Monthly Archives: August 2023

Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs

The global average cost of a data breach reached $4.45 million in 2023 – another record high and a 15% increase over the last 3 years, according to this year’s Cost of a Data Breach study, just published by IBM and conducted by The Ponemon Institute. Detection and escalation costs jumped 42% over this same time frame, representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations.

According to the 2023 IBM report, businesses are divided in how they plan to handle the increasing cost and frequency of data breaches. The study found that while 95% of studied organizations have experienced more than one breach, breached organizations were more likely to pass incident costs onto consumers (57%) than to increase security investments (51%).

The 2023 Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches experienced by 553 organizations globally between March 2022 and March 2023. The research, sponsored and analyzed by IBM Security, was conducted by Ponemon Institute and has been published for 18 consecutive years. Some key findings in the 2023 IBM report include:

  • AI Picks Up Speed – AI and automation had the biggest impact on an organization’s speed of breach identification and containment. Organizations with extensive use of both AI and automation experienced a data breach lifecycle that was 108 days shorter compared to studied organizations that have not deployed these technologies (214 days versus 322 days).
  • The Cost of Silence – Ransomware victims in the study that involved law enforcement saved nearly half a million ($470,000) in average breach costs compared to those that chose not to involve law enforcement. Despite these savings, 37% of ransomware victims studied chose not to bring law enforcement in.
  • Detection Gaps – Only one third of studied breaches were detected by organizations’ own security teams, compared to 27% that were disclosed by an attacker. Data breaches disclosed by the attacker cost nearly $1 million more on average compared to studied organizations that identified the breach themselves.

“Time is the new currency in cybersecurity both for the defenders and the attackers. As the report shows, early detection and fast response can significantly reduce the impact of a breach,” said Chris McCurdy, General Manager, Worldwide IBM Security Services. “Security teams must focus on where adversaries are the most successful and concentrate their efforts on stopping them before they achieve their goals. Investments in threat detection and response approaches that accelerate defenders’ speed and efficiency – such as AI and automation – are crucial to shifting this balance.”

Every Second Costs

According to the 2023 report, organizations that fully deploy security AI and automation saw 108-day shorter breach lifecycles on average compared to organizations not deploying these technologies – and experienced significantly lower incident costs. In fact, organizations that deploy security AI and automation extensively saw nearly $1.8 million less in average breach costs than organizations that didn’t deploy these technologies – the biggest cost saver identified in the report.

At the same time, adversaries have reduced the average time to complete a ransomware attack. And with 40% of studied organizations not yet deploying security AI and automation, there is still considerable opportunity for organizations to boost detection and response speeds.

To read the full report, visit IBM’s website.

The Frances Haugen interview. Two years after Facebook, now what?

Bob Sullivan

Nearly two years after focusing the world’s attention on Big Tech’s big problems, Frances Haugen remains a powerful force in the technology industry. I recently interviewed Haugen for the Debugger podcast I host at Duke University.

In this interview, Haugen tells me how Covid lockdowns played a key role in her difficult decision to come forward and criticize one of the world’s most powerful companies, what she’s doing now to keep the pressure on tech firms, and how she handles the slow pace of change.

For a new book she’s just published, Haugen researched Ralph Nader’s battle against the automotive industry in the 1970s — her fight is like his in some ways, very different in others. She’s created a non-profit to pursue research into harms that tech companies cause — some of that will be conducted this summer by Duke University students — and she offers up some simple things companies like Facebook could do immediately to mitigate those harms.

I hope you’ll listen to the episode. Haugen is an engaging speaker. But if podcasts aren’t your thing, a full transcript is also available.

You can subscribe to Debugger on Spotify or wherever you find podcasts.

A brief excerpt from our conversation:

“One of the things I talk about in my book is… why was it when Ralph Nader wrote a book called Unsafe at Any Speed, that within a year … there were Congressional inquiries, laws were passed, a Department of Transportation was founded. Suddenly seat belts were required in every car in the United States. Why was that able to move so fast? And we’re still having very, very basic conversations about things like even transparency in the United States.”

Bob: So we’ve talked a lot about platform accountability on this podcast, the worry that Big Tech doesn’t have to answer to anyone, not even governments. And this recent report by the Irish Council for Civil Liberties says that two thirds of cases brought before Ireland’s Data Protection Commissioner, which basically serves as the enforcement agency for the whole EU, just resulted in a reprimand. Frances, as someone who’s done a lot to try to make at least one big tech company accountable, how do you react to that?

Frances Haugen: One of the largest challenges regarding tech accountability is … legislation and democracy take a lot more time than technical innovation. Pointing at things like adoption curves … you know, how long did it take us to all get washing machines? How long did it take for us to get telephones? What about cell phones? How many years do these processes take? And they’re accelerating. The process of adoption gets condensed. And when it comes to things like the data protection authority, it’s one of these interesting … quirks, I would say, of how we learn to pass laws. Because when GDPR was passed, it was a revolutionary law. It was a generational law in terms of how it impacted how tech companies around the world operated. But we have seen over the years that the Irish Data Protection Authority is either unable or unwilling to act, and that pattern is consistent. One of the stats I was trying to find before I came on today was the fraction of complaints that they’ve even addressed, which is very, very small. So yes, they’ve only acted on a handful of cases in the last few years. It’s something like 95% of all the complaints that have been brought, they’ve never responded to. So I’m completely unsurprised by the recent report.

Bob: Is it frustrating that we’re still in this place?

Frances Haugen: Oh, no. This is one of these things where perspective is so important, trying to change the public’s relationship with these tech companies. And that’s fundamentally what the core of my work is — the idea that we should have an expectation that we have the right to ask questions and get real answers. That’s a fundamental culture shift … coming at a project like that from a place like Silicon Valley, where if you can’t accomplish something in two years, it’s, it’s not really considered valuable, right? Things get funded in Silicon Valley based on expectations two years out. If it takes five years or 10 years, that’s considered way too slow. And so I come at it assuming that it’ll take me years, like years and years, to get where I want the world to get. And that means that when there are hiccups like this, they’re not nearly as upsetting. And so I think it’s unfortunate. I think it’s unacceptable. But I think it’s also one of these things where I’m not surprised by it.