Generally speaking, organizations take cybersecurity more seriously now than ever before. Spending in that category has increased steadily over the last several years, and according to McKinsey and Company it was not notably interrupted even by the COVID-19 pandemic in early and mid-2020.
The financial impact that can result from a malicious hack, or even an accidental data breach, is simply too great for chief information officers and other company leaders to write off. This issue is examined closely in IBM's latest Cost of a Data Breach Report. Organizations that process large volumes of data, or that will soon be overhauling their networks or mainframes, should study these fiscal ramifications alongside the other cybersecurity trends summarized below.
IBM report shows some signs of optimism, other more worrisome indicators
The 2020 release of the Cost of a Data Breach Report was IBM's 15th, with the core data once again compiled by the Ponemon Institute on behalf of the computing giant. For many, the headlining fact will be that the average price tag for a breach of any kind fell to $3.86 million, a year-over-year decline of about 1.5% from 2019's mean figure. Another positive development was the 27% drop in the average time needed to identify a breach among organizations using automated security tooling. That gain is tempered by the fact that the overall mean breach life cycle did not shrink: across all surveyed organizations it took about 207 days to identify a breach and a further 73 days to contain it, 280 days in total, essentially unchanged from 2019.
Personally identifiable information belonging to businesses' customers was by far the most common data type exposed, compromised in approximately 80% of all breaches studied. Because the loss per exposed record is higher for customer PII than the overall mean of $146 per record, the fact that customer data accounts for the majority of exposures should alarm every organization. The report also found that breaches caused by malicious attacks, which made up 52% of all breaches, were costlier still, at $175 per exposed record of customer PII.
Health care had the highest average total cost per breach among the 17 industries examined in the IBM-Ponemon report, at $7.14 million. Energy was not far behind, with companies in that sector losing about $6.39 million per breach, and finance took third place at $5.85 million per incident. Media firms, research institutions and public-sector organizations sat at the opposite end of the spectrum with the lowest typical costs per breach: $1.65 million, $1.53 million and $1.08 million, respectively.
Ransomware, botnets and misinformation on the rise
Findings from another IBM research project, the X-Force Threat Intelligence Index 2020 compiled by its threat intelligence team, provide valuable context when read alongside the breach-cost study.
Phishing, often the initial access step that precedes a ransomware attack, remains the most common initial attack vector. Banking trojans, a class of trojan malware focused specifically on stealing financially exploitable information such as payment card numbers and online banking credentials, are rising not only in prominence but also in novelty: nearly half (45%) of the banking trojan samples observed in 2019 contained new code, which means signature-based defenses such as traditional antivirus and firewall rules were less likely to recognize and block them. This trend seems unlikely to reverse through the remainder of 2020.
Lastly, the ongoing COVID-19 crisis has created an environment of fear that attackers are exploiting through misinformation about the disease and the novel coronavirus that causes it. According to Interpol, phishing campaigns delivered via email and bogus websites surged in the early months of the pandemic and will remain a significant threat for the foreseeable future.
The need for cybersecurity transparency
On Aug. 20, 2020, the U.S. Department of Justice charged former Uber chief security officer Joseph Sullivan with obstruction of justice and misprision of a felony for his alleged role in covering up a cyberattack the rideshare service suffered in late 2016. That breach exposed data on roughly 57 million riders and drivers, including the driver's license numbers of about 600,000 drivers, and Sullivan allegedly kept it under wraps for more than a year.
Sullivan's case illustrates the folly of failing to be transparent with staff, customers and regulators about cyberattacks. Cover-ups tend to come to light eventually, whether through leaks, acquisitions or subsequent investigations, and when they do they expose the business to legal liability on top of the original incident and severely damage its reputation. When a breach occurs, company leaders must notify all appropriate parties within the timelines their disclosure obligations require and take immediate steps to contain and mitigate the damage. Even more valuable, though, is the proactive work of keeping IT and OT systems patched and up to date so that the breach is less likely to happen in the first place.