Is your company prepared for a data breach?

IBM’s latest Cost of a Data Breach Report found that system complexity and skills shortages are amplifying breach costs globally.
Weak defences arising from system complexity and security skills shortages are putting more companies at risk of a data breach and raising the costs of those breaches, according to IBM’s Cost of a Data Breach Report 2024.

What’s the damage? Globally, $4.88 million — 10% more than the global average last year, the biggest jump since the pandemic, the report said. The top three drivers of this increase were security system complexity, security skills shortage, and third-party breaches.

The US led the world in average breach cost — $9.36 million — for the 14th year, the report said. Making up the other top spots were the Middle East, Germany, Italy, and Benelux (Belgium, Netherlands, Luxembourg).

When asked how they’re dealing with these costs, more than half of respondents said their organisations are passing them on to customers, according to the report. “Having customers absorb these costs can be problematic in a competitive market already facing pricing pressures from inflation,” the report said.

The 2024 study was conducted across 16 countries and regions, and 17 industries.  

Nearly half of cyberattacks reported this year were caused by system failures and mismanagement. “Malicious attacks — those committed by outside attackers or criminal insiders — made up 55% of all breaches,” the report said. “As concerning as these breaches are, it’s important to remember the remaining 23% are due to IT failure and 22% are due to human error.”

The most common type of data stolen or compromised was customer personally identifiable information.

Costs from lost business and post-breach response also rose nearly 11% over the previous year. Following a breach, the report said, companies report revenue loss due to system downtime, lost customers and reputation damage, and regulatory fines.

Companies turning to AI fare better

Artificial intelligence (AI) and automation can play key roles in identifying and reducing the cost of data breaches.

“AI and automation solutions are reducing the lifespan needed to identify and contain a breach and its resulting damage,” the report said. Those tools reduced the time to identify and time to contain for companies.

Using AI for preventing attacks is also cutting costs, the report said. Organisations using AI averaged $2.2 million less in breach costs compared to those with no AI use in prevention workflows.

But employee training, alongside AI and machine learning, is also important in improving defence systems and reducing breach costs. “Employee training continues to be an essential element in [cyber defence] strategies, specifically for detecting and stopping phishing attacks,” the report said.

However, rushing to adopt technologies such as generative AI in understaffed cybersecurity teams is a double-edged sword.

“The continuing race to adopt [generative] AI across nearly every function in the organisation is expected to bring with it unprecedented risks and put even more pressure on these cybersecurity teams,” the report said.

4 ways to prepare for a breach

The report sets out recommendations to reduce costs and lower the time it takes to identify and contain breaches:

Understand your data landscape. More than one-third of data breaches involve “shadow data”, the report said. Security teams must now assume their organisations have unmanaged data sources, and data encryption strategies must consider the types of data, its use, and where it resides to lower risk in case of a breach.

Utilise AI and automation. “Organisations that applied AI and automation to security prevention saw the biggest impact from their AI investments in this year’s study compared to three other security areas: detection, investigation, and response,” the report said.

Secure generative AI models. Securing generative AI model development requires scanning for vulnerabilities in the pipeline, hardening integrations, and enforcing policies and access.

Invest in cyber response training. Security leaders are advised to work with business functions across the organisation and with communications teams to draft and test response plans ahead of time.

— To comment on this article or to suggest an idea for another article, contact Steph Brown at Stephanie.Brown@aicpa-cima.com.
