Businesses confess: We pass cyberattack costs onto customers
Cover an average of $4.4 million per raid ourselves? No chance, mate
The costs incurred by organizations suffering data losses continue to go up, and 60 percent of companies surveyed by IBM said they were passing them onto customers.
According to Big Blue, the average cost of a data breach worldwide rose almost 13 percent over the past two years, hitting an all-time high of $4.35 million. In addition, the effects of those attacks are widespread and lingering, Big Blue revealed in its annual Cost of a Data Breach Report, released on Wednesday.
About 83 percent of the 550 organizations around the world studied for the report have been hit with more than one data breach during their existence, and the impact of those incidents can ripple outward in time. Almost 50 percent of the costs of a breach are incurred more than a year after the incident, IBM found.
Such numbers show not only that a given organization will likely sustain a data breach, but that when it hits, it's going to be costly. Given that, orgs need to take a more proactive approach to protecting their businesses before an attack, according to Charles Henderson, global head of IBM Security X-Force.
"It's time to stop the adversary from achieving their objectives and start to minimize the impact of attacks," Henderson said in a statement.
"The more businesses try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost of living increases. This report shows that the right strategies coupled with the right technologies can help make all the difference when businesses are attacked."
Inflation hitting everywhere
IBM's report echoes findings of other companies and government agencies about the financial toll that cyberattacks have on their victims.
Hank Schless, senior manager of security solutions network security vendor Lookout, told The Register it's not surprising that the cost of data breaches continues to rise.
"The value of sensitive data is increasing, and as a byproduct of that the long-term damage to a company that experiences a breach is getting ever more costly," Schless said. "The numbers found in this report should be a wake-up call to anyone who thinks data security and infrastructure integrity can take a back seat to other priorities."
- JPMorgan, UBS among trio accused of shoddy ID theft protection
- Computer glitches harmed 'nearly 150' patients after Oracle Cerner system go-live
- Deploying disaster-proof apps may be easier than you think
- Infosec not your job but your responsibility? How to be smarter than the average bear
Brad Hong, customer success manager for cybersecurity company Horizon3ai, laid a lot of the blame at the feet of the organizations, telling The Register that the warning signs about data breaches have been flashing red for the last decade.
"While everyone in the industry now operates, or should operate, under the impression of when – not if – they will be breached, I have to wonder what these 550 organizations were doing," Hong said.
He also pointed to the part of IBM's report that showed 60 percent of organizations IBM studied raised the prices of their products or services due to the data breach, noting that there likely were some companies that put time and money into protecting against attacks.
"But for those who did nothing – those who, instead of creating a disaster recovery plan, just bought cyber insurance to cover the org's operational losses, and those who simply didn't care enough to heed the warnings – it's the coup de grâce to then pass the cost of breaches to the same customers who are now the victims of a data breach." Hong said.
"I'd be curious to know what percent of the 60 percent of organizations who increased the price of their products and services are using the extra revenue for a war chest or to actually reinforce their security."
Don't bet on it
Among the key findings in the report was that among critical infrastructure organizations – which increasingly are coming under attack, as the Colonial Pipeline and JBS Foods breaches illustrate – 80 percent of those studied haven't yet adopted zero-trust strategies. The average breach costs for those companies rose to $5.4 million – $1.17 million more than those that do use zero-trust.
IBM's study also showed that paying ransomware attackers doesn't substantially help companies. Those that paid only saw $610,000 less in the average cost of an attack and, when combined with the ransom payment itself, the financial hit rose higher. Nicole Hoffman, senior cyber threat intelligence analyst at cybersecurity vendor Digital Shadows, also noted that those organizations that pay the ransom are often targeted again within months, increasing the financial losses even more.
"These factors are important to consider when making the challenging business decision of whether or not to pay," Hoffman told The Register. "For these reasons, prevention is important but cyber-resiliency is key."
The ongoing migration to the cloud also is an issue, according to IBM. About 43 percent of organizations are either in the early stages of applying security practices across their cloud environments or haven't started at all – costing them $660,000 more on average in higher breach costs than those with mature cloud security strategies.
An important metric in the report is that the time it takes for an organization to detect a breach remained at eight months – an indication that detection mechanisms are failing, according to Shawn Surber, vice president of solutions architecture and strategy at cybersecurity firm Tanium.
He told The Register "Ninety-four percent of today's enterprises find at least 20 percent of their endpoints are unprotected, while the many tools sitting on those endpoints adversely affect performance and visibility." He added: "All of [this] contributes to the lack of efficacy of many detection mechanisms. Organizations would be better served by investing in cyber-hygiene tools and threat hunting skills than to keep throwing money at point solutions that continue to fail them."
IBM noted that organizations using security AI and automation technologies had average data breach costs that were $3.05 million less than those that weren't. Such technologies were the largest cost savers seen in the study, Big Blue argued. ®