IBM Security has announced the results of a global study examining the financial impact of data breaches, revealing that these incidents cost companies $3.86 million per breach on average, and that compromised employee accounts were the most expensive root cause. The study is based on in-depth analysis of data breaches experienced by over 500 organisations worldwide; 80 per cent of these incidents resulted in the exposure of customers’ personally identifiable information (PII). Of all types of data exposed in these breaches, customer PII was also the costliest to businesses.
As companies are increasingly accessing sensitive data via new remote work and cloud-based business operations, the report sheds light on the financial losses that organisations can suffer if this data is compromised. A separate IBM study found that over half of employees new to working from home due to the pandemic have not been provided with new guidelines on how to handle customer PII, despite the changing risk models associated with this shift.
Sponsored by IBM Security and conducted by the Ponemon Institute, the 2020 Cost of a Data Breach Report is based on in-depth interviews with more than 3,200 security professionals in organisations that suffered a data breach over the past year. Some of the top findings from this year’s report include:
- Smart tech slashes breach costs in half: Companies that had fully deployed security automation technologies (which leverage artificial intelligence (AI), analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs of those that didn’t have these tools deployed – $2.45 million vs. $6.03 million on average.
- Paying a premium for compromised credentials: In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, businesses saw nearly $1 million higher data breach costs compared to the global average – reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.
- Mega breach costs soar by the millions: Breaches in which over 50 million records were compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 million to 50 million records were exposed cost companies $364 million on average, a cost increase of $19 million compared to the 2019 report.
- Nation state attacks – the most damaging breaches: Data breaches believed to originate from nation state attacks were the costliest, compared to other threat actors examined in the report. State-sponsored attacks averaged $4.43 million in data breach costs, surpassing both financially motivated cybercriminals and hacktivists.
Commenting on the matter, Wendi Whitmore, vice president, IBM X-Force Threat Intelligence, said, “When it comes to businesses’ ability to mitigate the impact of a data breach, we’re beginning to see a clear advantage held by companies that have invested in automated technologies. At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry’s talent shortage persists, teams can be overwhelmed securing more devices, systems and data. Security automation can help resolve this burden, not only enabling a faster breach response but a significantly more cost-efficient one as well.”
Employee credentials and misconfigured clouds – Attackers’ entry point of choice
Stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies in the report, representing nearly 40 per cent of malicious incidents. With over 8.5 billion records exposed in 2019, and attackers using previously exposed emails and passwords in one out of five breaches studied, businesses should rethink their security strategy via the adoption of a zero-trust approach – reexamining how they authenticate users and the extent of access users are granted.
Similarly, companies’ struggle with security complexity – a top breach cost factor – is likely contributing to cloud misconfigurations becoming a growing security challenge. The 2020 report revealed that attackers used cloud misconfigurations to breach networks nearly 20 per cent of the time, increasing breach costs by more than half a million dollars to $4.41 million on average – making it the third most expensive initial infection vector examined in the report.
State sponsored attacks strike heaviest
Despite representing just 13 per cent of malicious breaches studied, state-sponsored threat actors were the most damaging type of adversary according to the 2020 report, suggesting that financially motivated attacks (53 per cent) don’t translate into higher financial losses for businesses. The highly tactical nature, longevity and stealth maneuvers of state-backed attacks, as well as the high value data targeted, often result in a more extensive compromise of victim environments, increasing breach costs to an average $4.43 million.
In fact, respondents in the Middle East, a region that historically experiences a higher proportion of state-sponsored attacks compared to other parts of the world, saw an over 9 per cent yearly rise in their average breach cost, incurring the second highest average breach cost ($6.52 million) amongst the 17 regions studied. Similarly, the energy sector, one of the industries most frequently targeted by nation states, experienced a 14 per cent increase in breach costs year over year, averaging $6.39 million.
Advanced security technologies prove smart for business
The report highlights the growing divide in breach costs between businesses implementing advanced security technologies and those lagging behind, revealing a cost-saving difference of $3.58 million for companies with fully deployed security automation versus those that have yet to deploy this type of technology. The cost gap has grown by $2 million, from a difference of $1.55 million in 2018.
