Vulnerable data and rising breach costs

It’s no surprise that data breach costs, which have consistently risen in recent years, continue to do just that.

A recent annual report from IBM Security examines the causes of breaches, as well the associated costs and their contributing factors.  For starters, even the data breach life cycle, wherein an organization discovers and contains a breach, has extended since 2018 from 266 days to 279 days on average.  This also coincides with the total financial cost.  And amid all the facts and figures one thing especially is clear: attacks from malicious actors are the most common and most expensive, costing companies $4.45 million on average.  Nearly half, meanwhile, are still caused by human error or other internal factors, and can cost businesses over $3 million, all told.

Other statistics are equally concerning.  The United States maintains the highest average data breach costs in the world, at $8.19 million, while health care remains the most afflicted industry.  Unfortunately, whatever costs are accrued by an organization, the damages relative to overall size are proportionally more impactful for small-to-mid sized businesses, which lack the extensive resources of their larger counterparts.  For both, however, the types of costs are similar: detection, notification, response and especially lost business due to reputational damage.  Furthermore, for the first time IBM’s report studies the cumulative costs of a data breach over a period of years, revealing just how long companies can experience the aftershocks of a security incident.

The report also discusses impactors that contribute to the higher or lower costs a company might face in the event of a breach.  In order to help lower costs, one recommendation is a coherent, well-tested response plan.  Organizations that know what they will do and practice it generally save over $1 million in post-breach costs.  At the risk of too much self-promotion, another recommendation is strong encryption, to achieve both robust security and compliance with government regulations.

Personally, I think this should go without saying.  Apparently, though, it needed to be said louder for Suprema, the biometrics firm that is now in the news for allowing the breach of 28 million records.  An unencrypted database exposed data on facial recognition, fingerprints, and login credentials: pretty much all the things you’d never want to be compromised.  Since Suprema’s BioStar 2 platform is used in 83 countries around the world, this is a serious issue.  Unalterable personal data could give cybercriminals physical access to secure buildings or critical systems that employ biometrics for security.

I can only imagine the future costs of having such incredibly sensitive data stolen; seems like the aforementioned defensive measures are a small price to pay.