IBM’s annual Cost of a Data Breach report, created in conjunction with the Ponemon Institute, shows no relief in sight for victims of breaches, with a 10% jump in the global average cost on the year. The highest average cost per incident, $5.17 million, was incurred when the breached data was stored in public clouds.
75% of the cost of data breaches is also now coming from lost business and post-breach response. Defensive automation and AI tools are demonstrating an ability to save money, however, with organizations that have them in place seeing an average $2.22 million in savings when a breach happens.
Cost of data breach report sees rise in “shadow data” issues
This edition of the Cost of Data Breach report surveyed 604 organizations across a broad range of industries and countries; all experienced a data breach involving somewhere between 2,100 and 113,000 records from March 2023 to February 2024. New to the 2024 report is an expanded examination of long-term operational disruptions from attacks, the extent to which organizations are using AI-based tools for defense and response, time taken to restore systems to their pre-breach state, length of reporting time, and whether the breach included “shadow data” stored in unmanaged sources.
The 10% jump in cost is the largest seen since the period following the onset of the Covid-19 pandemic. It appears to be driven mostly by remediation in the wake of the breach, associated customer support and general business disruption. Over half of the surveyed organizations said they are raising prices and passing costs on to the customer to compensate.
The lone piece of good news is that automated and AI-driven tools do appear to be helping substantially with detection and containment of data breaches, reducing the overall lifespan of intrusions and minimizing damage. This is of increasing importance as the cybersecurity workforce continues to experience substantial shortfalls, with the “skills gap” increasing by over 26% since the prior Cost of Data Breach report, an issue that translates into an average $1.6 million in added costs when a breach occurs.
“Shadow data” is one of the new influences tracked by the latest edition of the Cost of Data Breach report, and it was seen in 35% of the surveyed incidents. Shadow data is essentially material that has become invisible to the IT department for one reason or another: it might have been stored inappropriately in an unauthorized cloud service, in an app used by employees, or transferred to a personal device. When shadow data is involved, a breach takes longer to identify and contain and sees a 16% average rise in cost.
The industrial sector saw the largest increase in average data breach cost, a spike of $830,000 compared to the prior year. All industries are still experiencing average recovery times of well over half a year, a situation that is exacerbated when stolen employee credentials are involved. Organizations see improvements of about two weeks in this area when law enforcement is involved, however, as well as an average savings of $1 million.
Gen AI relatively poorly secured, widely used by criminals
While the possibilities for criminals using chatbots like ChatGPT are still fairly limited, the generative AI industry is struggling to keep them out. Gen AI tools are mostly assisting criminals in crafting better-worded and more authentic-looking phishing messages at this point, and are still not considered a serious threat in terms of developing or deploying malware. A prior IBM study referenced by the Cost of Data Breach report found that only 24% of Gen AI initiatives are properly secured.
The report indicates that organizations can have much more confidence in AI-based defensive tools, however. In addition to the cost savings, organizations using these tools reported containing breaches almost 100 days faster on average, a major benefit when average containment times still hover around 250 to 280 days. AI tools may also assist organizations in making the initial discovery of the breach in-house, which now happens 42% of the time (with a third-party research firm making the discovery 34% of the time and the attackers announcing it 24% of the time).
The Cost of Data Breach report finds that 70% of organizations experience “significant” to “very significant” impact from their breaches, most commonly in the form of lost business and operational downtime in addition to the bills racked up by remediation and regulatory penalties.
Unfortunately, there are still not many clear answers for security professionals as the threat landscape continues to expand. Implementing automated machine learning tools and staffing up seem to be the clearest improvements to aim for, but that decision is up to business leaders. Involving law enforcement immediately seems to offer compelling savings, but this is counterbalanced by the fact that operational downtime and recovery is such a huge expense (something that might be avoided by making a ransom payment). At minimum, organizations should be aware that Gen AI tools allow attackers to look and sound like native speakers of their language who are legitimate employees, and that heightened awareness of phishing and social engineering attempts is thus necessary.