For several years now, the concern of security managers and organizational leaders has been the cost of security breaches. Lately, the environment in different sectors has become more rigorous in the fulfillment of key security objectives, and any breach is a justified reason to fire the CEO and CISO of an organization.
IBM and Ponemon Institute have been developing a study for several years with more than 500 companies worldwide to obtain clear metrics on the cost of security breaches, and the key data are:
Against the indicator of average time to identify and contain data breaches, a deterioration is identified compared to 2018 going from 266 days to 279: 206 days to detect the threat and 73 days to contain it, a 4.9% increase in incident management.
The average total cost of a data breach in the U.S. across the companies studied has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130% increase over these past 14 years.
Smaller organizations had higher costs relative to their size than larger organizations. The total cost for organizations with more than 25,000 employees averaged $204 per employee, while organizations with between 500 and 1,000 employees had an average cost of $3,533 per employee.
What are we doing wrong in our security operation to cause this indicator to deteriorate?
There are two elements to analyze. The first is the evolution of TTP (techniques, tactics and procedures) used by attackers to achieve their objectives (see Threat Hunting Webinar). The second is the ineffectiveness of our incident response processes.
In the same IBM and Ponemon Institute report, it states that the controls that most mitigate the impact of the cost of breaches is to have an incident response team and continuous testing of the organization's response capabilities and the automation of security tasks, reducing up to 95% of the cost of breaches.
However, according to the study, only 16% of companies reported full implementation of security automation, 36% indicated partial implementation. Another 36% do not currently use security automation but plan to deploy automation technologies in the next 24 months. Finally, 12% had no plans to implement security automation.
While the evolution of the attackers' TTPs is somewhat sensitive, our focus should be on evolving our prevention, detection and response processes through key technologies such as artificial intelligence, analytics, machine learning; and automation and orchestration of the tasks in our processes, which will help us meet our key security objectives and continue to generate confidence to stakeholders, ensuring the fulfillment of our business objectives.
