The costs of data breaches are continuing to rise. A new report has found the cost has risen 12 percent over the last five years and now costs $3.92 million on average per breach. Last year, the average cost was $3.86 million.
According to the report, the formation of an incident response team, extensive use of encryption and whether a third party partner is breached can impact the overall cost of a data breach.
The annual “Cost of a Data Breach” report comes from IBM Security and was conducted by the Ponemon Institute. It is based on in-depth interviews with more than 500 companies who have suffered a data breach over the last year.
“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services, said in a statement. “With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs.”
The report also found that malicious breaches were the most common and most expensive, mega breaches with more than 1 million records compromised cost about $42 million in losses, 50 million records or more compromises cost companies $388 million, and breaches in the United States cost double.
While malicious attacks accounted for 50 percent of data breaches, accidental breaches stemming from system glitches or human error made up about 49 percent. of data breaches. According to cybersecurity researcher and MIT professor Stuart Madnick, a large problem with data breaches and cybercrimes is that most people don’t understand that much about cybersecurity.
“Too many people assume [security] is left to the IT department, and don’t understand how much a critical role [they] play in essentially leaving the back door open for cyber criminals to get in and so that’s probably the most important message we need to clarify,” he said.
Most businesses experience a breach because someone in their organization executed a behavior that was not cyber secure such as giving a password to someone, leaving a password unprotected, not creating a strong enough password or clicking on a phishing email, added Keri Pearlson, executive director of Cybersecurity at MIT Sloan.
According to the IBM report, lack of understanding represents an opportunity for improvement within companies through security awareness training, technology investments and testing services to identify breaches early on.
For both malicious and inadvertent breaches, IBM found breach response will be the biggest cost-saver for companies. The report reveals 279 days is the average life cycle of a breach with companies. It takes companies 206 days after the breach has occurred to detect it and 73 days for them to contain it. Companies able to detect and contain the breach in less than 200 days spent $1.2 million less on the total cost of a breach, IBM explained.
The dark web
Another part of the software security problem is that people don’t understand how sophisticated the cybercrime ecosystem is, according to MIT’s Madnick.
“What we have discovered is that cybersecurity is an enormous ecosystem. I often jokingly say it makes the drug cartels look like child’s play,” he said. Cyber attacks are made possible through the dark web The dark web is where a lot of cyber warfare, weapons and cyber techniques are exchanged and where a lot of the cyber criminal ecosystem exists, Madnick explained.
While many companies wouldn’t disclose a cyber attack unless they were required by law because they are fearful of having a bad reputation, it is the exact opposite in the dark web. “If you are the one who broke into the FBI, you are going to rave about it because your reputation is valuable and you want everyone to know all the great things you did. They operate on a totally different set of principles than we do,” said Madnick. “The cyber criminals are much better at sharing information than the good guys are, and in fact that is why they are innovating and adapting much faster than we are.”
This information-sharing on the dark web enables cyber criminals to piece together software widgets and tools that can than be used against businesses, according to Madnick.
To combat this, Madnick and a team of cybersecurity researchers recommend a value-chain model for cybersecurity. The value-chain model refers to a set of processes or activities a business carries out in order to create value such as a product or service from conception to production. The primary activities of a business value chain are inbound logistics, operations, outbound logistics, marketing and sales, and service. The cyber criminals carry out a cyber attack value-chain model with the primary activities including: discovering a vulnerability, preparing to exploit, delivering the expolit and activating the cyberattack.
As a result, the researchers explain businesses must also follow this value-chain model to combat cyber attacks, with its primary activities being life cycle management, operations, hacker human resources, marketing and delivery, and technology support.
“Examining cyberattacks through the lens of a value chain reveals organized businesspeople using proven business models within a well-defined ecosystem governed by the dictates of supply and demand,” the researchers wrote in a report titled Casting the Dark Web in a New Light. “This cyberattack-as-a-service ecosystem makes mounting targeted, scalable cyberattacks quicker, cheaper, and more difficult to stop. But understanding all that helps organizations reimagine how to combat cyberattacks.”