What is the average cost of a security breach?
According to a McKinsey Global Survey of executives, the COVID-19 pandemic has accelerated the digitization of businesses by three to four years. Dependency on data has never been greater than it is today. As a consequence, data breaches can be devastating for companies of all sizes. On a macro level, UpGuard states that the annual global cost of data breaches doubled from $3 trillion in 2015 to $6 trillion in 2021.
On an individual company level, the latest "Cost of a Data Breach" report by IBM reveals significant changes in the landscape of data breaches. As of 2023, the average total cost of a data breach has escalated to $4.45M (approximately €4.06M), reflecting the evolving challenges and impacts of data breaches on businesses.
This cost encompasses several key areas:
- Detection and escalation (investigation, audit, crisis management & internal communications)
- Lost business (downtime cost, loss of customers & reputation damage)
- Notification of data subjects (external communications, regulatory requirements, costs related to external experts)
- Post-breach activities (fines, help desk costs & legal expenditure)
Other key findings:
- Healthcare Industry: Continues to bear the brunt, with average costs soaring to $10.93M.
- Geography: Data breaches cost the most in the USA, with an average of $9.48M.
- Breach Lifecycle: The average time to identify and contain a breach is 204 days.
- Rapid identification and containment of breaches are crucial, with breaches resolved in under 200 days costing significantly less.
- Malicious Breaches: Phishing and stolen or compromised credentials were among the most prevalent initial attack vectors in 2023.
- DevSecOps Adoption Savings: Organizations with high levels of DevSecOps adoption, integrating security into their software development process, saved an average of $1.68M compared to those with lower levels of adoption.
- Incident Response (IR) Planning and Testing: High levels of IR planning and testing led to cost savings of $1.49M per data breach, highlighting its effectiveness in reducing breach-related expenses.
- Impact of Security System Complexity: Organizations with high security system complexity faced an increase in data breach costs by 31.6%, with an average cost of $5.28M compared to $3.84M for those with less complex systems.
- Breach Lifecycle Duration: Breaches that took more than 200 days to identify and resolve cost an average of $4.95M, which is $1.02M more than breaches contained within 200 days.
Data breach protection must include physical security
“Already 10% of malicious breaches are caused by a physical security compromise” - IBM
With 10% of malicious breaches attributed to physical security compromises, the integration of physical and digital security strategies is more crucial than ever. Traditional security systems are no longer sufficient. Modern threats require advanced solutions like biometric access controls and continuous monitoring of physical access points. For more information, read our article on 10 steps to lower the chances of a physical security attack.
Physical security breaches manifest in various forms, each posing significant risks to an organization's integrity and safety. Examples of physical security breaches include:
- Unauthorized individuals gaining access to sensitive areas such as server rooms, which house critical data and IT infrastructure.
- Theft or vandalism within office spaces, disrupting daily operations and causing financial losses.
- The installation of covert surveillance or bugging devices at key infrastructural points, a more insidious threat that can lead to long-term espionage or data leakage.
Each of these scenarios underscores the vital importance of robust physical security measures to safeguard an organization's assets and information.
A notable example comes from Tesla. Two former Tesla employees were recently implicated in a data breach involving the personal information of more than 75,000 individuals, reported to Maine regulators on August 18. The breach came to light when Tesla was informed by the German news outlet Handelsblatt, leading to an internal investigation that traced the leak back to these employees. The leaked data, which included names, addresses, and contact details, was obtained in violation of Tesla's IT and data protection policies. Despite assurances from Handelsblatt that it would not publish the data, in compliance with GDPR, Tesla pursued legal action against the ex-employees and collaborated with law enforcement and forensic experts to mitigate the breach.
The Tesla case exemplifies the ongoing struggle companies face in securing their systems against insider threats, especially in an era where cloud-based applications and access management for former employees add layers of complexity to organizational security.
Tips for preventing data breaches
- Employee Education: Conduct regular data security workshops.
- Penetration Testing: Regularly test critical applications and systems.
- Robust Access Controls: Implement distinct passwords for each system, locking systems, and multi-factor authentication.
- Data Encryption: Use high-grade encryption for sensitive information.
- Biometric Security: Consider integrating biometric verification in physical security.
- Regular Updates: Keep all software and hardware, including physical security systems, up-to-date.
- Software Architecture Mapping: Maintain a clear overview of all application dependencies and connections.