Stolen or compromised credentials and cloud misconfigurations were the most common causes of malicious breaches among organizations studied, according to a new global report.
The annual Cost of a Data Breach report, conducted by the Ponemon Institute and sponsored by IBM, found that these two factors together accounted for nearly 40 per cent of malicious breaches in the 12-month period ending in April 2020. Cloud misconfigurations alone were involved in nearly 20 per cent of breaches and were the third most expensive initial attack vector examined in the report.
The study was based on in-depth interviews with more than 3,200 security professionals at over 500 organizations that had suffered a data breach during that period; breaches of more than 1 million records ("mega breaches") were analyzed separately from the main sample.
Over 8.5 billion records were exposed during the study period. With attackers using previously exposed e-mail addresses and passwords in one out of five breaches studied, the report says businesses should rethink their security strategy and adopt a zero-trust approach. Under zero trust, no user, device or connection is trusted by default simply because it sits on the internal network: every access request is authenticated and authorized, reused or exposed credentials are treated as compromised, and access to sensitive data is restricted to what each identity actually needs.
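One concrete control against the "previously exposed passwords" vector above is to check a submitted password against a breach corpus at login or registration without ever sending the password itself. The following is an added example, not code from the report or from IBM: it implements the k-anonymity range-query pattern (send only the first five hex characters of the SHA-1, receive all matching suffixes, compare locally) against a constructed in-memory corpus that stands in for the real lookup service. The corpus contents, the `range_lookup` stand-in and the `login_decision` policy are all assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus. A real corpus holds only
# SHA-1 hashes with occurrence counts; plaintexts appear here only so the example
# is readable and self-contained.
CONSTRUCTED_LEAKED_PASSWORDS = [
    "password", "password", "123456", "qwerty", "letmein", "Summer2020!",
]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range-query services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Map 5-hex-char prefix -> {35-char suffix: count}.

    This mirrors what a range endpoint serves per prefix; building it locally
    lets the example run offline.
    """
    index = defaultdict(lambda: defaultdict(int))
    for pw in leaked:
        h = sha1_upper(pw)
        index[h[:5]][h[5:]] += 1
    return index


def range_lookup(index, prefix: str):
    """Stand-in for the network call: only the 5-char prefix leaves the client.

    Returns every suffix known for that prefix with its breach count, so the
    service never learns which full hash the client was interested in.
    """
    return dict(index.get(prefix, {}))


def exposure_count(password: str, index) -> int:
    """How many times this exact password appears in the corpus (0 = not seen)."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    candidates = range_lookup(index, prefix)   # whole bucket, compared locally
    return candidates.get(suffix, 0)


def login_decision(password: str, index) -> str:
    """Zero-trust style policy (assumed for the example): a credential seen in a
    breach is treated as compromised even if it is the user's correct password,
    so the login is forced through step-up authentication and a reset."""
    if exposure_count(password, index) > 0:
        return "step_up_mfa_and_require_reset"
    return "allow"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_LEAKED_PASSWORDS)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", exposure_count(candidate, idx), login_decision(candidate, idx))
```

The design point is that `exposure_count` never transmits the full hash: a prefix of five hex characters (roughly one of a million buckets) is all the lookup side sees, which is why the pattern is acceptable even for a user's live password. In production the bucket would come from a breach-corpus API rather than `build_range_index`, and the decision should feed the same authorization policy that gates access to sensitive data.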
Globally, the average cost of a data breach for the organizations studied was $3.86 million (all figures U.S. dollars), roughly the same as in the previous year's study. The average time it took to identify and contain a breach was 280 days, unchanged from the previous year's study.
Among Canadian respondents, the average cost of a data breach was $4.5 million, up slightly from the year before. The average time to identify and contain a breach among Canadian respondents was 226 days, down from 241 days in the previous year's study. Forty-two per cent of the Canadian breaches studied were caused by malicious attacks, 35 per cent by a system glitch, and 23 per cent by human error.
“Canada having one of the world’s highest average costs for data breaches shows an urgent need for businesses to make cyber resiliency a top priority, to mitigate not just the financial impact but the impact on customer and employee privacy as well,” said Ray Boisvert, an IBM Canada security expert. “The onus isn’t just on government and businesses, however; we all have a role to play in protecting and safeguarding our information.”
Other findings were:
- Smart tech slashes breach costs in half: Companies studied that had fully deployed security automation technologies (which use AI, analytics and automated orchestration to identify and respond to security events) experienced less than half the data breach costs of those that had not deployed such tools – $2.45 million versus $6.03 million on average.
- Paying a premium for compromised credentials: In incidents where attackers accessed corporate networks through the use of stolen or compromised credentials, studied businesses saw nearly $1 million higher data breach costs compared to the global average – reaching $4.77 million per data breach. Exploiting third-party vulnerabilities was the second costliest root cause of malicious breaches ($4.5 million) for this group.
- Mega breach costs soar by the millions: Breaches with over 50 million records compromised saw costs jump to $392 million from $388 million the previous year. Breaches where 40 to 50 million records were exposed cost the studied companies $364 million on average, a cost increase of $19 million compared to the 2019 report.
- Nation-state attacks – the most damaging breaches: Data breaches believed to originate from nation-state attacks were the costliest, compared to other threat actors examined in the report. State-sponsored attacks averaged $4.43 million in data breach costs, surpassing both financially motivated cybercriminals and hacktivists.
Incident response (IR) preparedness also continues to heavily influence the financial aftermath of a breach. According to the report, companies with neither an IR team nor testing of IR plans experienced $5.29 million in average breach costs, while companies that have both an IR team and use tabletop exercises or simulations to test IR plans experienced $2 million less in breach costs.
The report also found that breaches at studied organizations with cyber insurance cost nearly $200,000 less on average than the global average of $3.86 million. Of the organizations that drew on their cyber insurance, 51 per cent used it to cover third-party consulting fees and legal services, while 36 per cent used it for victim restitution costs. Only 10 per cent used claims to cover the cost of ransomware or extortion.