Don’t let your cloud deployment rain on your cybersecurity parade
Gasoline, groceries, cars, and housing aren’t the only things that cost more these days. In the online world where virtually all businesses live, the global average cost of a data breach is at an all-time high of $4.35 million, up 12.7% in the past two years, according to IBM Security’s “Cost of a Data Breach Report 2022.” The report, conducted by the Ponemon Institute, covered breaches between March 2021 and March 2022.
And it found that not only do breaches cost more, but that there are more of them. They’re rampant. According to the study, 83% of about 550 organizations surveyed reported they had suffered more than one data breach.
And 45% of breaches occurred in the cloud, where an increasing percentage of organizations run their operations and which is marketed as a more secure option.
If there is any good news, it’s that the rate of increase slowed during the second of the two years. From 2020 to 2021 the average went from $3.86 million to $4.24 million, up about 9.8%, while from 2021 to 2022 the increase to $4.35 million was just 2.6%.
But the bad news for the U.S. is that average breach costs are $9.44 million, the highest in the world and more than double the global average. Also, the increase of 4.3% from 2021 is considerably more than the global average increase for the past year.
Among the predictable results? Trickle-down inflation. Given that their costs of doing business were up by millions, 60% of those surveyed acknowledged they had “raised their product or services prices due to the breach.”
The costs of immaturity
But the report also documented that the major reason for the stress and expense of being breached is that too many organizations’ cybersecurity is figuratively stuck at the middle-school level. It’s immature.
There is no way to be bulletproof from a skilled, determined, well-funded adversary, but organizations could considerably lower the risks of the expense, time, and trauma of being breached by investing in security fundamentals. As the security saying goes, they can avoid being low-hanging fruit.
That’s true of cloud deployments, where 45% of the breaches occurred, and which is the major focus of this post. The survey found that about 43% of respondents acknowledged that they were in the “early stages or have not started applying security practices across their cloud environments.”
That is asking for trouble, because the costs of a data breach go beyond detecting and mitigating it. They can include paying a ransom, and still more costs can come from sanctions or other legal trouble for failure to comply with security protocols, brand damage, and lost business.
Indeed, the value of security investments in the cloud is right there in the numbers.
For starters, IBM reported that the cost of a data breach to organizations with a hybrid cloud model was less than for those using a public cloud. That’s probably because both the organization and the cloud provider have responsibility — and incentives — for better security.
Thomas Madden, managing consultant at Synopsys, said when an organization puts everything, including sensitive client data, in a public cloud rather than just a subset of data to meet the needs of a specific application, “the exposure is greater. Additionally, there may be some lax oversight of security controls in the cloud for various reasons.”
But with a hybrid cloud model, “there is greater focus on security control adherence and testing as well as third-party testing and validation,” he said, noting that there is lots of competition in the cloud provider market — an incentive for vendors to make security a priority.
“There are enough providers on the market that are more than willing to take the place of those with recurring missteps resulting in breaches,” he said.
His Synopsys colleague, Monika Chakraborty, associate principal consultant, agrees. “Probably a combination of on-premises and multi-cloud architectures is better,” she said, “since each cloud services provider may manage their infrastructure differently.”
“Even the cloud security posture management [CSPM] of those providers may be important,” she added.
CSPM, a term coined by IT research and advisory firm Gartner, refers to security tools that can help automate security and provide compliance assurance in the cloud by comparing a given cloud environment against a defined set of best practices and known security risks.
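To show what that comparison looks like at its core, here is an added example (not code from the post, IBM, Gartner or Synopsys): a constructed cloud inventory is evaluated against a handful of best-practice rules, and each deviation becomes a finding with a severity. The inventory, the rule names and the 90-day key-rotation threshold are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str

# Constructed sample inventory (not real infrastructure), shaped like a
# simplified export of storage buckets, firewall rules and IAM users.
INVENTORY = {
    "buckets": [
        {"name": "client-records", "public": True, "encrypted": False},
        {"name": "static-site", "public": True, "encrypted": True},
        {"name": "backups", "public": False, "encrypted": True},
    ],
    "security_groups": [
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_users": [
        {"name": "admin", "mfa": False, "key_age_days": 400},
        {"name": "deploy", "mfa": True, "key_age_days": 30},
    ],
}

WEB_PORTS = {80, 443}   # ports where internet-wide ingress is expected
MAX_KEY_AGE_DAYS = 90   # assumed rotation policy, not a figure from the report

def evaluate(inventory):
    """Apply each best-practice rule to the inventory and return the findings."""
    findings = []
    for b in inventory["buckets"]:
        if b["public"] and not b["encrypted"]:
            findings.append(Finding(b["name"], "public-unencrypted-bucket", "high"))
        elif b["public"]:
            findings.append(Finding(b["name"], "public-bucket", "medium"))
    for sg in inventory["security_groups"]:
        for r in sg["ingress"]:
            if r["cidr"] == "0.0.0.0/0" and r["port"] not in WEB_PORTS:
                findings.append(Finding(sg["name"], f"open-ingress-{r['port']}", "high"))
    for u in inventory["iam_users"]:
        if not u["mfa"]:
            findings.append(Finding(u["name"], "mfa-disabled", "high"))
        if u["key_age_days"] > MAX_KEY_AGE_DAYS:
            findings.append(Finding(u["name"], "stale-access-key", "medium"))
    return findings
```

A real CSPM product runs rules like these continuously against the provider's API rather than a static export, and maps each rule to the compliance framework it satisfies.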
Second, organizations with mature cloud security were able to detect and contain a breach faster, spending an average of $660,000 less to recover from it than those with cloud security programs still in the early stages.
Madden said better security and response from a hybrid cloud model “is likely a result of multiple teams with ‘eyes on glass’ identifying out-of-band activity. In hybrid cloud models, such activities are noticeable and reviewed with both internal and provider teams to come up with an action plan to identify nefarious activity and to swiftly isolate and remediate potential damages,” he said.
In other words, maturity saves time and money. And if an organization doesn’t have to jack up its prices due to breach costs, it is likely to gain a competitive edge, or at least not lose what it has.
All about the basics
So what does it take to be mature? Actually, it doesn’t require mysterious or extraordinary security bells or whistles. It’s much more about doing the basics — basics that are tested and effective, and for which tools and services are available.
The report lists 28 “key factors” that, for better and worse, can affect the cost of a data breach. The top six that can help reduce costs are:
- Security artificial intelligence (AI) and automation. The report described this as “security technologies that augment or replace human intervention in the identification and containment of incidents and intrusion attempts. Such technologies depend upon AI, machine learning, analytics, and automated security orchestration.” The potential cost savings from AI and automation are significant — about $3.05 million per breach.
- Extended detection and response. According to the report, average savings from this technology aren’t major (9.2%), but its greater value is in helping cut detection and response time by about a month. “Extra time to identify and contain a breach can add a lot to the overall cost of a breach and its consequences,” the report said.
- Incident response (IR) teams that regularly test an IR plan. The report found that this reduced the cost of a breach by $2.66 million compared with the average.
- Risk quantification. This means setting priorities — spending time and money on significant risks, not the trivial or irrelevant. Obviously, this can vary by organization, but as the report puts it, “Risk quantification can highlight financial loss types by impact, including […] loss of productivity; cost of response or recovery; reputation impact; and fines and judgments.” According to the report, risk quantification could cut up to $2.10 million from the cost of a breach.
- Zero trust. While this security concept goes back decades, it remains relevant. It was popularized in 2010 by John Kindervag, then a vice president and principal analyst on the Security and Risk Team at Forrester Research, who wrote last year in the Wall Street Journal that “the hallmark of zero trust is simplicity. When every user, packet, network interface, and device is untrusted, protecting assets becomes simple.” Or, as the IBM report puts it, zero trust “operates on the assumption that user identities or the network itself may already be compromised, and instead relies on AI and analytics to continuously validate connections between users, data and resources.” As in, don’t trust until you verify. Organizations using zero trust spent an average of $950,000 less on data breach costs.
- Encryption. The goal of encryption is obvious — to render compromised or stolen data useless. But as any expert will tell you, if encryption isn’t rigorous, skilled attackers will have little trouble defeating it. IBM recommends using “fully homomorphic encryption,” which enables analytical functions to be run directly on encrypted data while yielding the same encrypted results as if the functions were run on plaintext. This makes it a security measure that doesn’t make things more difficult for those using it. And as experts at any security conference will tell you, the best way to get employees to adopt security measures is to “make the secure way the easy way.”
To this list, Madden said “training and ongoing testing is necessary to validate foundational aspects of their programs such as DevSecOps/AppSec.
“Third-party risk management is another often overlooked area. Organizations need to understand how cloud vendors impact their risk profile, so they need to work very closely with those vendors and make this part of their risk-quantification process.”
Not all of these measures are easy. They cost time and money. But, as the data from the report shows, they are an investment — collectively they will help an organization avoid making itself an easy target for hackers.