The global six-year average cost of a data breach is $3.78 million. To address this liability head-on, organizations must incorporate industry and security best practices into their cybersecurity posture to reduce the cost of what most cybersecurity professionals recognize as an inevitable data breach.
FortiGuard Labs’ Chief of Security Insights & Global Threat Alliances, Derek Manky, recently teamed up with Dr. Larry Ponemon of the Ponemon Institute for Fortinet’s Executive Cyber Exchange: The Perspective Series. This presentation, titled “The Economics of Data Breaches & Cybersecurity Exploits,” centered on the economic impact of data breaches and cyberattacks, while also noting the investments that organizations should make to minimize the financial burden of such an event.
Below are some of the key takeaways from Ponemon and Manky that explain why organizations should shift from a detection-based focus to one that is centered on breach prevention to save on the resources, costs, damages, time, and loss of reputation that occur following a successful attack.
What Factors Contribute to the Cost of a Data Breach?
Benchmark research conducted by the Ponemon Institute concluded that the global six-year average cost of a data breach amounts to $3.78 million. However, the financial consequences of a data breach can vary based on several factors, including root causes, network size, and the type of data held by an organization.
Overall, malicious attacks were found to be the leading root cause of data breaches, followed by human error and system glitches. Loss of business was determined to be the most significant cost contributor, resulting from business disruption, system downtime, customer turnover, and reputational damage that inevitably result in revenue losses. Additionally, cost amplifiers like cloud migration, IT complexity, and third-party breaches were found to add close to $370,000 to the total cost of a breach.
So, what can organizations do to address these security challenges? Derek Manky highlighted the importance of incident response and automated threat intelligence, explaining how his team leverages these concepts to lessen the impact of data breaches:
“At FortiGuard Labs, we are essentially an external SOC for customers in the sense that we’re creating definition updates, antivirus updates, and actionable intelligence. We’ve seen considerable cost benefits stemming from machine learning models, particularly with application vulnerabilities with actionable intelligence on malware. We have one system on the backend that analyzes malware and when it can properly identify that something is malicious, it creates actionable updates that are then pushed out to our Security Fabric and our customers. That system is effectively doing the output job of a team of several analysts. Therefore, organizations can realize a considerable cost benefit by implementing machine learning within their incident response plans.”
On the other hand, cybercriminals are also leveraging automation and machine learning to increase the speed and efficiency of attacks. Manky notes:
“Cyber adversaries are weaponizing AI and leveraging swarm technology as a catalyst to speed the attack cycle up even further. The use of offensive automation results in decreased latency for attackers, or a reduced time to breach (TTB), thereby increasing their rate of success. Security teams need to account for the fact that attacks are happening at a much quicker pace and adjust their defensive strategies accordingly. This requires advanced automation technology.”
The Cybersecurity Lifecycle and the Importance of Prevention
There are five phases of the cybersecurity lifecycle, ranging from prevention to remediation, that should be part of every organization’s security strategy. Each stage is crucial to reducing the impact of a breach through threat identification, incident response, and resolution.
- Prevention is the effort to stop malicious threats from infiltrating the network and to classify the types of attacks that are targeting the organization in real time. In this phase of the lifecycle, organizations can stop attacks before any process can run on the network.
- Detection is the effort to recognize and identify threats within an organization’s IT security infrastructure that have managed to bypass prevention efforts. During this phase, organizations need to be able to identify malicious processes that are running on a device in the network.
- Containment refers to the effort to stop the spread of a cyber threat once it has been detected and identified on the network.
- Recovery occurs following threat containment. In this phase of the cybersecurity lifecycle, security teams work to restore the IT infrastructure to its previous, stable state.
- Remediation refers to the effort made to ensure that processes and technologies are updated to mitigate future cyber events. This includes updating training and awareness programs when individuals played a role in enabling a breach to occur.
Most organizations tend to focus the majority of their cybersecurity efforts on the detection of cyberattacks because they perceive prevention as too complicated to achieve. In fact, 76% of respondents to a Ponemon survey agree or strongly agree that prevention would be too challenging to accomplish within their cybersecurity program. When asked about their reasoning, respondents noted issues around attack identification, deploying effective technologies, their own in-house cybersecurity experience, and the challenge of false-positive cyber threats.
Although preventing a cyberattack is challenging, Dr. Larry Ponemon explained that organizations can realize significant cost savings when an attack is thwarted during this phase of the cybersecurity lifecycle. He detailed such cost savings with the following example:
“Fending off phishing attacks costs an average of $832,500. But 82% of that cost is spent during the detection, containment, recovery, and remediation phases, and only 18% is spent during prevention. So, if an attack is prevented, total cost savings would be $682,650.”
Security Operations Centers and Cost Efficiency
According to findings from the Ponemon study, most organizations believe their security operations centers (SOCs) are a crucial element of their security strategies. When asked to rank the importance of SOC activities, respondents reported that most of their SOC value comes from the minimization of false-positive detections, the enhanced reporting of threat intelligence, the monitoring and analysis of alerts, and improved intrusion detection. However, close to half of all respondents also reported dissatisfaction with their SOC’s overall ability to detect attacks.
Additionally, after investigating the economics of security operations centers, researchers found that outsourcing SOC services does not improve cost efficiency. On average, organizations spend $2.86 million per year on their in-house SOC – but this cost increases to $4.44 million when outsourcing SOC functions to a managed security service provider (MSSP).
However, those numbers depend on having the right SOC resources in-house. Three-quarters of organizations rated the management of a SOC environment as challenging. At the same time, only half of those organizations found they were able to hire the right talent to manage their SOC, which may also be why only half of those organizations felt that their SOC environment was effective. The crucial takeaway is that cost is only part of the equation in establishing an effective SOC environment. Organizations need to focus on assembling the best possible SOC team.
AI Improves Incident Response and Lowers Costs
Considering the high success rate of data breaches, Manky highlighted the critical role of incident response and automation in reducing data breach costs. He emphasized that artificial intelligence (AI) is an essential tool that can help SOC teams overcome the challenges associated with breach mitigation and incident response.
Most organizations report success with AI implementation, seeing increases in the speed of threat analysis, acceleration in threat containment through the automatic separation of infected endpoint devices or hosts, and improved identification of security vulnerabilities. By realizing these benefits, organizations can leverage AI to reduce the time and cost of incident response. Dr. Larry Ponemon further explained:
“When AI is used to contain cyber exploits, the time and cost are significantly reduced. The average cost of not using AI to address cyber exploits is more than $3 million, versus $814,873 if AI is used. Thus, a company can potentially save an average of more than $2.5 million in operating costs.”
Final Thoughts
Top CISOs and experts in the security field warn that data breaches are inevitable. With breach costs reaching close to $4 million, organizations must be fully prepared to prevent or deal with the fallout associated with a successful attack. For this reason, organizations should focus their efforts on developing a security framework that highlights prevention and incident response while also leveraging AI capabilities to decrease the economic impact of a breach.