What is the IBM data breach report and why do we love it?
IBM began surveying companies globally on the cost of data breaches 14 years ago. While many reports and surveys do exactly that, IBM's differentiator is its analysis of cost mitigation factors. For the first time, we have a clear return-on-investment indication: the cost of the controls versus the cost of the breach. If you haven't read this report, we strongly suggest that you read it and dissect it inside and out.
In this article, we will do a deep dive on the report, what we can read from it, and what lessons we can draw from it.
To read the report, search IBM Data Breach report or get it from here: IBM Cost of Data Breach Report 2023
Note about Australian Companies
We found that the report does not cover many Australian companies. Only 24 Australian companies have been included in the survey. This is not large enough to support a statistically significant analysis, so more work is needed in future years for Australian companies and smaller businesses.
We would love to see more focus on companies with fewer than 500 employees. Currently, this is only reported as a single category. Taking into consideration that 80% of businesses in Australia have fewer than 500 employees, we would love to see a governing body (such as the ACSC) adopt a similar methodology to provide more insight into breaches.
We are not sure of IBM's strategy for approaching customers, but we would invite anyone who has the opportunity to respond to the IBM data breach survey to do so, as this would benefit all companies.
Mega breaches
Optus, Latitude, and Medibank should read and consider this section, as their names are all over it. While IBM states that a sample of 20 companies with more than 1 million records breached is too small to draw conclusions from, they use Monte Carlo simulation to estimate and generalize their findings. In plain English, this sample is too small and prone to significant deviation errors. In our experience, we believe that the figure of USD 332 million given by IBM is very conservative.
To be fair, the tangible breach costs from the 3 largest recent breaches in Australia are as follows[1]:
Optus: AUD $140 million
Medibank: AUD $45 million
Latitude: AUD $53 million
The above sample, like IBM's mega-breach sample, is too small to generalize from; in addition, there is too much variation in the costs. We believe that Optus has been more transparent about the cost than Medibank and Latitude. Finally, it should be noted that these numbers do not take into account the class actions that are currently in progress.
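To make the sample-size point concrete, here is an added illustration that is not part of the original article and does not use IBM's data: it draws a constructed, hypothetical set of breach costs from an assumed heavy-tailed (log-normal) distribution, then bootstraps the mean cost to show how much wider the 95% uncertainty interval is at n=20 than at n=200. The distribution parameters (median, spread) are assumptions chosen for illustration only.

```python
import math
import random
import statistics

# Constructed, hypothetical breach-cost model (USD millions). Not IBM's data:
# a log-normal with a median near 300 gives the heavy right tail that breach
# costs typically show. Both parameters are assumptions for illustration only.
MEDIAN_COST_USD_M = 300.0
LOG_SIGMA = 0.8


def simulate_costs(n, seed):
    """Draw n hypothetical per-breach costs from the constructed distribution."""
    rng = random.Random(seed)
    mu = math.log(MEDIAN_COST_USD_M)
    return [rng.lognormvariate(mu, LOG_SIGMA) for _ in range(n)]


def bootstrap_mean_interval(sample, iterations=5000, confidence=0.95, seed=42):
    """Percentile bootstrap interval for the mean of `sample`.

    Resamples with replacement, recomputes the mean each time, and returns the
    central `confidence` fraction of those means as (low, high).
    """
    rng = random.Random(seed)
    n = len(sample)
    means = sorted(statistics.fmean(rng.choices(sample, k=n)) for _ in range(iterations))
    lo_idx = int(round((1 - confidence) / 2 * iterations))
    hi_idx = int(round((1 + confidence) / 2 * iterations)) - 1
    return means[lo_idx], means[hi_idx]


def relative_interval_width(sample, **kwargs):
    """Interval width as a fraction of the sample mean: the 'deviation error'."""
    lo, hi = bootstrap_mean_interval(sample, **kwargs)
    return (hi - lo) / statistics.fmean(sample)


def compare_sample_sizes(small_n=20, large_n=200, seed=7):
    """Return relative interval widths for a small and a large constructed sample."""
    small = simulate_costs(small_n, seed)
    large = simulate_costs(large_n, seed + 1)
    return relative_interval_width(small), relative_interval_width(large)


if __name__ == "__main__":
    small_w, large_w = compare_sample_sizes()
    print(f"n=20:  95% interval spans {small_w:.0%} of the mean")
    print(f"n=200: 95% interval spans {large_w:.0%} of the mean")
```

With a heavy right tail, a handful of very expensive breaches dominates the mean, so the interval at n=20 typically spans most of the estimate itself; that is the "significant deviation error" a point figure such as USD 332 million hides.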
Data breach cost mitigation
This section is the holy grail and most important part of the report. It is what makes the IBM report so useful and stands out from the crowd. It should be prioritized and drive security strategy and priorities. If people are too impatient to read the entire report, they should at least read and consider this section.
Figure 1: Cost mitigation Factors[2]
Comments on the Cost Mitigation
Incident response: For many years, incident response has been and always is the best return on investment when it comes to data breach mitigation. Plan, document, test, update, and repeat. There is no secret sauce to this; it is simply good process improvement.
External security reporting: Since two-thirds of breaches are identified by external parties or entities, including partners, we strongly suggest that companies enable and allow external parties to report security issues found from outside. A simple email on the company portal to report security incidents may be sufficient to start detecting issues early.
SOAR/SIEM and XDR: While we previously did not have a tangible return on investment for these technologies, the report now shows a return on investment of nearly $800,000 when deploying these large-ticket items in your security program. Additionally, consider using a SOAR vendor that employs some form of AI in their detection and response capabilities.
User Awareness Training: Please drop everything you are doing and start your user awareness training process if you have not already done so. This program will save you thousands of dollars, and it will only cost pennies.
Attack Surface Management: Consider a number of attack surface management (ASM) practices, such as application whitelisting, restricting local admin privileges, and hardening endpoints. These practices will play a key role in blocking zero-day attacks when they emerge.
EDR versus traditional antivirus: This year, IBM showed the value of deploying EDR compared to traditional antivirus. If you are still using signature-based antivirus, please consider upgrading to a more robust technology such as EDR; trust us, this money is very well spent.
CISO/leadership: Please consider hiring or contracting a part-time CISO to lead your security strategy and roadmap, whether you are a top-tier firm or a small fund company. If you have any queries, please reach out to us to see how we can assist.
Cyber Insurance: Insurance must be your last resort only; it should never be your first. While we hear mixed stories about the quality of cyber insurance support services during and after a breach, we urge all companies to avoid the thinking that cyber insurance will protect them from breaches.
DevSecOps: While the report states that this is the biggest cost saving, we would question to what extent the security testing integrated into DevOps is what drives that impact; more clarity is needed here. Additionally, since phishing, user error and compromised credentials are stated as the top sources of breach in the report, it is unclear why DevSecOps has the highest cost saving among all controls.
Closing thoughts
Every year, this report provides us with great insights on the cost of data breaches, the mitigating factors, and what companies need to prioritise in their security investment. However, it lacks a large enough sample base to conclusively generalise the findings. We also strongly welcome and encourage the inclusion of more Australian-based data that covers SMBs more granularly.