Data breaches are growing in volume and cost. Estimates from non-profit the Identity Theft Resource Center (ITRC) reveal that 2023 was a record year for compromise in the US. Over 3,200 incidents impacted more than 353 million customers. The latest in a long line of annual reports from IBM has more revelations to keep CISOs and data protection officers (DPOs) awake at night. The cost of an average global data breach is now 10% higher than it was last year, at nearly $4.9m.
An increasingly large share of that cost is due to lost business following an incident. It’s time organizations doubled down on data protection.
Counting the cost
The IBM Cost of a Data Breach study has been tracking key metrics like this for years. Its “activity-based costing” methodology highlights four key elements that follow a data breach: detection and escalation, notification, post-breach response and lost business. Costs associated with lost business increased 13% annually, from $1.3m to $1.47m. That means factors related to this now account for nearly a third (30%) of total breach costs. Only detection and escalation costs (33%) were higher.
According to the study, lost business includes revenue loss due to system downtime, the cost of losing customers and acquiring new ones, and reputation damage and diminished goodwill. All three can have a serious impact on a business.
- Ransomware attacks, which now account for nearly a quarter (23%) of all data breaches, can have a major impact on system downtime. Even if data is not encrypted by threat actors, victim organizations may need to take business-critical systems offline to contain the threat and then perform checks and remediation efforts
- At a time when customer trust is hard won and easily lost, breaches are particularly damaging. Reports suggest that customer acquisition can often cost many times more than retaining an existing one. According to one study, 60% of consumers have bought from a brand based on the service they expect to receive, and three-quarters (73%) say they’ll switch to a competitor if they have bad experiences with that company
In this context, there’s a world of difference between notifying a customer that their personal and/or financial data has been compromised, and that it was accessed but has already been rendered unusable to the threat actors.
Getting data protection right
The share of organizations making security investments rose by over 23% annually to reach almost two-thirds of the sample studied by IBM. The tech giant claims that this may reflect a realization that lost business costs and reputational damage are starting to spiral out of control. The report claims that encryption can reduce average breach costs by $243,914. It helps particularly in reassuring regulators (eg GDPR, PCI DSS) that compromised data cannot be monetized by those who stole it.
So how should organizations go about implementing data-centric security? Encryption and format-preserving alternatives like tokenization are the end goal. But first it’s essential to understand the type of data flowing through the organization, and where it resides. This is not a one-off job. It must be a continuous process of discovery, classification and finally the application of data protection according to policy. As the report states: “Data encryption strategies must consider the types of data, its use and where it resides to lower risk in case of a breach.”
comforte’s Data Security Platform can help with all of this, utilizing AI algorithms for automated continuous discovery and classification of highly regulated personally identifiable information (PII). It will find this information wherever it resides – even in cloud storage. By eradicating blind spots, it works to minimize breach costs.
