Cost of a Data Breach Average $15.01 Million: Black Kite

Black Kite has today released ‘The Cost of a Data Breach: A New Perspective’, which examines the impact of 2,400 cyber incidents between 2017 and 2022. The most notable takeaway is that, of the 1,700 breached companies whose digital presence could still be monitored, the overall average cost of a data breach is now over $15.01 million. Additional key findings include:

  • Overall average cost of a data breach (outliers removed) – $15.01 million
  • Overall average cost of a data breach (including outliers) – $75.21 million
  • Most financially devastating threat actor: Conti, with ten attacks averaging $84.98 million per incident
  • Seven hundred of the companies breached within the last five years – or one-third – no longer have a digital presence or never disclosed their company name
  • Seventy-nine percent of the 1,700 analyzed breached companies are highly susceptible to a phishing attempt
  • Finance and Insurance had the highest number of incidents (445), with an average cost of $35.34 million per incident

None of those are trivial numbers. Mark Bower, VP of Product Management for Anjuna Security, had this to say:

     “While many of the classical threats, including ransomware, penetrate and devastate traditional on-premises servers and IT, the stakes are even higher with increasing cloud transformation driven by the need to handle more data, more analytics at a scale not previously possible. To avoid such projects becoming part of the trillion-dollar data breach debt, forward-thinking organizations are embracing completely new confidential computing models to essentially eliminate the new and vulnerable cloud attack surfaces. By embracing this, the most sensitive workloads can be executed with controls locked by cloud computing hardware itself – and highly resistant to attack from inside threats or external exploitation.”

My take-home from this report is to not be a victim, because, based on these numbers, it’s cheaper to prevent being a victim than to be pwned.

UPDATE: I have two additional comments. The first is from Sanjay Raja, VP of Product at Gurucul:

     “As successful breaches continue to pile up and the cost of a breach continues to escalate, too many vendors are claiming to have the silver bullet to solve the challenges that security operations teams face, while really providing a cobbled-together set of capabilities, like a house of cards. We have seen the direct result of more advanced and costly attack campaigns combined with unadaptable and insufficient SIEM and XDR solutions leading to security struggling to detect, investigate and respond to attacks from just 2 to 3 months extended to 7 to 9 months in recent years. Tacking on analytics or functional pieces is not the solution. Organizations need an integrated approach that not only detects an attack, but also helps security teams prioritize and validate the full attack campaign early in the kill chain. This requires significant breadth and depth of open and interconnected security analytics across a wide set of data sets, behavioral-based detection methods working in conjunction, not siloed, and accurate and precise context and risk scoring to drive the entire security operations lifecycle until the attack is fully eradicated, before an organization loses millions of dollars, brand reputation and shareholder value.

As always, the best defense is an effective offense to protect against data breaches. Organizations need newer and more advanced technologies beyond current XDR and SIEM platforms. Prioritizing solutions that automate detection, prioritize seemingly random indicators of compromise for further investigation and automate responses with a high level of confidence are critical in deciding where to invest.”

The second is from Kevin Novak, Managing Director at Breakwater Solutions:

     “Small to mid-sized businesses (SMBs) are particularly susceptible, and very financially exposed, to threats today. To compete, they are being forced to deliver technological capabilities that rival their larger competitors, but they simply don’t have the benefits of scale that those larger companies have to support that technology. In fact, we often see SMBs with no formalization of cybersecurity within the enterprise that nonetheless maintain a significant online presence. The good news for these SMBs is that third parties and the use of public cloud services have made it possible for firms to offer technology solutions rivaling the larger institutions. The bad news is that these third parties often maintain a “shared security responsibility” model, one that is regularly misunderstood by enterprises purchasing their services. This leaves the door open for accidental misconfigurations and accounts for one of the most significant causes of security events today.

Often, when thinking about cybersecurity, an enterprise will consider things like data being leaked, or bank accounts being compromised. Their decision making around these threats leads to only partially informal decisions about loss appetite. They fail, unfortunately, to consider many of the other aspects of cyber risk, including cyber events that, for instance, create operational downtime or a complete unrecoverable loss of company data. This is particularly seen with attacks that leverage destructive malware and ransomware (one of the top attack types seen today). Companies that suffer such events face the possibility of a complete, extended operational meltdown, one that is very difficult to explain to clients and regulators. It should come as no surprise, then, that these types of attacks tend to cost companies the most. For this reason, firms need to consider not only those controls that can be used to prevent a cyber event, but also those principles that detect, respond to, and recover from an event. This includes the development and maintenance of a security operations center focused on threat detection, an Incident Response program, and a Business Continuity and Disaster Recovery Program, one that is particularly focused on ensuring the resilience of the most critical business processes and data.

It is very important that companies consider the spectrum of potential loss events in the context of their own design, with knowledge of their total loss potential with and without controls. This includes developing an understanding of the possible cyber scenarios that might befall that company, and further mapping the likelihood of each scenario occurring. While tail events understandably don’t happen often (though more so in the past several years), those tail events may be large enough to threaten the firm’s ability to maintain itself as a going concern, or minimally create a material, reportable loss for the firm. For this reason, Black Kite has posted their findings with and without consideration for tail events. It’s important to recognize that while the average without tail events (the most common events) is $15.01MM, the average with tail events jumps to $75.21MM…clearly a number of very significant loss events in that mix…ones that firms should consider when determining overall cyber risk loss exposure.

With SMBs and even larger firms, we often see significant opportunities for focus when it comes to cybersecurity and dollar spend strategies.”
