Numbers Don’t Lie: Proactive Cybersecurity Investment Matters

Every year, IBM Security publishes a report about the cost of a data breach. The 2023 Cost of Data Breach Report, conducted independently by the Ponemon Institute, underlines the essential role of proactive cybersecurity investment. The revelations are clear: invest in your company’s security now or pay a hefty price later. By focusing on proactive cybersecurity investment, companies can effectively shift from a reactive posture to a proactive one, saving both reputation and finances.

Understanding the Price of Neglect

Let’s start with some of the most eye-opening stats:

• The average data breach cost in 2023 reached an unprecedented USD 4.45 million. This is a consistent rise from previous years, representing a 2.3% increase of the prior year’s cost. It is worth noting that the average cost has increased by a staggering 15.3% from the 2020 report.
• When breaches took over 200 days to identify and contain, the cost jumped significantly, increasing the cost over an average of nearly USD 1 million.
• Regulated compliance and critical infrastructure industries, including healthcare, financial, pharmaceuticals, energy, industrial, communications, and technology, experienced 58% of the total costs.
• 16% of all breaches were instigated via phishing attacks—confirming that cyber attackers often target unsuspecting employees.
• Compromised credentials represented 15% of the breaches, and cloud misconfiguration led to 11% of the attacks.

But what stands out is not just the cost or the stats but the reaction of businesses post-breach:

• Only about half of the affected companies plan to increase their security investments after a data breach. This number is hard to fathom, considering the astronomical costs involved. And the ugly truth is that according to last year’s report, 83% of organizations have more than one data breach. [1]
• There’s an evident lack of proactiveness. Many companies only act after a breach, with a sharp rise in detection and escalation costs, suggesting a knee-jerk reaction rather than strategic planning. Another study by Kaspersky determined that 90% of SMBs have concerns about their company’s cyber-resilience or preparedness during a crisis. [2]

Operational business decisions aren’t improving the situation but complicating the problem:

• Companies are underestimating the dangers of offloading their risks. Third-party breaches, supply chain compromises, and software supply chain issues lead to higher costs and longer resolution times. Business partner supply chain compromises cost 11.8% more and took 12.8% longer to identify and contain than other breach types.
• Notably, a staggering 82% of breaches involved data stored in various cloud environments (public, private, or multiple cloud environments), and since cloud misconfiguration led to 11% of the attacks, it reveals that 1) businesses believe the cloud is secure and 2) companies are not prioritizing data security or securely hardening their cloud environments.
• Choosing to make the ransom payment resulted in marginal cost savings. Organizations that paid the ransom during a ransomware attack achieved only a small difference in total cost, at USD 5.06 million compared to USD 5.17 million, a cost difference of USD 110,000 or 2.2%.
• Security personnel layoffs and cutting security tooling are not helping, as only one-third of companies discovered the data breach through their security teams, highlighting a need for better threat detection. When breaches were reported by either other parties or the attackers themselves (67% of the cases), it cost organizations nearly USD 1 million more than internal detection.
• Since companies are not prioritizing proactive security initiatives, breach investigations are taking longer and becoming more complex. Breach notification costs experienced a significant increase of 19.4%.

The Tangible Benefits of Proactive Cybersecurity Investment

What was shocking from the report was the contrast. Businesses that proactively invested in cybersecurity:

• Those employing extensive security AI and automation reported significantly shorter times to identify and contain breaches (shorted by 108 days), leading to substantial financial savings of an average of USD 1.76 million.
• Software development organizations with a robust DevSecOps adoption and security culture saved a staggering USD 1.68 million compared to those without such practices in place.
• Companies with security leadership, board-level oversight, proper IR planning and testing, employee training, mature security controls across domains, and a strong security culture experienced a significant reduction in breach costs. In fact, the average cost of a breach decreased by USD 3.22 million when these proactive measures were in place.
• Effective Incident Response (IR) planning and testing, along with high levels of security skills, further reduce the cost of a breach. Organizations with high levels of IR planning and testing saved USD 1.49 million compared to those with lower levels of preparedness.

The message is evident: An upfront investment in cybersecurity not only saves potential future costs but also fortifies a business against threats, ensuring smooth operations and preserving customer trust. Additionally, by prioritizing proactive cybersecurity investment, businesses transition from mere reactions to forward-thinking actions, safeguarding both their reputation and bottom line.

Factors that Ether Amplified or Reduced Breach Costs

The average cost of a breach in 2023 was USD 4.45 million. However, certain challenges faced by organizations increased this average cost by another USD 1.11 million, resulting in an effective cost of USD 5.56 million instead. These challenges included security skills shortage, non-compliance with regulations, and breaches involving third parties or the supply chain.

On the other hand, when organizations had security leadership, board-level oversight, proper incident response (IR) planning and testing, employee training, mature and effective controls in various security domains (such as vulnerability management, endpoint security, data protection, and monitoring/logging), as well as mature philosophical and cultural practices, the average cost of a breach decreased significantly. In fact, it decreased by USD 3.22 million, bringing the average cost down to USD 1.23 million instead of USD 4.45 million.

These findings highlight the substantial impact that proactive security measures, security leadership, involvement of external security providers (like Managed Security Service Providers (MSSPs)), and the implementation of mature controls have on reducing breach costs. The report reveals that many companies lack these crucial components of an effective security program.

For business leaders, the message is clear: Investing in a robust security program and strong leadership upfront not only results in long-term cost savings but also mitigates risks of regulatory fines, revenue loss, reputational damage, and other consequences of a breach.

Don’t Become a Statistic

The statistics from IBM Security’s 2023 Cost of Data Breach Report leave no room for doubt—proactively investing in a comprehensive security program is no longer a choice but a necessity. Companies today face an increasingly hostile digital landscape. The ramifications of neglecting security can be both financially and operationally devastating. Attackers are becoming more sophisticated, and the costs associated with data breaches are rising. But, as shown, the solution isn’t just to react to threats; it’s to be proactive. This requires investing in technology, human resources, and strategic planning.

As business leaders, we are responsible for prioritizing security to protect our organizations, customers, and stakeholders. Partnering with cybersecurity experts who can provide tailored solutions and strategic guidance is crucial in navigating the ever-evolving cybersecurity landscape and ensuring business success.

To the business leaders reading this: Can you afford to pay millions due to a data breach? Is it worth the damage to your company’s reputation? If the answer is no, then the time to act is now. Strengthen your security measures, educate your staff, and always stay a step ahead of potential threats. Numbers don’t lie; make sure you’re on the right side of them.