Consequences of Data Breach: Understanding the Cost of Insecurity

By RV Raghu

Data breaches today are a dime a dozen, yet the cost of a single breach can run into the millions. On the surface, a data breach may look like a simple failure of an enterprise's security controls, but the rot may be wide and deep. A closer look often reveals not just a failure of controls but also costs that extend well beyond the incident itself.

The 2023 Cost of a Data Breach Report published by IBM and the Ponemon Institute found that the average cost of a data breach reached an all-time high of USD 4.45 million in 2023. The same report found that 51% of organizations were planning to increase security investments because of a breach, which may sound like putting the cart before the horse. Two other findings stood out: only one-third of companies discovered the breach through their own security teams, and 82% of breaches involved data stored in the cloud (public, private, or multiple environments). Both are important to consider in the current context of most enterprises.

There are whispers of cyber spending fatigue that are putting a damper on budgets, and at the same time there is breakneck adoption of newer technologies – technologies that are yet to be proven, that harbour hidden threats, or that, like artificial intelligence (AI), are not fully understood. Another thing to consider is the mean time to identify (MTTI), i.e. the time from when an adversary infiltrates the enterprise network, and remains inside reconnoitring the network and its data, until they are discovered, which currently stands at a whopping 204 days.

Apart from the direct costs of responding to the breach, the reputational costs are the highest and have the longest-lasting impact on an enterprise, affecting existing customers and casting a long shadow into the future, raising the cost of acquiring new customers and eroding goodwill. There is the regulatory cost as well, which includes fines and other monetary charges imposed by the regulatory agency, and the costs of remediation over time, such as compensation and credit protection. Next, there is the cost of the notification itself, which includes the activities that enable the enterprise to notify data subjects, regulators and other third parties.

Other direct costs include:

  • Detection and escalation costs
  • Forensic and investigative activities
  • Assessment and audit services
  • Crisis management
  • Communications to executives and boards

Other costs, often unquantified, include revenue and business losses, such as the cost of being unable to conduct business in the aftermath of a ransomware or denial-of-service attack.

The IBM and Ponemon Institute report also identified phishing and stolen or compromised credentials as the two most common initial attack vectors, pointing to the need for a mix of technical and people-oriented measures aimed at tackling breaches, and strengthening teams and tools used to identify breaches.

Enterprises should invest in training and skilling/up-skilling their teams to watch various parameters and identify anomalous trends and behavior that may point to a breach. ISACA's State of Cybersecurity 2023 report indicated a widening security skills shortage, pointing to the need for increased skill building. Training would reduce the likelihood of phishing and similar attacks succeeding, thereby reducing breaches. Per the IBM and Ponemon report, 40% of breaches were identified and reported by benign third parties, such as security researchers, pointing to the need for better relationships with them and to the potential of bug bounty programs to further support early identification of issues.

Enterprises would also find it useful to strengthen incident response practices, since this builds the response-related actions into organizational muscle memory, making things easier when the real thing happens. Encryption might also help protect the crown jewels by making them harder to access, so that even in the event of a breach or of compromised and exposed credentials, the actual data may remain inaccessible. Enterprises would do well to leverage AI and machine learning technologies to parse and sift through data from multiple sources in order to identify breaches earlier and act on them, minimizing impact.
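The article's two detection themes, teams trained to spot anomalous login behavior and tooling that sifts authentication data for signs of the stolen-credential vector the report highlights, can be made concrete with a small log-analysis routine. The following is an added example written for this page, not code from the article or from IBM, Ponemon or ISACA; the log format, the account and address values, and the thresholds (five failures within ten minutes, a baseline of previously seen source addresses) are constructed assumptions, not figures from the report.

```python
"""Flag login patterns that may indicate compromised credentials.

Added example for illustration; the log format, sample accounts,
addresses and thresholds below are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed format:
# "<ISO timestamp> <success|failure> user=<account> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 success user=alice src=10.0.0.5
2024-03-01T08:05:12 success user=bob src=10.0.0.7
2024-03-01T22:10:00 failure user=alice src=203.0.113.9
2024-03-01T22:10:03 failure user=alice src=203.0.113.9
2024-03-01T22:10:06 failure user=alice src=203.0.113.9
2024-03-01T22:10:09 failure user=alice src=203.0.113.9
2024-03-01T22:10:12 failure user=alice src=203.0.113.9
2024-03-01T22:10:20 success user=alice src=203.0.113.9
2024-03-02T09:00:00 success user=bob src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one bad line stop the whole review
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events, before):
    """Known-good source addresses per account, taken from successes before a cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < before:
            baseline[e["user"]].add(e["src"])
    return baseline


def detect_suspicious_logins(events, baseline, fail_threshold=5,
                             window=timedelta(minutes=10)):
    """Return (user, src, reason) findings from two simple checks:

    1. a burst of at least `fail_threshold` failures for one account and
       source within `window`, followed by a success from that source
       (credential guessing that eventually worked);
    2. a success from a source address not in the account's baseline
       (a possibly stolen credential used from an unfamiliar location).
    """
    findings = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            recent_failures[key].append(e["ts"])
            # keep only failures still inside the sliding window
            recent_failures[key] = [t for t in recent_failures[key]
                                    if e["ts"] - t <= window]
            continue
        fails = [t for t in recent_failures.get(key, []) if e["ts"] - t <= window]
        if len(fails) >= fail_threshold:
            findings.append((e["user"], e["src"],
                             "success after %d failures in %s" % (len(fails), window)))
        if e["src"] not in baseline.get(e["user"], set()):
            findings.append((e["user"], e["src"], "success from source not in baseline"))
        recent_failures.pop(key, None)  # a success resets the failure streak
    return findings


def run_sample():
    """Apply both checks to the constructed log; the first day's morning is the baseline."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, datetime.fromisoformat("2024-03-01T12:00:00"))
    return detect_suspicious_logins(events, baseline)


if __name__ == "__main__":
    for user, src, reason in run_sample():
        print(f"ALERT user={user} src={src}: {reason}")
```

On the constructed log, only the evening activity against the `alice` account is flagged, once for the failure burst that ends in a success and once because the source address was never seen for that account before. The same two checks applied across many systems, with the baseline learned from weeks of data rather than a single morning, is the kind of sifting the article has in mind; the thresholds are deliberately simple so that the logic behind an alert stays explainable to the analyst who has to act on it.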

Last but not least, it is imperative for enterprises to build a culture of cybersecurity so that, from the top down, the message is clear that breaches are a risk to the very survival of the enterprise and that constant attention is required. For long-term success, enterprises should pursue a mix of technical and non-technical measures aimed at bridging the skills gap, so that when an incident occurs they are able to get back to business as usual quickly and at minimum cost.

(The author is RV Raghu, ISACA India Ambassador; Director, Versatilist Consulting India Pvt Ltd, and the views expressed in this article are his own)