The bald figure of $4.88 million tells us little about the state of security. But the detail contained within the latest IBM Cost of Data Breach Report highlights areas we are winning, areas we are losing, and the areas we could and should do better.
“The real benefit to industry,” explains Sam Hector, IBM’s cybersecurity global strategy leader, “is that we’ve been doing this consistently over many years. It allows the industry to build up a picture over time of the changes that are happening in the threat landscape and the most effective ways to prepare for the inevitable breach.”
IBM goes to considerable lengths to ensure the statistical accuracy of its report (PDF). More than 600 companies were queried across 17 industry sectors in 16 countries. The individual companies change year on year, but the size of the survey remains consistent (the major change this year is that ‘Scandinavia’ was dropped and ‘Benelux’ added). The details help us understand where security is winning, and where it is losing. Overall, this year’s report leads toward the inevitable assumption that we are currently losing: the cost of a breach has increased by approximately 10% over last year.
While this generality may be true, it is incumbent on each reader to effectively interpret the devil hidden within the detail of statistics – and this may not be as simple as it seems. We’ll highlight this by looking at just three of the many areas covered in the report: AI, staff, and ransomware.
AI is given detailed discussion, but it is a complex area that is still only nascent. AI currently comes in two basic flavors: machine learning built into detection systems, and the use of proprietary and third party gen-AI systems. The first is the simplest, most easy to implement, and most easily measurable. According to the report, companies that use ML in detection and prevention incurred an average $2.2 million less in breach costs compared to those who did not use ML.
The second flavor – gen-AI – is more difficult to assess. Gen-AI systems can be built in house or acquired from third parties. They can also be used by attackers and attacked by attackers – but it is still primarily a future rather than current threat (excluding the growing use of deepfake voice attacks that are relatively easy to detect).
Nevertheless, IBM is concerned. “As generative AI rapidly permeates businesses, expanding the attack surface, these expenses will soon become unsustainable, compelling business to reassess security measures and response strategies. To get ahead, businesses should invest in new AI-driven defenses and develop the skills needed to address the emerging risks and opportunities presented by generative AI,” comments Kevin Skapinetz, VP of strategy and product design at IBM Security.
But we don’t yet understand the risks (although nobody doubts, they will increase). “Yes, generative AI-assisted phishing has increased, and it’s become more targeted as well – but fundamentally it remains the same problem we’ve been dealing with for the last 20 years,” said Hector.
Part of the problem for in-house use of gen-AI is that accuracy of output is based on a combination of the algorithms and the training data employed. And there is still a long way to go before we can achieve consistent, believable accuracy. Anyone can check this by asking Google Gemini and Microsoft Co-pilot the same question at the same time. The frequency of contradictory responses is disturbing.
The report calls itself “a benchmark report that business and security leaders can use to strengthen their security defenses and drive innovation, particularly around the adoption of AI in security and security for their generative AI (gen AI) initiatives.” This may be an acceptable conclusion, but how it is achieved will need considerable care.
Our second ‘case-study’ is around staffing. Two items stand out: the need for (and lack of) adequate security staff levels, and the constant need for user security awareness training. Both are long term problems, and neither are solvable. “Cybersecurity teams are consistently understaffed. This year’s study found more than half of breached organizations faced severe security staffing shortages, a skills gap that increased by double digits from the previous year,” notes the report.
Security leaders can do nothing about this. Staff levels are imposed by business leaders based on the current financial state of the business and the wider economy. The ‘skills’ part of the skills gap continually changes. Today there is a greater need for data scientists with an understanding of artificial intelligence – and there are very few such people available.
User awareness training is another intractable problem. It is undoubtedly necessary – and the report quotes ‘employee training’ as the #1 factor in decreasing the average cost of a beach, “specifically for detecting and stopping phishing attacks”. The problem is that training always lags the types of threat, which change faster than we can train employees to detect them. Right now, users might need additional training in how to detect the greater number of more compelling gen-AI phishing attacks.
Our third case study revolves around ransomware. IBM says there are three types: destructive (costing $5.68 million); data exfiltration ($5.21 million), and ransomware ($4.91 million). Notably, all three are above the overall mean figure of $4.88 million.
The biggest increase in cost has been in destructive attacks. It is tempting to link destructive attacks to global geopolitics since criminals focus on money while nation states focus on disruption (and also theft of IP, which incidentally has also increased). Nation state attackers can be hard to detect and prevent, and the threat will probably continue to expand for as long as geopolitical tensions remain high.
But there is one potential ray of hope found by IBM for encryption ransomware: “Costs dropped dramatically when law enforcement investigators were involved.” Without law enforcement involvement, the cost of such a ransomware breach is $5.37 million, while with law enforcement involvement it drops to $4.38 million.
These costs do not include any ransom payment. However, 52% of encryption victims reported the incident to law enforcement, and 63% of those did not pay a ransom. The argument in favor of involving law enforcement in a ransomware attack is compelling by IBM’s figures. “That’s because law enforcement has developed advanced decryption tools that help victims recover their encrypted files, while it also has access to expertise and resources in the recovery process to help victims perform disaster recovery,” commented Hector.
Our analysis of aspects of the IBM study is not intended as any form of criticism of the report. It is a valuable and detailed study on the cost of a breach. Rather we hope to highlight the complexity of finding specific, pertinent, and actionable insights within such a mountain of data. It is worth reading and finding pointers on where individual infrastructure might benefit from the experience of recent breaches. The simple fact that the cost of a breach has increased by 10% this year suggests that this should be urgent.