The average cost of “super-large” data breaches has increased astronomically over the past year, with companies affected by such security incidents expected to pay up to $392 million, ZDNet reported. Data breaches are now common, and cyberattacks on companies have spawned a new online insurance industry as well as regulatory and class-action lawsuits against companies that fail to protect data. New laws, such as the European Union’s GDPR, can be used to impose heavy penalties on lax data controllers.
However, data breaches continue to occur, some of which lead to the theft of consumer records, the sale of them in underground forums, and the increased risk of identity theft. To deal with the consequences of a data breach, businesses may need to spend money to repair systems and upgrade their architectures, may need to invest in new network security services and network forensics, and may face legal action or regulatory penalties — costs that are increasing year by year if customer PII is involved.
On Wednesday, IBM released its annual Data Breach Cost Report, which said the average cost of a data breach now is $3.86 million. While this average is down 1.5 percent from 2019, the cost of remediation of these “super-large” data breaches could be as high as $392 million when more than 50 million consumer records are involved, up from $388 million in 2019.
If an organization acts as a data controller for 40 to 50 million records at an average cost of $364 million, the organization could face a cost of up to $175 per consumer record involving data theft or disclosure. The study, conducted by the Ponemon Institute, included interviews with more than 3,200 security professionals working with companies that have experienced data breaches in the past year.
As highlighted by the recent Twitter hack, compromised employees and internal accounts are one of the most expensive factors in today’s data breaches, costing an average of $4.77 million. When internal accounts are involved, 80% of the events result in the exposure of customer records. Overall, stolen or compromised account credentials, along with cloud misconfiguration, account for nearly 40 percent of security incidents.
IBM says that in one in five data breaches, compromised account credentials were used as an attacker’s entry point, resulting in more than 8.5 billion records being exposed in 2019 alone. Cloud misconfiguration accounts for nearly 20% of network vulnerabilities. Exploitation of third-party vulnerabilities, such as zero-day or unpatched security vulnerabilities in enterprise software, is also an expensive factor in data breaches. A company is expected to incur up to $4.5 million in damages if it suffers a data breach as a result of such vulnerabilities.
State-sponsored attacks, including those by advanced persistent threat (APT) organizations, are far less common, accounting for only 13 percent of the overall data breaches reported by companies. However, when these threat actors are involved, the losses they cause often result in higher recovery costs, representing an average of $4.43 million.
If a business has already purchased online insurance, it can reduce its losses by an average of $200,000, with the bulk of the insurance payout going to legal services and consulting fees.
In the report, IBM used artificial intelligence, machine learning, and automation as valuable tools to respond to data breaches, potentially reducing event response times by 27 percent.
“At a time when companies are accelerating their digital footprint and the talent shortage in the security industry persists, teams are overwhelmed by the need to protect more equipment, systems, and data,” Wendi Whitmore, vice president of IBM X-Force Threat Intelligence, commented. “When it comes to the ability of companies to mitigate the impact of data breaches, we’re starting to see the clear advantages that companies that have invested in automation technology have.”