A lot is said in security circles about cyber hygiene. It can amount to different things depending on which vendor or security practitioner you’re talking to. But a common thread is getting the basics right — whether it’s via user education, password management, or installing anti-malware software. These are the “low-hanging fruit” that could make a positive impact on your organization’s risk profile with relatively little time, effort, and expense. Why? Because actioning them will make it harder for opportunistic threat actors to compromise the network, encouraging them to move on to an easier target.
That’s the idea, anyway. But it’s always useful to hear some proof points to back this up. That’s why the results of IBM’s latest Cost of a Data Breach report make for interesting reading. If organizations can use cyber hygiene to improve the health of their email security, software vulnerabilities, and cloud systems, they could go a long way to reducing risk and financial/reputational damage.
Breach costs are soaring
The IBM report has been running now for 17 straight years and, as such, represents a useful ongoing snapshot of both the threat landscape and corporate security posture. The cost of a breach is calculated according to analysis of incidents ranging from 2,200 to 102,000 compromised records. It includes several elements:
- Detection and escalation: Including forensics, audits, crisis management, and executive communications.
- Notification: To data subjects, regulators, outside experts, and others.
- Post-breach response: Including the cost of legal expenses, product discounts, regulatory action, credit monitoring, helpdesk calls, and issuing of new accounts/cards.
- Lost business: Including disruption and downtime, lost customers, reputational damage, and an inability to attract new customers.
Unfortunately, the cost of a breach hit a record high this year, nearly $4.4 million. It could spike much higher for organizations that lose large volumes of records. The average calculated for losing 50 to 60 million records was $387 million.
Where to focus security
The challenge for SMB security chiefs is to pick through vendor hyperbole and find the products that deliver the biggest “bang for the buck,” without ending up with an unmanageable estate of point solutions. Mean cybersecurity spend surged by 60% over the past year. But if it’s channeled into the wrong areas, security risk will remain persistently high.
In this regard, the IBM report is instructive. It claims that the costliest breaches stem from:
- Phishing ($4.9 million)
- Business email compromise or BEC ($4.9 million)
- Third-party software vulnerabilities ($4.6 million)
- Compromised credentials ($4.5 million)
In fact, the four are connected. Phishing is often a factor in BEC and can lead to compromised credentials and delivery of vulnerability exploits. This should make email security a prime focus for any IT or security leader.
There’s more. The most common initial attack vectors for breaches were:
- Compromised credentials (19% of breaches)
- Phishing (16%)
- Cloud misconfiguration (15%)
- Vulnerabilities in third-party software (13%)
These four were unchanged from the previous year, meaning they remain a favorite of attackers. But this also signifies an opportunity: Shut down these avenues for attack, and your organization could significantly improve its cyber hygiene.
The cloud angle
Cloud security can be an increasingly important differentiator for businesses. Why? Because nearly half (45%) of all breaches analyzed by IBM last year occurred in the cloud. Not only that, but incidents at organizations using the public cloud took an average of 310 days to identify and contain the breach — 33 days more than the overall average. The longer hackers are allowed to remain inside networks undiscovered, the more damage they can do.
That’s why “cloud migration” is listed as having the second biggest financial impact on the cost of breaches, potentially increasing costs by over $284,000 per incident. Breaches in public clouds cost on average more than $5 million per incident. That’s bad news in a world where in-house security teams are struggling to manage multiple cloud investments, leading to frequent misconfigurations and resulting breaches.
What are the basics?
Fortunately, there are things that organizations can do today to mitigate some of these risks. Some could save organizations hundreds of thousands of dollars on potential breach costs, according to the report. Consider the following:
- Security awareness training to mitigate the risk of phishing
- Multifactor authentication to tackle phishing and prevent credential theft/account hijacking
- Comprehensive email security including AI-powered impersonation detection
- Data loss prevention to stem the threat from negligent and malicious insiders
- Strong data encryption to render any lost data useless to data thieves
- Web application firewalls to mitigate the risk of vulnerability exploitation
- Continuous risk-based patching of software and operating systems
- Regular back-ups in case the organization is hit by ransomware
- Cloud-ready firewalls to keep advanced threats at bay
- Cloud security posture management (CSPM) to continuously find and fix misconfigurations
- Incident response tools and programs to rapidly remediate if the worst does happen
Breach costs are on the rise. That’s cause for concern. But the tactics causing the most breaches and the highest costs have not changed in 24 months, and there are tried-and-tested ways to keep them in check. That’s good news for any IT manager.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.