The average cost of a data breach continues to rise as companies deal with the fallout from unauthorized access to, or leaks of, sensitive information. The 2023 edition of IBM’s Cost of a Data Breach Report puts the global average at $4.45 million per breach, a 15 percent increase in just three years. This article delves into the details of IBM’s 2023 report and unpacks some of the most interesting and actionable insights.
Data Breaches: A Brief Refresher
Before getting to the report, it’s worth a reminder that a data breach incident occurs when there is unauthorized access, disclosure, or use of sensitive or confidential information. While often associated with cybercrime and stolen information, data breaches encompass accidental exposure of information as well. Common types of data compromised in breach incidents include:
- Personally Identifiable Information (PII) like names, addresses, Social Security numbers, driver’s license information, and dates of birth that cybercriminals use for identity theft.
- Financial information like credit card numbers, bank account numbers, etc.
- Login credentials, including usernames and passwords for online services like eBay, Amazon, and Yahoo. Compromised credentials are routinely offered for sale on dark web marketplaces, where anyone can buy them with Bitcoin or another cryptocurrency.
- Customer data and user data like purchase history, personal preferences, phone numbers, social media, and behavioral data about user accounts.
The methodology IBM uses to calculate the cost of a breach in its annual report is activity-based. This method accounts for cost factors like detecting the breach, issuing notifications to affected parties, minimizing lost business in the post-breach window, and potential regulatory fines for violations of data protection laws.
Initial Attack Vectors in Data Breaches
The 2023 report presents findings about initial attack vectors organized by both frequency and cost. The two most common initial attack vectors in the analyzed data breaches were phishing and stolen or compromised credentials. Phishing falls under the wider umbrella of social engineering: attacks that use psychological manipulation to trick people into handing over access to systems and user accounts. Stolen credentials let an attacker log in as a legitimate user, so no vulnerability needs to be exploited at all; weak, reused, or guessable passwords make credentials that much easier to compromise in the first place.
Two initial attack vectors that IBM tracked separately for the first time in 2023 are unknown (zero-day) vulnerabilities and known, unpatched vulnerabilities. Although zero-days are far harder to find, they were exploited in a larger share of breaches than known vulnerabilities. Zero-days are typically used by well-resourced attackers such as state-sponsored APT groups, who follow the initial exploit by installing backdoors that give them covert, persistent access to internal communications, trade secrets, and more. The known-vulnerability figure is the more sobering one in practice: those breaches had a patch available and were preventable.
But it’s not just crafty hackers and cybercriminals who cause these security breaches – accidental data loss or lost/stolen devices and cloud misconfiguration were prominent initial attack vectors that led to sensitive data access or data leaks. Robust information security depends equally on technology, process, and user training and awareness to minimize the risk of unintentional data loss or exposure.
Interestingly, when breaking down the cost of a breach per initial attack vector, incidents involving malicious insiders top the list at $4.9 million. These higher costs from insiders covertly stealing or transferring data out of companies likely reflect the fact that attacks from within are harder to detect and contain: the insider already holds legitimate credentials and access, so there is no perimeter break-in to alert on. Digging further into the data, identifying and containing a breach caused by a malicious insider took around 10 months on average.
Main Attack Types in Data Breaches
The initial attack vector describes how systems first get breached or how data first gets compromised. The report also breaks down the types of malicious attack behind the breaches. For 2023, ransomware accounted for 24 percent of malicious attacks that caused data breaches. Threat actors increasingly pair encryption with data theft because stolen data gives them a second lever: they can threaten to publish it, and so demand more money, even from victims that can restore from backups.
The other leading category is what IBM calls “destructive attacks”: attacks whose aim is to render systems inoperable or unusable rather than to extort a ransom. The article groups distributed denial of service (DDoS) attacks that overwhelm servers with traffic here as well. At 25 percent, destructive attacks were seen in slightly more breaches than ransomware, making the two categories roughly equal and together responsible for about half of the malicious attacks in the study.
Data Breach Costs by Industry
Cybersecurity leaders and decision-makers often skip straight to the industry breakdown of IBM’s report to see how the trends look in their own sector. In 2023, the four sectors with the highest average cost per breach were, in order:
- Healthcare
- Financial Services
- Pharmaceutical
- Energy
These results call to mind high-profile data breaches of previous years, such as Equifax in the financial sector, as well as breaches outside these four sectors, like the hotel chain Marriott in hospitality and Verizon in telecommunications.
Reducing the Cost of a Data Breach
Here are some useful takeaways from the report for reducing the cost of a data breach:
- Practicing incident response is vital in minimizing the time to contain a breach and ultimately reducing costs. This means having a dedicated incident response plan along with regular drills to test out and improve its effectiveness.
- Companies that involved law enforcement in ransomware attacks saved an average of $470,000 compared to those that did not. So, it is worth contacting the relevant authorities promptly if ransomware or data exfiltration hits your company.
- Leverage security automation and AI-based user behavior analytics to speed up detection. The report ties breach cost directly to the breach lifecycle: the faster a breach is detected and contained, the less it costs.
- Invest more in employee training and awareness. The 2023 report found a 33.9 percent cost reduction for data breaches at companies with high levels of training and awareness versus those with low levels.
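The insider and detection points above both come down to the same problem: an attacker who already holds valid credentials produces no failed logins or exploit signatures, so the only signal is a change in behaviour. The following is an added example, not code from IBM’s report or from CoSoSys, of the simplest form of user behaviour analytics: build a per-user baseline of daily outbound transfer volume and known destinations from a training window, then flag later days that deviate sharply. The audit records, hostnames, cutoff date and thresholds are all constructed for the illustration.

```python
"""Toy user-behaviour baseline for spotting anomalous outbound transfers.

Added example (not from the IBM report or CoSoSys). All records,
hostnames and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records, one per transfer: user, date, destination host, bytes sent.
SAMPLE_LOG = """\
alice,2023-06-01,files.corp.example,12000
alice,2023-06-02,files.corp.example,14000
alice,2023-06-03,files.corp.example,11000
alice,2023-06-04,files.corp.example,13000
alice,2023-06-05,files.corp.example,15000
alice,2023-06-08,files.corp.example,12500
alice,2023-06-09,drop.external.example,9800000
bob,2023-06-01,files.corp.example,500000
bob,2023-06-02,files.corp.example,450000
bob,2023-06-03,files.corp.example,520000
bob,2023-06-04,files.corp.example,480000
bob,2023-06-05,files.corp.example,510000
bob,2023-06-08,files.corp.example,495000
bob,2023-06-09,files.corp.example,530000
"""

BASELINE_CUTOFF = "2023-06-07"  # records dated on or before this train the baseline (assumed)
Z_THRESHOLD = 3.0               # flag a day whose volume is > 3 standard deviations above normal
MIN_STDEV_RATIO = 0.10          # floor the stdev at 10% of the mean so a flat baseline is not hair-trigger


def parse_log(text):
    """Parse the CSV-style audit text into (user, date, dest, bytes) tuples."""
    records = []
    for line in text.strip().splitlines():
        user, date, dest, nbytes = line.split(",")
        records.append((user, date, dest, int(nbytes)))
    return records


def daily_totals(records):
    """Aggregate bytes per (user, date) and collect the destinations used that day."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for user, date, dest, nbytes in records:
        totals[(user, date)] += nbytes
        dests[(user, date)].add(dest)
    return totals, dests


def build_baseline(records):
    """Per-user mean/stdev of daily volume and the set of destinations seen in the training window."""
    training = [r for r in records if r[1] <= BASELINE_CUTOFF]
    totals, dests = daily_totals(training)
    per_user_days = defaultdict(list)
    known_dests = defaultdict(set)
    for (user, _date), nbytes in totals.items():
        per_user_days[user].append(nbytes)
    for (user, _date), hosts in dests.items():
        known_dests[user] |= hosts
    baseline = {}
    for user, days in per_user_days.items():
        mu = mean(days)
        sigma = max(pstdev(days), MIN_STDEV_RATIO * mu)  # avoid division by ~0 on a very regular user
        baseline[user] = {"mean": mu, "stdev": sigma, "dests": known_dests[user]}
    return baseline


def detect_anomalies(text):
    """Score every post-cutoff day against the baseline; return one alert dict per anomalous day."""
    records = parse_log(text)
    baseline = build_baseline(records)
    totals, dests = daily_totals([r for r in records if r[1] > BASELINE_CUTOFF])
    alerts = []
    for (user, date), nbytes in sorted(totals.items()):
        reasons = []
        z = 0.0
        if user not in baseline:
            reasons.append("no_baseline")  # brand-new identity sending data: worth a look on its own
        else:
            z = (nbytes - baseline[user]["mean"]) / baseline[user]["stdev"]
            if z > Z_THRESHOLD:
                reasons.append("volume")
            if not dests[(user, date)] <= baseline[user]["dests"]:
                reasons.append("new_destination")
        if reasons:
            alerts.append({"user": user, "date": date, "bytes": nbytes, "z": round(z, 1), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

On the constructed log this flags exactly one day: alice’s 2023-06-09 transfer of 9.8 MB to a never-before-seen host, which is hundreds of standard deviations above her 13 KB daily norm, while bob’s consistently large transfers are never flagged because they are normal for him. That per-user normalisation is the whole point: a global byte threshold would either miss alice or drown in alerts about bob. In production the same idea is what a DLP or UEBA product does continuously, with far richer features (file types, time of day, removable media, cloud uploads) and with the ability to block the transfer rather than only alert on it.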
Conclusion
IBM’s 2023 report on data breach costs shows that the upward trend in costs shows no sign of slowing down. Hefty regulatory fines, a more dangerous threat landscape, and the growing value and volume of data all contribute to these rising costs. Organizations in every sector have options available to reduce the cost of data breaches when they do happen.
And lastly, remember that data breaches are not inevitable. Many of these incidents are preventable through appropriate security measures, such as enforcing least-privilege access permissions so that a compromised account or malicious insider can reach only the data it genuinely needs, using Data Loss Prevention (DLP) tools with the functionality to block unauthorized transfers rather than merely log them, and encrypting data at rest and in transit so that stolen data is useless without the keys.
Make data protection a priority with Endpoint Protector by CoSoSys. Our DLP solution works across multiple operating systems to help you discover, monitor, and protect your sensitive data from many of the data security compromises that arise on endpoint systems like employee workstations.