Like everything else, the cost of a data breach is rising, up 10% over the past year, IBM found in its research on data breach costs released this summer.
Organizations can now expect an average of $4.88 million in costs, including business disruption and remediation. It is the customer who ultimately pays, as nearly two-thirds of the organizations surveyed admitted passing those costs along to consumers.
“Having customers absorb these costs can be problematic in a competitive market already facing pricing pressures from inflation,” IBM said in the report.
Asking customers to foot the bill for data breach remediation will not prevent future breaches or address the issues that drive costs up. Instead, organizations should look ahead to the next potential cyber incident and rethink how they invest in data breach prevention.
The extensive recovery period
One reason the cost of a data breach has risen so sharply is the time it takes to recover, a process that IBM found takes months. Three-quarters of the study's respondents said recovery took more than 100 days; a third said it took longer than 150 days.
Recovery takes so long because it is genuinely hard, explained Chris Morales, CISO at Netenrich, in an email. Today's cyberattacks resemble very sophisticated puzzles, often combining multiple attack vectors and advanced tactics, and that complexity makes it difficult to identify and address every aspect of a breach quickly.
Many organizations also have significant gaps in their detection and response capabilities.
“It's not that uncommon for breaches to go unnoticed for several weeks or even months, which obviously delays the start of recovery efforts,” said Morales.
Then, there's the regulatory maze to navigate. Compliance requirements add layers of complexity to the recovery process.
“It's not just about fixing technical issues,” said Morales.
“Organizations must also spend their precious time and energy on making sure that they meet all legal and regulatory obligations.”
Factoring in security investments
Most organizations understand the importance of implementing proactive security measures, like advanced threat detection, regular security audits and employee training. However, when it comes to actually investing in these areas, many fall short until after a breach occurs.
“After the breach, we usually see a flurry of reactive spending,” said Morales.
Organizations rush to patch vulnerabilities and roll out new technologies but sometimes miss the bigger picture: there is a tendency to focus heavily on technological solutions while underinvesting in people and processes.
This parallels the findings of the IBM study, which identified the security skills shortage and security system complexity as key factors driving up the cost of a data breach.
On the flip side, investment in technologies like AI and machine learning, as well as support for employee cybersecurity awareness training, reduces data breach costs.
More often than not, the injection of investment in security arrives only after a breach; breaches are frequently the catalyst for substantial spending on a cybersecurity program. In fact, IBM found that nearly two-thirds of organizations increase security investments after a breach.
These post-breach investments typically span a range of security enhancements, according to Craig Jones, VP of security operations at Ontinue: incident response systems, more rigorous access controls, and advanced threat intelligence solutions.
“Additionally, there is a growing emphasis on employee education, ensuring that staff are well-versed in recognizing and responding to potential threats,” said Jones.
Even though many of these investments may come about in the aftermath of an incident, they are the first line of defense in holding down costs if and when the next breach occurs.
What businesses are missing in their security investments
Despite all these investments, organizations still overlook the pursuit of a truly holistic security posture.
“Many organizations focus so much on individual technological solutions that they lose sight of the bigger picture,” said Morales.
Elements such as continuous monitoring, proactive threat hunting and a well-integrated security architecture are frequently underfunded or ignored. Alternatively, organizations buy the latest and greatest tools, which accomplishes little if the security team cannot use them effectively.
“To bridge these gaps, businesses should prioritize comprehensive risk assessments, foster a culture of security awareness, and ensure that all security measures are aligned with their overall business objectives,” said Jones.
In essence, it's about shifting from a reactive to a proactive mindset.
“We need to stop playing catch-up and start staying ahead of the curve,” said Morales.
“It's challenging, sure, but in today's threat landscape, it's absolutely necessary.”