Once you have come to grips with the average cost of a data breach to an enterprise organization, measured in the millions, it’s time to look at the factors that increase – and lower – that cost.
IBM’s recently released 18th edition of its Cost of a Data Breach Report puts this year’s average cost at $4.45 million. That’s a staggering number, but what about the contributing factors? What can organizations learn beyond “don’t become a victim – it’s expensive”?
Let’s take a look at the initial attack vectors to see how they affect the average cost. According to the report, data breaches that began with phishing are, on average, more expensive, coming in at $4.76 million. Phishing was the initial attack vector in 16% of the cases studied for this report, putting it in first place as the most common initial attack vector.
Source: IBM
You may be wondering where the correlation is between an initial attack vector and the cost after the dust settles. According to IBM, the average breach takes 204 days to identify and 73 days to contain – a total of 277 days. When phishing is involved, both timeframes increase – 217 days to identify and 76 days to contain. Part of this is likely due to the misuse of legitimate credentials (as the majority of phishing attacks are focused on credential harvesting), since activity under a valid account is harder to distinguish from normal use. According to the report, in breaches where stolen or compromised credentials were considered the initial attack vector (I’m not exactly sure how, as there was some threat action taken to steal them, but I’ll go along for the ride…), the timeframes get even longer – 240 days to identify a breach and 88 days to contain it.
But there’s more correlation between phishing and the reasons the cost of a data breach increases. Of the 27 security measures and factors that could impact the cost of a data breach, Security Awareness Training came in second place, reducing the average data breach cost by $232K (just behind using a DevSecOps approach, which had the most positive impact, reducing the cost by an average of $249K). And, as you’ve read here countless times, this kind of training is the most effective way to render phishing attacks powerless.
Looking specifically at having a trained user base and comparing it to the average data breach cost of $4.45 million, organizations with a mature Security Awareness Training program had an average data breach cost of $3.68 million, while those with little to no training saw an average cost of $5.18 million.
So, I’m going to call it – even IBM sees the correlations: phishing attacks increase the cost of responding to a data breach, and having continual and effective Security Awareness Training in place significantly reduces not only your risk of experiencing an attack but also, should an attack succeed in spite of the training, the impact of one.