By: Terry Halvorsen, general manager, U.S. Federal Market, IBM
The pandemic accelerated digital transformation, amplifying both opportunities and risks. Remote workers, new devices, partners, and integrations open organizations in ways that can radically increase their threat surface, making it less a question of whether a cyber attack will happen than of when. Therefore, the well-being of organizations today depends not only on protecting against and preventing cyber incidents, but also on rapidly detecting, responding to, and recovering from them – and the costs prove it.
IBM recently released its annual Cost of a Data Breach Report, which found that the financial cost of a data breach in 2022 reached an all-time high of $4.35 million on average. One of the key revelations in this year’s report is that the financial impact of breaches is starting to extend well beyond the individual organization itself. We’re now beginning to see a hidden “cyber tax” paid by consumers because of the growing number of breaches. In fact, IBM found that for 60 percent of organizations, breaches led to price increases passed on to consumers. A prime example: in the wake of the 2021 Colonial Pipeline ransomware attack, gas prices temporarily rose 10 percent, and some of this increase can be attributed to that attack.
While certain factors can exacerbate breach costs, such as focusing on responding to data breaches versus preventing them, there are other factors, including a zero trust strategy, that can help mitigate the financial and mission impacts of a breach.
- Slow down bad actors with zero trust. The study found that organizations that adopt zero trust strategies pay on average $1 million less in breach costs than those that don’t. Instead of trusting that security defenses will succeed, zero trust assumes that an adversary’s attack won’t fail. To put a twist on an old Washingtonian phrase: don’t trust, but still verify. Taking this approach helps organizations buy more time and slow down bad actors. It eliminates the element of surprise and moves away from patrolling a perimeter 24×7 – a strategy that has already crumbled at the feet of today’s digital revolution. In the year since the White House issued its cybersecurity executive order outlining a mandatory zero trust security strategy for the federal government, agencies have made progress toward their zero trust security goals. However, there’s still more work to be done, specifically on implementation. Assessing your current environment and properly defining what you’re trying to achieve will raise the probability of success. Zero trust is a journey, and patience is key.
- Reduce the data breach lifecycle with security AI and automation. A zero trust approach helps slow down bad actors, which ultimately helps reduce costs. Security AI and automation go hand in hand with it, shortening the total breach lifecycle and with it the time and cost of a data breach. With 62 percent of organizations stating that they are not sufficiently staffed to meet their security needs, using AI to automate certain repetitive tasks, for example, can help address today’s security skills shortage while also improving response times and security outcomes. This year’s report found that organizations with fully deployed security AI and automation pay an average of $3.05 million less in breach costs than those without – the biggest cost saver observed in the study. Organizations with fully deployed AI and automation also took an average of 74 days less to identify and contain a breach (the breach lifecycle) than those with no security AI or automation deployed.
- Enhance preparedness by creating, testing and evolving incident response playbooks. Zero trust makes it harder for attackers to gain access, but it doesn’t make it impossible. Incident response planning and capabilities supplement it by helping organizations respond quickly and effectively to security incidents and ultimately save costs associated with data breaches. In fact, the study found that, on average, data breaches cost $2.66 million more for organizations that have neither an incident response team nor a tested incident response plan than for those that have both ($3.26 million vs. $5.29 million). That represents a 58 percent cost savings, compared to 2020, when the cost difference was only $1.77 million.
With the cost of a data breach higher than ever, it’s clear that the pressure on chief information security officers (CISOs) is not likely to let up anytime soon. The right strategies and technologies can help organizations across industry and government get their cybersecurity houses in order and may hold the key to reducing breach costs.