AI is a Cause for Celebration But Also a Growing Fear for Firms as They Deal With Data Breaches

The cost of data breaches has been on a steady incline for the past decade. During this time, firms have had to pay 30 per cent more, as costs rose from $3.5million in 2014 to $4.45million in 2024. However, evidence from IBM, a multinational tech firm, suggests that in the next 10 years, breaches could cost a lot more as we just experienced the highest year-on-year jump in cyber attacks (10 per cent).

The findings come from the IBM Cost of a Data Breach Report, which analysed 604 firms across the globe and how they responded to data breaches between March 2023 and February 2024. This is the 19th iteration of the report, as IBM has studied breaches of more than 6,000 organisations in the past two decades.

With research conducted by the Ponemon Institute, the report found that many fintech teams are understaffed. More organisations faced severe staffing shortages compared to the prior year (26 per cent increase) and observed an average of $1.76million in higher breach costs than those with low-level or no security staffing issues.

“Businesses are caught in a continuous cycle of breaches, containment and fallout response. This cycle now often includes investments in strengthening security defenses and passing breach expenses on to consumers – making security the new cost of doing business,” said Kevin Skapinetz, vice president, strategy and product design, IBM Security.

Saving money and improving defences through AI

Organisations that were constantly using generative AI incurred lower costs than competitors not using the technology. The tech enabled some organisations to save over $2.2million per data breach, making it the biggest cost-saving solution, according to the IBM report.

Sixty-seven per cent of organisations deployed security AI and automation extensively – a near 10 per cent jump from the prior year. A further 20 per cent stated they used some form of gen AI security tools.

Organisations that employed security AI and automation extensively detected and contained an incident, on average, 98 days faster than organisations not using these technologies. At the same time, the global average data breach lifecycle hit a seven-year low of 258 days – down from 277 days the prior year. The report revealed that these technologies may be helping put time back on defenders’ side by improving threat mitigation and remediation activities.

Skapinetz added: “As generative AI rapidly permeates businesses, expanding the attack surface, these expenses will soon become unsustainable, compelling business to reassess security measures and response strategies. To get ahead, businesses should invest in new AI-driven defenses and develop the skills needed to address the emerging risks and opportunities presented by generative AI.”

However, while generative AI can be a big help to organisations, many also fear it. In fact, according to a study from the IBM Institute for Business Value, 51 per cent of business leaders surveyed were concerned with unpredictable risks and new security vulnerabilities arising, and 47 per cent were concerned with new attacks targeting AI.

Acknowledging and dealing with staffing problems

As AI emerges on the playing field though, organisations are facing another problem. They do not have the resources or manpower to deal with the new technology appropriately. In fact, more than half of the organisations studied had severe or high-level staffing shortages last year and experienced significantly higher breach costs as a result ($5.74million for high levels vs. $3.98million for low levels or none).

Mounting staffing challenges may soon see relief, as more organisations stated that they are planning to increase security budgets compared to last year (63 per cent vs. 51 per cent), and employee training emerged as a top planned investment area. Organisations also plan to invest in incident response planning and testing, threat detection and response technologies (e.g., SIEM, SOAR and EDR), identity and access management, and data security protection tools.

Lost business and post-breach customer and third-party response costs drove the year-over-year cost spike, as the collateral damage from data breaches has only intensified. The disruptive effects data breaches are having on businesses are not only driving up costs, but are also extending the after-effect of a breach, with recovery taking more than 100 days for most of the small number (12 per cent) of breached organisations that were able to fully recover.

Are internal practices costing firms more?

The report found that 40 per cent of breaches involved data stored across multiple environments including public cloud, private cloud, and on-prem. These breaches cost more than $5million on average and took the longest to identify and contain (283 days).

These data visibility gaps contributed to the sharp rise (27 per cent) in intellectual property (IP) theft. Costs associated with these stolen records also jumped nearly 11 per cent from the prior year to $173 per record. IP may grow even more accessible as gen AI initiatives push this data and other highly proprietary data closer to the surface. With critical data becoming more dynamic and active across environments, businesses will need to reassess the security and access controls surrounding it.

However, it would not be right to solely criticise internal practices. Shorter breach lifecycles can also be attributed to the increase in internal detection: 42 per cent of breaches were detected by an organisation’s own security team or tools compared to 33 per cent the prior year. Internal detection shortened the data breach lifecycle by 61 days and saved organisations nearly $1million in breach costs compared to those disclosed by an attacker.

Other key findings in the 2024 Cost of a Data Breach Report 

At 16 per cent, stolen/compromised credentials were the most common initial attack vector. These breaches also took the longest to identify and contain at nearly 10 months.
By bringing in law enforcement, ransomware victims saved on average nearly $1million in breach costs compared to those who didn’t – those savings exclude the ransom payment for those that paid. Most ransomware victims (63 per cent) who involved law enforcement were also able to avoid paying a ransom.
Healthcare, financial services, industrial, technology and energy organisations incurred the highest breach costs across industries. For the 14th year in a row, healthcare participants saw the costliest breaches across industries with average breach costs reaching $9.77million.
Sixty-three per cent of organisations stated they would increase the cost of goods or services because of the breach this year, a slight increase from last year (57 per cent). This marks the third consecutive year that the majority of studied organisations stated they would take this action.

The post AI is a Cause for Celebration But Also a Growing Fear for Firms as They Deal With Data Breaches appeared first on The Fintech Times.