Companies in the study with fully deployed security automation also reported significantly shorter response time to breaches, another key factor shown to reduce breach costs in the analysis. The report found that AI, machine learning, analytics and other forms of security automation enabled companies to respond to breaches over 27 per cent faster than companies that have yet to deploy security automation – the latter of which require on average 74 additional days to identify and contain a breach.
Incident response (IR) preparedness also continues to heavily influence the financial aftermath of a breach. According to the report, companies with neither an IR team nor testing of IR plans experience $5.29 million in average breach costs, whereas companies that have both an IR team and use tabletop exercises or simulations to test IR plans experience $2 million less in breach costs – reaffirming that preparedness and readiness yield a significant ROI in cybersecurity.
Some additional findings from this year’s report include:
- Remote work risk will have a cost: With hybrid work models creating less controlled environments, the report found that 70 per cent of companies studied that adopted telework amid the pandemic expect it will exacerbate data breach costs.
- CISOs faulted for breaches, despite limited decision-making power: 46 per cent of respondents said the CISO/CSO is ultimately held responsible for the breach, despite only 27 per cent stating the CISO/CSO is the security policy and technology decision-maker. The report found that appointing a CISO was associated with $145,000 cost savings versus the average cost of a breach.
- Majority of cyber insured businesses use claims for third party fees: The report found that breaches at studied organisations with cyber insurance cost on average nearly $200,000 less than the global average of $3.86 million. In fact, of these organisations that used their cyber insurance, 51 per cent applied it to cover third-party consulting fees and legal services, while 36 per cent of organisations used it for victim restitution costs. Only 10 per cent used claims to cover the cost of ransomware or extortion.
- Regional and industry insights: While the U.S. continued to experience the highest data breach costs in the world, at $8.64 million on average, the report found that Scandinavia experienced the biggest year over year increase in breach costs, observing a nearly 13 per cent rise. Healthcare continued to incur the highest average breach costs at $7.13 million — an over 10 per cent increase compared to the 2019 study.
Key India findings:
- Rs 140 million was the average total cost of data breach in the 2020 study, an increase of 9.4 per cent from 2019
- Rs 5,522 was the cost per lost or stolen record in the 2020 study, an increase of 10 per cent from 2019
- 53 per cent of data breaches were caused by malicious attacks
- The average time to identify a data breach increased from 221 to 230 days
- The average time to contain a data breach increased from 77 to 83 days
- Top 3 root causes of data breach: 53 per cent malicious attack, 26 per cent system glitch and 21 per cent human error
Commenting on the India findings, Prashant Bhatkal, security software leader, IBM India/South Asia, said, “India is witnessing a change in the nature of cyber-crimes; it is now extremely organised and collaborative, with rising incidents of phishing attacks, social engineering attacks, etc. The hybrid-work environment has further brought about a dynamic change in the way organisations look at their security posture. While companies are aware of the importance of cybersecurity solutions, we witnessed a 9.4 per cent rise from last year in the total cost of data breach. Further, those with fully deployed security automation were able to detect and contain a breach more than 27 per cent faster than those with none.
Risks that we’ve been talking about for years, like password reuse, not patching, and improperly configured cloud infrastructure are major cost exacerbators in a breach. Not only are they the most common ways attackers are creeping into companies, but they are also the most financially damaging.
In the SMB space, organisations are re-evaluating their risk management plans and planning to incorporate digital security into their various programs to build Digital Trust. In the enterprise space, while organisations have built some basic digital trust programs, they are looking at the modernisation of their systems by adopting AI-driven security solutions. They are also looking at ways to migrate easily from one platform to another without compromising on security. There are also modernisation projects of existing tools to measure scalability, cloud-readiness, and their compatibility to automatically leverage AI and orchestration capabilities to reduce the dependence on human intervention.
As organisations look to expand their digital footprint, technologies like automation, AI, and cloud can help address skills gaps and support the security team in focusing on larger issues. These technologies can enable a faster breach response and be more cost-efficient in the long run.”