The 2023 Cost of a Data Breach Report came out last week. Conducted for IBM by the venerable Ponemon Institute, the Cost of a Data Breach is the benchmark for studies seeking to quantify the financial risks for organizations that do not properly invest in the tools, training, and implementation of cybersecurity programs. Other studies fall far short of this one because they are not based on the kinds of data that Ponemon works from, nor do they stand up to the rigors of scientific objectivity. For these reasons, it is a report that everyone involved with cybersecurity and data privacy looks forward to each year—present company included.
When the study is published, everyone quickly looks to find out what that one big number is—the overall average cost of a data breach—to see if it is bigger or smaller than the year before. It is an indication as to how well we’re all protecting the data that has been entrusted to us. Spoiler alert! The overall average is up again. In 2022 it was $4.35 million and this year it’s $4.5 million. But the smart money is always on an increase.
Five Key Takeaways
But if all you do is look for that number and plug it into your sales presentations, budget proposals, and press releases, you are missing the point. The Cost of a Data Breach Report offers a lot of data and insights that can help inform cybersecurity strategies and guide the allocation of available resources to the best possible use. Digging deeper for those nuggets is a worthwhile endeavor, and when we read through the report, we found five takeaways that stood out as worthwhile for CISOs, CSOs, or anyone who wants to improve their understanding and practice of cybersecurity strategy. I’ve listed them in order of appearance.
Takeaway #1: Time to identify and contain a data breach by initial attack vector.
On page 21 you’ll find a chart illustrating, on average, the length of time it takes to identify and contain a data breach based on the cause of that breach. Note that when an attacker uses stolen credentials the average time to containment is 328 days—eleven months for a hacker to sniff around, find what they are looking for, and accomplish their mission. At the other end of the spectrum, a system error that results in a breach is usually resolved in 236 days, or just under eight months. Armed with that knowledge, I can look for cost-effective ways to minimize my exposure to simple error (a systems audit or better utilization of available automations) and allocate more resources for investing in things like identity and access management tools.
Takeaway #2: How was a breach identified?
Related to our first takeaway, on page 23 there’s a graph showing that 73% of the time a breach is discovered by a benign third party (40%) or through the breached organization’s own efforts (33%). When an attacker discloses a breach, it is usually because they successfully executed a ransomware campaign and have demanded payment from their victim. This implies there is great value in building a trusted digital supply chain through rigorous due diligence and by establishing and enforcing standards for interacting with third parties. Requiring file encryption and the use of encrypted transport protocols, for example, can minimize the risk of exposure and keep data protected in the event of a breach.
Takeaway #3: Don’t skimp on hiring skilled professionals!
It’s a tight labor market, especially for people with a strong IT security skillset, but that should not be an excuse for a failure to attract and retain staff who possess experience and ability in that area. On page 27 we learn that, while the average cost of a data breach has risen to $4.5 million, organizations lacking IT security professionals paid a premium for not prioritizing cybersecurity hiring, training, and retention, suffering a $5.36 million average data breach cost. Knowing that might help convince HR to prioritize recruitment of good IT security staff.
Takeaway #4: Factors affecting the mean cost of a data breach.
On the next page is one of the more revealing charts, showing how 27 different factors can drive the cost of a data breach up or down. For example, organizations that have adopted a “DevSecOps” approach to IT management saw a nearly $250K lower data breach cost when compared to the average, while those whose security systems were complex and difficult to manage saw costs more than $240K higher than their peers. This page alone is worth the price of admission.
Takeaway #5: The importance of the supply chain.
Finally, on page 36 is more evidence that we should all pay more attention to our digital supply chains. Fifteen percent of organizations studied for the report said their data breaches resulted from a compromised digital trading partner. Worse, when a data breach originates with a digital supply chain partner, the costs are higher and the average time to identify and contain the breach is longer. As with Takeaway #2, the importance of working with excellent trading partners and demanding that others adhere to best practices can’t be overstated. You should expect that the organizations you choose to do business with have invested in strong security tools and operate with excellent security policies.
Kudos for a Worthwhile Study
I hope I’ve given you something to think about and a reason to dig deeper into the 2023 Cost of a Data Breach Report. There’s so much more to discover beyond $4.5 million. Kudos to the Ponemon Institute for creating such a rich and worthwhile study, with so many actionable data points.