Consumers left out of pocket as security costs soar

The impact of cyber security incidents and data breaches may be contributing in a small way to the rising cost of goods and services that is leaving millions of UK citizens on the brink of financial crisis, as victim organisations struggle to recoup their losses from incident response, forensics, ransom payments and regulatory fines.

This is according to the latest edition of IBM Security’s annual Cost of a data breach report, which found that as the average cost of an incident across its surveyed base hits a high of $4.35m (£3.61m), up 13% over the last two years of the report, 60% of victim organisations have had to raise the price of their products or services as a direct result of the incident.

Darren Williams, CEO and founder of anti-ransomware specialist Blackfog, said that the study’s findings were not particularly surprising.

“Rising data breach costs are to be expected and unfortunately many consumers are now jaded by breach notifications as they happen on such a regular basis,” said Williams.

“Given the increase in cyber attacks generally and the new focus on data exfiltration rather than encryption, the number of breaches and the costs of remediation is likely to rise at a much faster rate in the coming years.

“As it becomes increasingly difficult to obtain cyber insurance coverage and/or pay-outs following cyber incidents, companies will certainly look to pass these costs on to their customers, who will end up not only footing the bill for the breach, but also paying the price for having their data in the hands of criminal gangs or for sale on the dark web,” he said.

Trevor Dearing, director of critical infrastructure solutions at zero-trust specialist Illumio, said that IBM’s survey had demonstrated how important it was for organisations to prepare for incidents ahead of time, rather than respond to them.

“Figures like this that place the average data breach at an eye-watering cost of $4.4m really put the scale of the problem into perspective,” said Dearing. “By putting in protection before an attack, organisations can mitigate any costs that would be passed onto consumers.

“By taking a zero-trust approach, segmenting critical assets, and only allowing known and verified communication between environments, security teams can limit the impact of an attack for both the organisation and its customers.”

The study noted that a great many organisations, and over 80% in the case of highly-vulnerable critical national infrastructure (CNI) operators, had not yet adopted zero-trust strategies, and those organisations saw the average cost of a breach rising beyond $5m.

Other factors in the varying cost of a breach included payment or non-payment of ransomware demands, with the data showing those who chose to pay, against all reasonable advice, actually saw average costs fall by approximately $610,000, not including the payment.

Meanwhile, the 43% of respondents who were still in the early stages (or who had not started) implementing security best practice in their cloud environments were on the hook for $660,000 more than those who were on top of cloud security, and organisations that had implemented security artificial intelligence (AI) and automation incurred $3.05m less on average, making such technology the biggest cost-saver yet observed by the study.

“Businesses need to put their security defences on the offence and beat attackers to the punch. It’s time to stop the adversary from achieving their objectives and to start to minimise the impact of attacks,” said Charles Henderson, global head of IBM Security X-Force.

“The more businesses try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost of living increases. This report shows that the right strategies coupled with the right technologies can help make all the difference when businesses are attacked.”

IBM said the constant barrage of cyber attacks faced by organisations was also shedding light on a “haunting effect” of breaches, with the vast majority of those surveyed having experienced multiple breaches, and many reporting that they were still incurring unexpected costs months or even years, after an incident.

IBM’s findings back up – to some extent – a recent policy shift at the UK’s Information Commissioner’s Office (ICO), which recently announced it would be cutting back on fining public sector breach victims, saying that to do so effectively visits the cost of an incident on the public in the form of reduced budgets for critical services.