IBM’s Cost of a Data Breach 2024 report reveals critical trends that should be on every business leader’s radar. The escalating costs of data breaches are staggering, particularly in the United States where the average breach cost far exceeds that of other regions.

This year’s findings highlight the severe financial toll of breaches, driven by increasingly complex security environments and a shortage of skilled cybersecurity professionals. Matt Sayler, Manager, Product Management, for Fortra’s Alert Logic, offers in-depth analysis and key insights from this year’s Cost of a Data Breach report.

Delving into the Cost of a Data Breach

1. Why do you think there’s been an increase in the cost of a data breach? And why is the cost so much more than any other country/region that was studied?

Matt Sayler (MS): It’s sad to say, but when I’m speaking with business leaders, almost everyone has a story about a breach. I don’t think this is just better awareness on our part! There is real money to be made by ransoming businesses or re-selling sensitive data. But of course, the damage that’s done — outages, investigations, the clean-up, and long-term effects — that’s always a bigger price tag. We haven’t turned the corner on any of those costs.

When you start to drill into the details in this year’s report, you can see more bad actors looking for the really juicy data, those crown jewels that we’re always talking about. Why sell passwords or even credit cards, when you can get to trade secrets or something like patient data?

One of the things I think drives the U.S. as an outlier in terms of breach cost is the size of the healthcare system, which continues to grow faster than the rest of the economy. This report touches on IT weaknesses and the cost of personal data breaches, but Chrissa McFarlane had a great summary in Forbes earlier this year that covers the challenges in this sector.

It’s not all doom and gloom in this space. While the cost of hacker-disclosed breaches is sky-high ($5.53 million on average), security teams themselves are doing a better job locating and containing attacks before that phase. The big game hunt right now is in early detection.

2. According to the report, the top three factors that amplified breach costs were security system complexity, security skills shortage, and third-party breaches. What are your thoughts on this?

MS: We often talk about “when, not if” a business will face a breach or significant security incident. I don’t think this is fatalistic, just realistic. The biggest driver of cost is time — the longer it takes you to identify and contain a breach, the worse the clean-up and the damage to long-term business. If you and your team identify and resolve a breach in less than two hundred days, the cost to the business on average goes down by $1.4 million.

Reduce the complexity of your security landscape, and you’re going to save time by standardizing data and streamlining processes. The fewer screens and sources of alerts, the better. This also helps with the skills shortage, by consolidating hard-to-find skillsets and reducing time to train up staff. Of course, I’m a fan of managed services to augment the availability and expertise of your in-house team. As for third-party breaches, you’re only as good as your vendors and suppliers. Where you have choices, look for companies with well-defined security and compliance practices (think SOC2 or ISO27001, or even ask about disclosure and incident response practices).

3. 70% of organizations shared that they experienced a significant or very significant disruption to business as a result of a breach. Can you shed some light into what these typical disruptions look like?

MS: IT and security teams handle minor breaches with minimal fuss — the typical example would be a phishing episode that’s contained to the victim’s laptop. That’s going to hurt for the victim, of course, but the business probably won’t notice.

Major breaches, usually with undetected long-term intrusion, are entirely different. There’s always a spike of activity at the time of detection, with all hands on deck and the security team in the hot seat to gather evidence and minimize any further impact.

But after a breach, only 8% of businesses say they’re recovered within 75 days. What’s happening in that time? Beyond the recovery of lost data or rebuilding systems, teams have to actually complete disrupted work, explain to customers what happened (and why it won’t happen again), and implement the “why this won’t happen next time” recommendations.

4. The research found that applying security AI and automation is lowering breach costs by an average of USD 2.2 million. In your experience, how can automation be successfully used to enhance security outcomes?

MS: Automation and AI keep us humans from being overwhelmed by the daily grind. Coming back to the security skills shortage, I have talked to so many entry-level SOC analysts or people in training who are discouraged by this thought that they’re going to be looking at the same stream of alerts and running the same playbooks 50 weeks a year, until they can get into a more senior position.

That’s the promise of automation, and I think that’s why successful organizations are deploying it and seeing these huge reductions in breach cost. Again, reducing detection time is money in the bank — and the more interesting data you can put in front of your team, the faster they can do that detection. We don’t lack for signal, just the ability to pull it out of the noise.

5. When organizations suffered from a high-level shortage of security skills, their average breach costs were $5.74 million, compared to organizations with a low-level skills shortage, with $3.98 million. Are managed security services an answer for organizations hindered by the skills shortage?

