The Cost of a Data Breach Reaches an All-Time High of $4.45 Million

MGM Resorts was the latest victim of a social engineering hack that brought the casino chain to its knees. The breach happened last week when hackers obtained a password by posing as an employee of the Las Vegas resort chain.

According to published reports on TechCrunch and Bloomberg, the attack crippled MGM’s hotel guest services as well as its online electronic gambling devices. Malware group Scattered Spider breached the system and held MGM’s data for ransom. MGM rival Caesars was also the subject of a data breach and ransomware attack.

The prevalence of data breaches, along with their associated cost, continues to rise. The cost reached an all-time high of $4.45 million USD this year, according to IBM’s annual “Cost of a Data Breach Report 2023.” Conducted by the Ponemon Institute, the report was sponsored, analyzed and published by IBM Security.

The study, conducted with 553 organizations worldwide between March 2022 and March 2023, reveals that 51% of organizations are planning to increase security investments as a result of a breach. That means that 49% are either continuing security investments at their current level or decreasing spending on security solutions.

Lifecycle of Data Breaches

What’s also surprising is that only about a third of breaches are detected internally. “Most of the time, you’re getting a knock on the door, or you’re being notified and disclosed by the attacker themselves,” explains Jennifer Kady, vice president, IBM Security. “That’s troubling. So, data breaches that were disclosed by the attacker cost nearly a million dollars more.” Of those attacks, about 40% are boundaryless, spanning public, private and on-premises environments.

Given the high costs, it still seems surprising that organizations aren’t doing more to prevent breaches. “Perhaps the repercussions still aren’t enough?” asks Eduardo Ciliendo, vice president, business development, 21CS. “Given the frequency, cost and impact of data breaches, IT shops can no longer wait to improve their data resilience posture.” 21CS develops several z/OS cyber resilience, encryption and change management solutions for IBM.

Ciliendo adds that many view the IBM Z mainframe as impenetrable and impervious to data breaches. While that was once true, the system’s prevalence in multi-cloud environments makes it easier to gain access to mainframe data. “The hackers may not target or go after mainframe first, but once they’re somewhere else in your hybrid cloud infrastructure, it’s getting easier and easier to get into the mainframe.”

The breach lifecycle, which is the time to identify and contain breaches, also impacts the cost of a breach. Breaches discovered and contained in less than 200 days–which is still more than half a year–cost organizations $3.93 million. In comparison, those breaches that took more than 200 days cost 23% more, or $4.95 million.

And the chances of a data breach are significant, as the Vegas casinos discovered. “It’s not a matter of if you’re going to be breached, it’s when you’re going to be breached,” Kady says. “Most of us in some way, shape or form have been breached. Our PII (personally identifiable information), most of our PII has been accessed.”

Mitigating Data Breaches

Given the severity and consequences of data breaches, organizations need to begin developing ways to fortify their IT infrastructure. Recommendations include developing a DevSecOps strategy, implementing AI and automation and managing the cloud.

DevSecOps Strategy

Organizations that have a defined DevSecOps strategy see a $1.7 million cost savings compared to those who lack the strategy or don’t test it regularly. Keeping security at the core by testing regularly gives an organization better insight into identifying or patching certain levels of vulnerabilities. By understanding and uncovering your organization’s weaknesses, you can figure out where a threat actor could potentially gain access to your systems.

Most of the CISOs Kady works with regularly conduct pen tests. “That candidly can be a real savior for their teams,” she says.

AI and Automation

Other top findings demonstrate that security and artificial intelligence (AI) solutions have a significant financial impact on breaches. By using AI and automation, organizations experienced a 108-day shorter time to identify and contain a breach. This also translates into $1.76 million lower data breach costs compared to organizations that didn’t use AI and automation solutions.

The use of AI and automation improves the speed and accuracy of data breach detection. Close to 70% of organizations are either using or plan to use AI within their organization. “While we’re combating the actors using suspicious and perhaps sometimes challenging generative AI in and of themselves, we need to be doing the same,” Kady says.

Cloud

The study showed that 82% of data breaches involved data stored in the cloud—public, private or multiple environments. Further, the study states, “Attackers often gained access to multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than-average cost of USD $4.75 million.”

Securing data in the cloud comes down to IT departments knowing where data and shadow data live, how many copies exist and how to mitigate for that potential, according to Kady.

The Good News

The good news, according to Kady, is that clients aren’t putting their heads in the sand when it comes to securing their data against breaches. From the board room to governmental regulations, clients are working to implement mitigation practices.

“There’s a variety of different pushes that are coming into play, not only from the government side and regulatory side, but I also see clients heeding the warnings that they’re seeing,” she says.