Organizations are investing more than ever in cybersecurity. Recent research reveals that mean spending was up 60% year-on-year to reach $5.3m, and has increased by 250% since 2019. But the devil’s in the detail. If these funds are not being directed to the right areas, then global businesses will continue to expose themselves to excessive cyber-risk. The challenge for CISOs is knowing which projects should take priority.
This is where industry research can be instructive. An IBM study out this week calculated that “extensive” use of encryption could save the average organization as much as £250,088 on the cost of a data breach. That makes it one of the most important things IT security buyers can do to reduce financial risk stemming from cyber-attacks.
Counting the costs
The IBM Cost of a Data Breach Report has been running for 17 years, and as such represents a useful snapshot of both the threat landscape and the maturity of the market. It reveals a digital landscape in which breaches are inevitable—83% of respondents admitted they’d suffered more than one incident. And organizations are still too slow at discovering they’ve been breached—the average time to identify and contain a data breach stood at 277 days, a drop of 3.5% from the previous year but still far from optimal. The longer threat actors are allowed to remain inside networks undisturbed, the more damage they can do.
The report also highlighted the significant and growing financial impact of data breaches. The average figure for a single incident now stands at $4.35m globally. But the number rose significantly in the US ($9.4m) and for organizations in certain sectors like healthcare ($10m), finance ($5.97m) and pharma ($5m), which were the top three most expensive for breach costs. What’s more, 60% of organizations that have been breached put the prices of products and services up following an incident, so under-performing security also impacts customers.
The good news is that there are several best practices organizations can follow to help reduce these costs. Placed in the top four according to the report is “extensive use of encryption.”
Saving money and reducing risk
In this context, it stands to reason that technology capable of effectively rendering stolen data useless to attackers will save organizations on potential financial and reputational costs. Those costs included by IBM in its calculations relate to:
- Breach detection and escalation
- Breach notification
- Post-breach response, including regulatory fines and legal costs
- Lost business including immediate disruption, lost customers and inability to recruit new customers
However, encryption isn’t the only way of ensuring data cannot be monetized by attackers. Tokenization is often favored as it cannot be reverse engineered, reduces the compliance burden and minimizes key management overhead. Whatever data-centric security technology you choose, though, the important thing is that it’s capable of automatically and continuously discovering, classifying and then protecting all sensitive data across the IT environment.
That means it’s able to gain visibility into highly distributed cloud environments. This is key, because nearly half (45%) of data breaches last year were in the cloud, according to IBM. If organizations deploy data-centric security as part of “mature cloud security practices” such as a data classification schema, they could save as much as $720,000 per average breach, the report claimed.
In the end, IBM only considered costs related to breaches of between 2,200 and 102,000 compromised records for its headline findings. The average cost of mega-breaches (involving 1m+ records) can easily reach into the tens or hundreds of millions of dollars. It stands to reason that in those cases, the financial benefit of data-centric security will also be much greater. In fact, a recent Forrester analysis of comforte technology revealed that our data-centric security platform could save $5.4m in losses by rendering data unreadable to hackers. It’s just one of a series of financial benefits that organizations are already taking advantage of by focusing protection on their most important asset: their data.