MS: I worked for more than a decade at Alert Logic — 100% managed services offerings — before we joined Fortra in 2022. It’s been interesting to work with both managed service and more customer-managed software tools here, because that’s still a significant part of Fortra’s business.

I’m a believer in deploying managed security services to close that skill gap, for the obvious reasons: quick start-up time, a deeper bench to work with, 24/7 coverage — all those good things. Not everyone has the budget or even the desire to build a fully staffed and trained security team, either.

Areas I encourage almost everyone to look outside their organization: attack simulation, red teaming, and incident management consulting. There are certainly tool-based solutions you can use in-house, but this is one area where outside perspective helps.

6. The average cost of a data breach involving shadow data was $5.27 million, 16.2% higher than the average cost without shadow data. In addition, breaches involving shadow data took 26.2% longer on average to identify and 20.2% longer on average to contain than those that didn’t. Why do you think this is?

MS: Everyone loves to hate shadow IT. I certainly remember working with traders and their Excel workflows earlier in my career. Back then, we were worried about business continuity and disaster recovery. All of that is still a problem. But what is really driving the cost of breaches involving shadow data is the lack of visibility for security teams. Whether it’s an unpatched system, an exposed S3 bucket, or an unmonitored system, we see a material effect on time to detect. The same problems play out during containment and recovery. Everything is harder, and you’re more likely to end up in a situation where there just aren’t backups or recovery steps planned. That’s when we see the real impact of destructive attacks.

One really interesting data point in this study was how shadow data wasn’t limited to the cloud. We’re still seeing traditional data centers, often with legacy workloads and limited visibility, in a plurality of shadow data breaches.

What is Shadow Data?

Shadow data is what we call everything an organization stores that isn’t governed by normal best practices — things like backup strategies and security monitoring. It’s a little like dark matter — you know it’s out there, but you can’t see it. This is a real challenge for time-crunched security teams, who struggle to locate and secure shadow data.

7. Approximately 40% of breaches involved data in hybrid cloud environments as compared to data stored only in a public cloud, private cloud, or on-prem. Why would this be?

MS: As ubiquitous as the cloud is today, there are few businesses who grew up full-time in the cloud — and fewer still who haven’t grown or expanded somewhere where they need real-world operations. When we analyze our MDR customer base, the majority (more than 60%) of our customers are deployed in at least one cloud environment and one non-cloud environment. I don’t think this is atypical, and I don’t expect it to change significantly. Privacy concerns, legacy workloads, office space, manufacturing … almost any business is going to be spread out over a large IT estate.

Security teams need to be versatile and able to follow the business wherever it goes.

8. When breached data was stored in public clouds, it incurred the highest average breach cost at $5.17 million. Could this be that there are extra challenges in securing public clouds?

MS: The report doesn’t dig deeply into why cloud breaches are so expensive. I see two big drivers: First, the cloud providers are great at offering baseline security and enabling best practices like minimal privilege or zero-trust. This can give a sense that the cloud provider is secure by default or responsible for all security problems. In reality, that’s a shared responsibility. Securing the cloud requires your active participation — imagine Smokey the Bear “Only You Can Prevent Cloud Breaches.” And that’s the second thing. It’s clear that complexity is the enemy of good security, and we’re still at a point where the number of cloud technologies is growing. Done well, the cloud can help make infrastructure transparent and traceable, but it takes real discipline to get there.

A great security team has eyes on everything, and opinions where it matters. Knowing that cloud presents a tempting target for developers and attackers, it’s our job to lend a hand. Be willing to review and advise, knowing you may not be able to say no. Look for any win-win situations. Identity management and centralized auditing can make it easier to get to work and track down problems.

9. When asked about security investment, 55% of respondents are investing in incident response planning and testing and 51% in threat detection and response technologies. What do you think accounts for this trend?

MS: This is a great way to wrap up, and it shows that lots of folks already are reacting to the trends we’ve discussed here. Visibility is key — improved detection technologies that increase the breadth and depth of coverage pay off in early notice of a breach (just make sure you’ve got the right team and automation support to find the signal in the noise!).

From there, response planning and testing are proven ways to get through a bad situation quickly. A security team that can quickly swing into action and clearly communicate with the business is going to build trust and reduce the cost of a data breach.

About the Author
Heather Wiederhoeft
Heather McLean Wiederhoeft is the Senior Content and Social Media Creator for Fortra’s Alert Logic. An accomplished strategic communicator, she brings more than 30 years’ experience in content creation, marketing communications, public relations, and publication development to the team.
