Victims shouldering ultimate costs of data breaches

Companies are making sure security incidents don't impact their bottom lines, finds Billy MacInnes
28 July 2022

It’s strange how one isolated finding in a report can sometimes reverberate most loudly for the largest number of people. A classic example is the story this week concerning the release of the 2022 Cost of Data Breach Report by IBM Security.

There is a lot of detail about data breaches in the report. For example, 83% of the organisations surveyed had experienced more than one data breach and the average cost of a breach had risen to $4.35 million by March 2022, a record amount.

It also found that paying ransomware attackers didn’t really help victims that much, with their average data breach cost only reduced by 14% – and that doesn’t include the cost of the ransom itself. Given the high cost of ransom payments, the financial toll could be even higher, suggesting paying the ransom might not be an effective strategy.

The study contained a very strong endorsement for using AI and automation in security, finding that organisations that had fully deployed security AI and automation incurred $3 million less on average in breach costs compared to those that had not. This was “the biggest cost saver observed in the study”.

Another interesting point concerned the extra costs of breaches where remote working was a factor, with the study finding they cost $600,000 more than the global average.

It’s probably also worth noting the slightly surprising finding (to me, at least) that the largest share of costs in terms of dealing with data breaches was detection and escalation. This put it above the lost business costs involved in trying to minimise the loss of customers, business disruption and revenue losses.

In plain sight

Strangely, none of these issues were given the greatest prominence in IBM’s efforts to publicise the report. “IBM Report: Consumers pay the price as data breach costs reach all-time high” blared the headline on the company’s announcement of the study.

The first paragraph informed us: “With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organisations raised their product or services prices due to the breach, when the cost of goods is already soaring worldwide amid inflation and supply chain issues.”

You have to admit, that’s some statistic. And it’s a great way of framing the cost of security breaches in a way that everyone can understand. People might find it hard to feel fully engaged with how much money a company that suffers a data breach may or may not have to pay to get things up and running. But if you tell them that it’s going to cost them more as a result, well, that might get more of their attention.

All well and good, but unfortunately, the report has only a passing reference to it under the key findings heading on page five: “Sixty percent of organisations studied stated that they increased the price of their services or products because of the data breach.”

If you want to know more, there isn’t any. The same finding is brought back on page 13 and that’s it, as far as I can see.

It’s not at all strange that it should be given such prominence; what is strange is that there’s so little detail around it to flesh it out. It’s a really significant finding. People would be very interested to hear if they are paying more for a service or goods because of a data breach at the company supplying those services or goods to them. Interested but not necessarily happy.

You can see how people might not be overjoyed to be paying more because their supplier can’t protect itself against data breaches. It’s not exactly an attractive option to pay more to a company because it experienced an IT security failure. In fact, they might want to take their custom to another business that hadn’t been a victim of a data breach. They especially wouldn’t want to be paying more at a time when their costs are already increasing due to a number of other factors.

So it’s good to highlight that people are potentially being charged more because of their suppliers’ failings. All they need to do now is work out what to do with that information.
