hard enough, so why not do everything you can to make it easier?