IBM’s Cost of a Data Breach Report makes the argument for a data-centric approach to security

The IBM Cost of a Data Breach report makes the argument that a data-centric approach to cybersecurity is now table stakes for organizations who wish to do right by their customers.

Written by Adam Roberts

August 6, 2024


The 2024 edition of IBM’s annual Cost of a Data Breach Report makes it clear that organizations that fail to understand their data do so at their peril—and their customers’.

While there is no shortage of surveys, reports and studies focused on cybersecurity, IBM’s annual report has come to occupy a kind of bellwether role in the industry, offering a consistent, comprehensive look at how organizations across the world manage the impact of data breaches. So, how are they doing?

In short — badly.  

Data breaches cost more than ever, and companies and their customers are feeling the impact. But some companies are avoiding the steepest costs thanks to investing in artificial intelligence (AI) and automation, as well as developing a strong understanding and control of their data.

Key findings

The report showed a 10% jump in the average cost of a data breach, up to US $4.88 million, the biggest jump since the pandemic.

But organizations that made extensive use of AI and automation across prevention workflows—attack surface management (ASM), red-teaming and posture management—saw US $2.2 million lower breach costs compared to those that did not use AI in prevention workflows.

Other key results included:

  • Healthcare was the costliest industry for breaches, at US $9.77M/breach. It’s held this distinction since 2011.
  • The industrial sector saw the highest annual increase in cost, rising by an average of US $830,000 per breach.
  • 46% of breaches involved customer personally identifiable information (PII), such as tax identification numbers, emails, phone numbers and home addresses. Intellectual property records were a close second, with 43% of breaches involving this data.
  • 16% of breaches were caused by compromised credentials, at an average cost-per-breach of US $4.81M, with 15% caused by phishing, at a cost of US $4.88M.

How should organizations respond?

The report makes it clear that data breaches are increasingly inevitable, and the best organizations can hope for is to limit the opportunities for, and the impact of, a breach. So, what should organizations prioritize?

Data security posture management

The report makes a clear argument for investing in a data-centric approach to cybersecurity.

According to the report, 40% of data breaches involved data stored across multiple environments, and when breached data was stored in public clouds, it incurred the highest average breach cost at US $5.17 million. When organizations had centralized control over their data, it took 23.3% less time to identify and contain a breach (an average of 224 days vs 283 days).  

Meanwhile, for the third of organizations that had shadow data residing in unmanaged data sources, a breach cost 16.2% more, or an average US $5.27 million.

These data points make it clear that it’s time to move past securing the perimeter, and data security posture management (DSPM) is now table stakes for organizations taking breach preparedness seriously, alongside traditional approaches like network and application security. Organizations need a clear view of all the sensitive data they hold, so they can manage security and access—which is of particular importance given stolen credentials and phishing account for a combined 31% of breaches.

Data discovery

The first step in DSPM is data discovery: the process of mapping your data landscape to identify structured and unstructured data sources across your on-premises and cloud environments.  

For the report, organizations with more “centralized control” over their data were ones holding data on-premises, rather than distributed across environments. For many or most organizations, data sprawl is now the norm, and moving data back on-premises is impractical. A better way to gain this control is to leverage a platform like RecordPoint to manage data in place.

Data classification

Once you understand where your data is, the next step is to understand it. Classify the sensitive data, while determining who has access to it, how it is being used, and which regulatory frameworks, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), your data governance policies must enforce.

Data minimization

Data you no longer have can’t be breached, meaning it costs you nothing in the event of a data breach. Ensure you store the minimum amount of data you need in line with regulations like the GDPR and CCPA. In addition to improving your risk posture, a robust data minimization strategy will reduce ongoing storage costs and improve employee productivity.
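The three DSPM steps above (discovery, classification, minimization) as a single worked pass over a small inventory. This is an added illustration, not RecordPoint's code or anything from the IBM report; the records, source names and five-year retention period are constructed for the example, and the regexes only cover the PII types the report lists.

```python
import re
from datetime import date, timedelta

# Constructed sample inventory: records spread across on-premises and public-cloud
# sources, with the date each was last needed. All values are invented.
RECORDS = [
    {"id": "r1", "source": "onprem-fileshare", "last_needed": date(2019, 3, 1),
     "text": "Customer Jane Doe, jane@example.com, phone 555-0100, TIN 123-45-6789"},
    {"id": "r2", "source": "public-cloud-bucket", "last_needed": date(2024, 6, 1),
     "text": "Ticket #4432: printer on floor 3 is jammed again"},
    {"id": "r3", "source": "public-cloud-bucket", "last_needed": date(2017, 1, 1),
     "text": "Mailing list export: bob@example.org, 555-0199, 12 Sample St"},
    {"id": "r4", "source": "saas-crm", "last_needed": date(2023, 11, 1),
     "text": "Design doc v3 for the Q4 roadmap (internal)"},
]

# Classification patterns for the PII categories the report calls out
# (tax IDs, emails, phone numbers, home addresses). Illustrative only.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "tax_id": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "address": re.compile(r"\b\d+ [A-Z][a-z]+ (St|Ave|Rd)\b"),
}

def classify(text):
    """Classification step: the set of PII categories present in one record."""
    return {name for name, rx in PII_PATTERNS.items() if rx.search(text)}

def discover(records):
    """Discovery step: map each data source to the PII categories it holds."""
    inventory = {}
    for rec in records:
        inventory.setdefault(rec["source"], set()).update(classify(rec["text"]))
    return inventory

def disposal_candidates(records, today, retention_years=5):
    """Minimization step: PII-bearing records whose retention period has lapsed."""
    cutoff = today - timedelta(days=365 * retention_years)
    return sorted(r["id"] for r in records
                  if classify(r["text"]) and r["last_needed"] < cutoff)

if __name__ == "__main__":
    for source, kinds in discover(RECORDS).items():
        print(f"{source}: {sorted(kinds) or 'no PII detected'}")
    print("dispose:", disposal_candidates(RECORDS, date(2024, 8, 6)))
```

Running it shows the public-cloud bucket holding email, phone and address data, and flags r1 and r3 as PII that has outlived its retention period and so should not still be exposed to a breach.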

Integrate AI and automation into your prevention strategies

The biggest impact organizations can make on data breach costs is to integrate AI and automation into their data security and breach prevention processes. In addition to the US $2.2 million savings outlined above, automation in any security function—prevention, detection, investigation or response—reduced the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) for data breaches by 33% for response and 43% for prevention.

Organizations that applied AI to security prevention saw the biggest impact, saving an average of US $2.2 million over those organizations that did not apply AI in prevention.

Take a security-first approach to AI

The report had worrying news when it came to a different type of AI adoption: only 24% of generative AI initiatives are being secured, threatening to expose data and data models to breaches.

This is the other reason we advocate for a data-centric approach. Organizations need to ensure that any gen AI models like Microsoft Copilot do not have access to sensitive customer data or Redundant, Obsolete and Trivial information (ROT). In the case of Copilot, the model also provides another argument for properly configuring access: it inherits the permissions of the user, and so can act as an accelerant for existing security weaknesses such as over-broad permissions. If your organization is considering Copilot as a gen AI solution, this article can help you understand how to do so safely.

How prepared is your team?

Once you have the above prevention and automation pieces in place, you need to ensure your team is prepared in the event of a breach. How organizations respond and communicate during and after a breach, including internally, with customers, and with regulators, matters. Leaders must work with business functions across the organization to create and stress test response plans.

Given the prominent role that phishing attacks play—and the fact that generative AI can make them more convincing than ever—non-technical staff must complete security training and understand what to do if something looks suspicious.

How can RecordPoint help?

RecordPoint offers next-generation data lifecycle management and acts as a core component of a DSPM strategy, with robust solutions for securing PII and PCI, and guarding against data breaches and cyber-attacks. Our platform empowers you to understand where sensitive data resides across systems, apply data encryption and access controls, and properly manage and restrict access to confidential data.  

The platform facilitates proper retention and disposal of sensitive records and conducts risk assessments to identify vulnerabilities, ensuring compliance with industry regulations. With the RecordPoint platform, you can minimize risk, ensure compliance, and safeguard your sensitive information assets effectively.
