The 2020 Cost of Data Breach report from IBM and the Ponemon is out. It provides a detailed analysis of causes, costs and controls that appeared in their sampling of data breaches. The report is full of data, and the website allows you to interact with its information so that you can do your own analysis and/or dig into aspects relevant to you and your industry. The obvious finding is that data breaches are expensive. The average cost of data breach is between $3 million and $4 million. That million-dollar difference is based on how long the data breach lifecycle lasts. The breakpoint is the 200-day mark. Shortening the lifecycle reduces the cost, so anything you can do to reduce the time it takes to identify a breach, contain it and take the appropriate corrective actions will save you money. Fortunately, the report points to some ways to blunt the impact of a breach or, better yet, prevent one from occurring in the first place. Here is where I see the biggest returns on investment based on the report’s findings. https://www.youtube.com/watch?v=RzlSyicS4G4&feature=youtu.be
Number One Exposure: Cloud Configuration
The leading cause of breaches in 2020 was misconfigured cloud deployments. This isn’t surprising given how many companies are moving their infrastructure to public cloud platforms. With this move, unfamiliar technologies and new ways of managing infrastructure are introduced; the cloud offers quick and easy deployments without the well-known guardrails of a traditional data center. It’s like moving into a new house, only it’s a huge mansion with doors everywhere, and some of them are hidden in surprising places. This complexity makes room for human error and misconfiguring cloud-based data. Luckily, you can hire someone to go through the house, find all the entrances, show you where they are and secure them for you. This is exactly what tools like Tripwire’s Cloud Management Assessor do. Securely configuring the cloud prevents or greatly reduces the chance that data there will be maliciously accessed or stolen.
Further Reading on Cloud Security:
- Top 5 Cybersecurity Risks with Cloud Migration
- Most security pros are concerned about human error exposing cloud data
- Survey: 76% of IT Pros Say It’s Difficult to Maintain Security Configs in the Cloud
Reducing the cost of a breach
There are a host of things that can help to reduce the cost of a breach either by limiting the event’s duration or severity. There are three that stood out to me in the report. Not all of them require purchasing a technical control set.
1) Preparedness
Imagine an orchestra is performing in front of a live audience. When they come out to play, there is no conductor, and they don’t know what music they’ll be performing until they are seated on the stage. When they start to play, it won’t sound very good, and it may take a while for them to get in synch. Even then, there will be mistakes as players work through the music for the first time. This is the same situation your security and IT teams are in if they haven’t prepared for a breach. Even worse, they may not have an instrument or done any practice recently. Like an orchestra, sports team or first responder, practicing for the show, game or emergency event ensures a more successful outcome. In the Cost of Data Breach report, there were several things that led to cost reduction, which I’ve grouped under-preparedness. These are as follows: incident response training, business continuity, building an incident response team and employee training (e.g., phishing simulations and security awareness). It’s not surprising that preparing for a breach and response practice would make identification and resolution quicker, thereby making the costs and time of implementing these controls worthwhile. According to the Cost of Data Breach report, the programs I have grouped under ‘preparedness’ would reduce the cost of a breach by almost $1 million on average.
Further Reading on Business Continuity and Incident Response:
- Business Continuity Requires Infrastructure Continuity in Times of Remote Working
- SANS 2019 Incident Response Survey: Successful IR Relies on Visibility
- Why You Need a Concrete Incident Response Plan (Not Strategy)
2) Vulnerability Management
Ignorance is not bliss when it comes to weaknesses in your enterprise, which is why one of the top five CIS critical security controls involves continually identifying and addressing vulnerabilities in your environment. A strong vulnerability management program can prevent a breach or significantly limit its impact, reducing the cost by almost $175k on average. That goes up to $400k if you include red-team testing as part of the program. Much like cloud configuration, finding weaknesses in applications, operating systems and network configurations allows you to prioritize and remediate those weaknesses. The quicker you can do that, the less likely it is that the weakness will be exploited.
