As the world shifts to online operations, the most vulnerable point of companies, the employee user account, has become even more vulnerable, according to a global survey by the Ponemon Institute. Artificial intelligence and automated defense demonstrably mitigate the financial consequences of data leakage.
Data leakage can have far-reaching consequences: beyond the short-term financial loss and the disruption to the company’s operations and compliance, it also damages the brand’s reputation, leaving the business with lost revenue and a competitive disadvantage for years. For the fifteenth time, the Ponemon Institute has conducted its annual global survey, which provides an up-to-date overview of the factors that increase or decrease the expected costs of data leakage; over the past decade and a half, it has become one of the leading performance measurement tools in the cybersecurity profession. A more accurate forecast of the financial consequences of security incidents also helps companies budget for adequate protection and avoid both overspending and underfunding.
The report has been published by IBM Security for five years; IBM assists not only as a sponsor but also in analyzing the data collected. For the 2020 survey, the Ponemon Institute approached more than half a thousand companies that suffered a data leak between August last year and April this year, in 17 countries and regions around the world and in the same number of industries, interviewing more than 3,200 incident specialists.
Although the current research started months before the outbreak of the coronavirus pandemic, analysts later asked participants about its impact, and three-quarters (76 percent) of respondents said that under telework conditions it will be even more difficult to detect or respond to data leaks.
Personal data worth its weight in gold
When calculating the average cost of data leakage, the researchers ignored very small and very large incidents and analyzed the latter separately. The amounts in the report thus essentially show the extent of the expected financial consequences of incidents involving more than three thousand and fewer than one hundred thousand data sets. The researchers performed activity-based costing, which found that in the event of a data leak four main processes drive costs: detecting and escalating the event (i.e. eliminating the leak), communicating the incident and sending notifications, handling the event, and lost business.
Although the global average cost of data leakage fell slightly to $3.86 million this year from $3.92 million in last year’s report, it varies widely across countries, industries and companies; for example, it is higher in organizations with little automation of cyber defense and incident management processes than in those at the forefront of this field.
The average was $4.45 million in Germany and $2.51 million in Scandinavia. In the medium-sized companies in the survey, those with a headcount of 5-10 thousand, the average cost of incidents increased by 7 percent in one year, and the cost per employee was also the highest among them. Similarly, the cost per data set shows that the severity of the financial consequences is greatly influenced by the type of data leaked or stolen.
Half (52 percent) of security incidents are malicious, and in 80 percent of incidents personally identifiable information (PII) of corporate customers fell into unauthorized hands, much more often than any other data type. While the cost per data set averages $146, the amount rises to $150 when customer data is leaked, and jumps to $175 when the data is acquired by cybercriminals, apparently because attackers target the most valuable customer or employee PII.
Not only is the telework introduced by companies as a result of Covid-19 making it more difficult to detect and eliminate data leaks, it is also raising the cost of incidents well above average, to $4 million. In one in five companies (19 percent) that fell victim to a malicious attack, cybercriminals gained access through user accounts with IDs they had obtained. In such a severe case, the cost of data leakage is expected to skyrocket to $4.77 million. Of course, human errors and system problems also led to incidents – 23 and 25 percent of the cases examined by the researchers, respectively – but the costs were still well above average, at $4.27 million.
However, the loss of business caused by the data leakage remains the most serious factor, increasing the average cost of incidents by almost 40%. Costlier customer acquisition due to customer defection, lost revenue due to system outages, and a deteriorating reputation resulted in an average additional cost to companies of $1.51 million.
Cost-cutting incident management
Misconfigured cloud environments helped cybercriminals in 19 percent of incidents related to a malicious attack – the same proportion as stolen user IDs – and this also hurt companies a lot, at an average of $4.41 million. The cost of data leakage was increased most by the complexity of security systems and ongoing cloud migration, by an average of $296,000 and $267,000, respectively; the third factor at the top of the list was the shortage of security professionals, at $257,000.
The automation of cyber protection is increasingly influencing the evolution of data leakage costs, according to the annual report. While researchers found automated cyber defense, with artificial intelligence platforms and rules describing the steps and processes of prevention and response, in 158 of the companies surveyed in 2018, their proportion has now risen to 21 percent.
In parallel, automated cyber defense is cutting costs more and more. For companies still at odds with automation, the average cost of a data leak was $6.03 million, more than double the $2.45 million found for organizations that automate their protection. The latter’s savings of $3.58 million increased significantly compared to the $1.55 million reported in 2018.
Companies that set up an incident response (IR) team, create an IR plan and test it with exercises and simulations save a lot on data leakage costs. Among them, the average cost of security incidents came in at $3.29 million this year, compared to $5.29 million for organizations without an IR team and plan. In addition, the difference has almost doubled, from $1.23 million last year to $2 million.
The significant cost reductions are largely due to the increased vigilance and rapid response of artificial intelligence. Globally, companies took an average of 207 days to detect a data leak and needed an additional 73 days to plug it, making the incident life cycle 280 days. However, the results of this year’s survey show that fully automated cyber defense will shorten this lead time by 74 days.
It is hardly surprising that, on this basis, the authors of the report advise companies to use managed security services that ease both the automation of cyber protection and the problem of skills shortages. However, many other measures are also proposed to reduce the cost of data leakage, including the introduction of zero trust access management, endpoint protection and monitoring, and robust data management.
The vast volume of data from the Ponemon Institute’s global survey cannot be shown in full detail in an eighty-page report containing more than forty charts. IBM has therefore created an online version of the material, which cybersecurity professionals can study through interactive data visualizations, along with a calculator for estimating how much a data leak would cost their company.