Data breach costs continue to rise
In its annual data breach investigations report, Verizon explores the causes and effects of over 5,000 confirmed breach incidents.
In its 2023 Data Breach Investigations Report, Verizon provides a detailed breakdown of the anatomy of 5,199 breach incidents that took place between November 2021 and October 2022. Here are some of the highlights:
- The vast majority (83%) of breach incidents involved external threat actors.
- People are still a weak point in the cybersecurity matrix, with humans playing a role in 74% of incidents.
- Lost or stolen credentials contributed to almost half (49%) of all breach incidents.
- There was a significant increase in ransomware activity, contributing to 24% of breaches.
Money continues to be the primary motivator behind externally-linked breaches, with 95% of incidents being driven by the quest for financial gain.
A security system is only as strong as its weakest link. Unfortunately, people are often the most vulnerable element – whether through misuse of privilege, use of stolen credentials, social engineering or old-fashioned human error.
The report highlights the rise in ransomware incidents but also notes that 93% of ransomware incidents reported to the FBI's Internet Crime Complaint Center (IC3) resulted in no financial loss. Of the 7% that did experience a loss, the impact ranged up to $1.2 million.
The real cost of a breach
However, these numbers do not tell the whole story. If the victim of a breach is required to report it under data protection legislation (for example, because the breach involved the loss of personally identifiable customer data), the real impact can be significantly greater.
The recent attack on Latitude Financial demonstrates exactly what is at stake for a larger enterprise suffering a substantial breach of customer data: the attack led to the exposure of 14 million customer records, including personally identifiable information.
The costs of disclosure and remediation, combined with lost revenue, financial penalties and more, have led to a forecast half-year statutory loss of around $100 million. The longer-term effects are yet to be quantified, with significant reputational damage and impending class action suits set to pile on the misery.
In the case of Medibank, the prudential regulator (APRA) made some scathing comments about the cybersecurity culture within the organisation and instructed Medibank to set aside A$250 million to meet its remediation costs and the likely financial damages arising from the multiple class action suits it faces. The announcement led to a 4.6% drop in the company's share price overnight.
Trust nothing, encrypt everything
It’s a mantra we have been repeating for a while now – trust nothing, encrypt everything. A robust cybersecurity stance must combine the best in prevention and protection technologies to minimise the risk of a breach occurring and to reduce the impact of a breach if one does take place. Trust nothing means adopting a zero-trust architecture and demanding authentication and verification for every digital interaction. Encrypt everything does what it says on the tin. With many IT heads struggling to identify where personally identifiable data sits within their infrastructure, the only practical way to protect it is to treat all data the same and encrypt it both at rest and in motion, using authenticated encryption so that tampering is detected as well as confidentiality preserved.
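To make "encrypt at rest" concrete, here is an added example (not code from the original article or from Verizon) that seals a customer record with AES-256-GCM in Go. The record identifier is bound in as associated data, so a stored blob cannot be transplanted onto another customer's record, and any modification of the ciphertext causes decryption to fail rather than return corrupted plaintext. The function names, the record identifier and the sample record are assumptions made for this illustration, and the key would in practice come from a KMS or HSM rather than being generated in process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keyLen is 32 bytes, selecting AES-256.
const keyLen = 32

// Seal encrypts a record for storage at rest with AES-256-GCM.
// recordID is passed as associated data: it is authenticated but not
// encrypted, so the blob only decrypts under the record it was sealed for.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM, so never derive it from anything that can repeat.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext||tag to the nonce slice we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. It fails if the key or recordID differs from the one
// used at seal time, or if any byte of the blob has been altered.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Hypothetical data-encryption key; in production fetch it from a KMS/HSM.
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record containing PII.
	record := []byte("Jane Doe, 1980-01-02, passport X1234567")

	blob, err := Seal(key, "customer:12345", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for customer:12345\n", len(blob))

	// Correct record ID: decrypts.
	if pt, err := Open(key, "customer:12345", blob); err == nil {
		fmt.Printf("decrypted: %s\n", pt)
	}
	// Blob copied onto a different record: rejected.
	if _, err := Open(key, "customer:99999", blob); err != nil {
		fmt.Println("swapped record id rejected:", err)
	}
	// One flipped ciphertext byte: rejected instead of yielding garbage.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, "customer:12345", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The same Seal/Open pair applies to every column or object you store, which is the point of "treat all data the same": you do not need to know in advance which fields hold PII. Encryption in motion is then handled separately by TLS on every connection, not by this code.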