Businesses confess: We pass cyberattack costs onto customers

Cover an average of $4.4 million per raid ourselves? No chance, mate


The costs incurred by organizations suffering data losses continue to go up, and 60 percent of companies surveyed by IBM said they were passing them onto customers.

According to Big Blue, the average cost of a data breach worldwide rose almost 13 percent over the past two years, hitting an all-time high of $4.35 million. In addition, the effects of those attacks are widespread and lingering, Big Blue revealed in its annual Cost of a Data Breach Report, released on Wednesday.

About 83 percent of the 550 organizations around the world studied for the report have been hit with more than one data breach during their existence, and the impact of those incidents can ripple outward in time. Almost 50 percent of the costs of a breach are incurred more than a year after the incident, IBM found.

Such numbers show not only that a given organization will likely sustain a data breach, but that when it hits, it's going to be costly. Given that, orgs need to take a more proactive approach to protecting their businesses before an attack, according to Charles Henderson, global head of IBM Security X-Force.

"It's time to stop the adversary from achieving their objectives and start to minimize the impact of attacks," Henderson said in a statement.

"The more businesses try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost of living increases. This report shows that the right strategies coupled with the right technologies can help make all the difference when businesses are attacked."

Inflation hitting everywhere

IBM's report echoes findings of other companies and government agencies about the financial toll that cyberattacks have on their victims.

Hank Schless, senior manager of security solutions at network security vendor Lookout, told The Register it's not surprising that the cost of data breaches continues to rise.

"The value of sensitive data is increasing, and as a byproduct of that the long-term damage to a company that experiences a breach is getting ever more costly," Schless said. "The numbers found in this report should be a wake-up call to anyone who thinks data security and infrastructure integrity can take a back seat to other priorities."

Brad Hong, customer success manager for cybersecurity company Horizon3ai, laid a lot of the blame at the feet of the organizations, telling The Register that the warning signs about data breaches have been flashing red for the last decade.

"While everyone in the industry now operates, or should operate, under the impression of when – not if – they will be breached, I have to wonder what these 550 organizations were doing," Hong said.

He also pointed to the part of IBM's report that showed 60 percent of organizations IBM studied raised the prices of their products or services due to the data breach, noting that there likely were some companies that put time and money into protecting against attacks.

"But for those who did nothing – those who, instead of creating a disaster recovery plan, just bought cyber insurance to cover the org's operational losses, and those who simply didn't care enough to heed the warnings – it's the coup de grâce to then pass the cost of breaches to the same customers who are now the victims of a data breach," Hong said.

"I'd be curious to know what percent of the 60 percent of organizations who increased the price of their products and services are using the extra revenue for a war chest or to actually reinforce their security."

Don't bet on it

One of the key findings in the report was that, of the critical infrastructure organizations studied – which increasingly are coming under attack, as the Colonial Pipeline and JBS Foods breaches illustrate – 80 percent haven't yet adopted zero-trust strategies. The average breach costs for those companies rose to $5.4 million – $1.17 million more than those that do use zero-trust.

IBM's study also showed that paying ransomware attackers doesn't substantially help companies. Those that paid saw only $610,000 less in the average cost of an attack and, when combined with the ransom payment itself, the financial hit rose higher. Nicole Hoffman, senior cyber threat intelligence analyst at cybersecurity vendor Digital Shadows, also noted that those organizations that pay the ransom are often targeted again within months, increasing the financial losses even more.

"These factors are important to consider when making the challenging business decision of whether or not to pay," Hoffman told The Register. "For these reasons, prevention is important but cyber-resiliency is key."

The ongoing migration to the cloud also is an issue, according to IBM. About 43 percent of organizations are either in the early stages of applying security practices across their cloud environments or haven't started at all – costing them $660,000 more on average in higher breach costs than those with mature cloud security strategies.

An important metric in the report is that the time it takes for an organization to detect a breach remained at eight months – an indication that detection mechanisms are failing, according to Shawn Surber, vice president of solutions architecture and strategy at cybersecurity firm Tanium.

He told The Register: "Ninety-four percent of today's enterprises find at least 20 percent of their endpoints are unprotected, while the many tools sitting on those endpoints adversely affect performance and visibility." He added: "All of [this] contributes to the lack of efficacy of many detection mechanisms. Organizations would be better served by investing in cyber-hygiene tools and threat hunting skills than to keep throwing money at point solutions that continue to fail them."

IBM noted that organizations using security AI and automation technologies had average data breach costs that were $3.05 million less than those that weren't. Such technologies were the largest cost savers seen in the study, Big Blue argued. ®