Further Reading on Vulnerability Management:
- The Center for Internet Security (CIS) Use Cases and Cost Justification
- Effective Threat Intelligence Through Vulnerability Analysis
- Climbing the Vulnerability Management Mountain
3) Managed Security Services
The cyber security skills gap has been a topic this blog has addressed previously, and it continues to be a challenge for companies. In order to address this gap as well as to grow the number and sophistication of their security tools, these companies are increasingly turning to managed services to ease the burden. It turns out this staff augmentation not only lightens the weight borne by over-taxed security teams; it also decreases the cost of a breach by an average of almost $80,000.
Further Reading on the Cybersecurity Skills Gap:
- Podcast Episode 4: Understanding the Impact of the Skills Gap on the Infosec Market
- Bridge the Cybersecurity Skills Gap With Tripwire
- How Organizations Can Fight to Retain Talent Amidst the Infosec Skills Gap
Why the Cost of a Breach Is Growing
If the practices listed above help to decrease the cost of breach, what contributed to the growth of the cost in the first place? These the factors that stood out to me from the report: 1) Compliance failure – It feels like adding insult to injury when fines and compliance remediation are piled on top of dealing with the cost of a breach. However, compliance isn’t just a practice for staying on the good right side of regulations or business requirements. Those audits are like a regular check-up with your doctor to ensure your security controls are healthy. Continuous compliance thereby helps keep you secure and saves you money in the event of a breach – over $250k on average. 2) Skills shortage – This is a corollary to the managed services cost savings noted above. Not having the resources on hand to prevent or manage a breach added an average of $260k to the cost of a breach. Whether it’s adding staff, providing training or using managed services, finding a way to bridge the gap will help reduce the impact of a data breach significantly. 3) Cloud migrations – Moving infrastructure to the cloud is not a quick or easy process, and it requires planning and expertise to do it effectively and safely. Data exposure during cloud migrations is a risk, especially since environments will necessarily reside in incomplete or transitory states and staff will be learning how to operate the new environment. With the number one exposure this year being cloud misconfigurations, focusing on good architecture, secure configuration and testing will pay dividends in risk reduction. 4) Security System Complexity – It may seem like having a host of security systems to create defense-in-depth is good strategy, but it turns out it is the greatest cost amplifier in a breach, adding almost $300k to the cost on average. Unless there are enough people with the right skills and well-defined processes in place, all those security systems make it harder and more expensive to handle a security incident. Focusing on the critical controls that provide continuous security will be more beneficial than a breadth of tools adding noise to your system. Having enough trained staff on hand will reduce the cognitive load and ensure you have the expertise to get the value from the tools deployed. Managed services can also reduce complexity by shifting some of the control work to a team dedicated to delivering that value, thus allowing you to focus on your areas of expertise.
Surprising Findings
There were two findings in the report that I found surprising for different reasons. One because it’s a measure intended to protect data privacy, and the other because it ranks quite low on the CIS critical control list.
Anonymized Data is Still Expensive
Stolen anonymized customer data still costs a lot of money – around $140 per record. This tells me two things: 1) anonymized data is valuable to attackers and businesses, and 2) anonymization is good for privacy but isn’t an effective security control. As a practice, reducing or removing personally identifiable information (PII) is a good idea, and it does reduce the cost of per record in a breach event. What it does not do is eliminate the cost altogether. Treat customer data regardless of whether it has PII or not as sensitive by encrypting, segmenting, classifying and limiting access to it.
Red Team Exercises Have a Big Impact
Running live adversarial tests of your data environment is a good idea and will help to discover weaknesses that an automated scanner may not. This is still one of the CIS critical security controls. It just happens to be near the bottom of this list. This is due to the people, time and expertise that are required to effectively perform red team exercises as well as the impact that some of the more fundamental controls have on overall security posture. What surprised me in the report was the outsized impact on cost of a breach this control had. According to the report, red team testing reduced the cost of a breach by an average of $243k. As an investment, training a team to add this control to your toolbox may be worthwhile. The skills will strengthen your overall security posture, decrease the skills gap, and, best of all, allow your teams to have fun! To review IBM and Ponemon’s report in full, click here.