The average cost of a data breach has reached an all-time high of $4.45 million, warns guest author Martin J. Krämer of KnowBe4.
One of the most striking findings of IBM Security’s recently released Cost of a Data Breach Report 2023 is the 42 per cent rise in the cost of detecting and escalating breaches. This points to more complex breach investigations and reflects the growing sophistication of attackers. Generative AI tools such as WormGPT also lower the skill needed to mount convincing attacks. Businesses therefore need to invest in robust detection and response capabilities so that breaches are identified early and their impact is kept small.
Financial burden is transferred to consumers
Surprisingly, 95 per cent of the organisations surveyed had suffered more than one data breach. Yet instead of prioritising investment in security, 57 per cent chose to pass the cost of the incident on to consumers. The 2022 report found much the same, with 60 per cent of respondents saying they had raised prices. This approach remains worrying: it not only shifts the financial burden to consumers but also leaves the root cause of the breach unaddressed, so the organisation stays exposed to the next attack.
Phishing was the initial attack vector in 16 per cent of breaches. At $4.76 million, the average cost of a breach that begins with phishing is the second highest of any vector, behind only malicious insider attacks. Organisations that do invest after a breach, rather than simply passing on the cost, put that money chiefly into incident response planning and testing (50 per cent) and employee training (46 per cent).
Employee training to reduce cost
Employee training is also identified as the second largest factor in reducing the cost of a breach, behind only a DevSecOps approach, that is, integrating security processes and measures into product development from the start. The report further shows that organisations with higher levels of training see a larger reduction in the cost of an incident.
At the same time, a remote workforce is one of the factors that increases the average cost of an incident. Here, too, suitable training is needed to better protect employees working from home or on the road.
Costs are also reduced primarily through rapid detection and remediation, yet the report shows that organisations take particularly long to identify and contain breaches caused by malicious insiders, social engineering or phishing. Investment in security awareness training and simulated phishing is therefore strongly recommended.
Training lowers click rate
The figures in KnowBe4’s own benchmarking report for this year suggest that almost one third of employees in the organisations surveyed would click on a phishing email. The so-called Phish-Prone Percentage (PPP) is the share of users who click on a malicious link in a simulated phishing email. The results show that 90 days after starting monthly or more frequent security awareness training, the average PPP fell to 20 per cent. After twelve months of training combined with simulated phishing tests, it fell to six per cent. The effect of such measures can therefore be measured, provided the corresponding data is collected and evaluated.
Dr. Martin J. Krämer is Security Awareness Advocate at KnowBe4.