As a self-professed cybersecurity data nerd, I look forward each year to IBM’s annual Cost of Data Breach report. It’s a “fun” read if you like this sort of thing. And just in time for summer beach reading, the report landed last week. And after taking a deep dive into the report, I wanted to share some insights and findings.
First, the report highlights the value MSPs offer to their clients. I talk to many MSP owners and businesses weekly, and MSPs are on the frontlines of the battles against hackers and cybercriminals. I still run into many companies that shrug or wave off cybersecurity expenditures, but as the IBM report shows, spending money on prevention – services offered by most MSPs – is far cheaper than cleaning up a mess afterwards.
Data breaches contribute to inflation
One of the report’s main takeaways is that companies are finding data breaches to be more common and costly. So not only is this eating into bottom lines, but it is also causing businesses to raise the prices of goods and services. So, while inflation is a complex phenomenon caused by various factors, data breaches are also one of the contributors. MSPs have many roles and thinking of themselves as “inflation fighters” might be a new twist, but evidence points to that.
Another intriguing aspect of the report is the lingering impact of a data breach. It’s like the unfortunate gift that keeps on giving. The report says:
Another factor rising over time is the after-effects of breaches on these organizations, which linger long after they occur, as nearly 50% of breach costs are incurred more than a year after the breach.
Cleanup is neither simple nor cheap
Many companies think their MSP will clean up the mess from a data breach, yet in reality the business and the MSP will do a little damage control and then move on. However, it is becoming increasingly clear that it is not that simple or cheap. The immediate cost of a data breach consists of lost sales, shuttered doors, and hiring experts to clean up. Over time, the lingering effects can include reputational damage and the need to ramp up sales to replace lost customers.
So, for companies that are still not convinced of the value that MSPs offer in providing preventative security services, the IBM report is a great tool to win over the reticent.
Among the other takeaways from the report that are worth discussing:
- Critical infrastructure lags in zero trust – Almost 80 percent of critical infrastructure organizations studied don’t adopt zero trust strategies, seeing average breach costs rise to $5.4 million – a $1.17 million increase compared to those that do. All while 28 percent of breaches amongst these organizations were ransomware or destructive attacks.
I am always amazed at how slow some companies are to adopt zero trust. While it isn’t a cure-all, nothing is, so anything that tilts the odds in favor of the good guys is worth embracing. My advice to MSPs with critical infrastructure clients in their portfolio is to insist they implement zero trust and show them the cost of not doing so.
- It doesn’t pay to pay – Ransomware victims in the study that opted to pay threat actors’ ransom demands saw only $610,000 less in average breach costs compared to those that chose not to pay – and this doesn’t include the price of the ransom. Factoring in the high cost of ransom payments, the financial toll may be even higher, suggesting that simply paying the ransom may not be an effective strategy.
Ransomware is perhaps the toughest one to come to firm conclusions about, with some experts solidly on the side of “okay, if you have to pay, pay,” while others say, “no way.” On the one hand, a business doesn’t want to be shut down as this can be costly. On the other hand, writing a check to the criminals to get your business up and running may seem logical on the surface, but does it make financial sense? The IBM report casts doubt on whether paying is all that economical in the long run. However, it still appears that paying the ransom for some organizations can make sense economically, although not rewarding bad actors.
- Security immaturity in clouds – 43 percent of studied organizations are in the early stages or have not started applying security practices across their cloud environments, observing over $660,000 on average in higher breach costs than studied organizations with mature security across their cloud environments.
Cloud security is another way MSPs can flex their muscle and shouldn’t be shy in doing so. Customers need to understand the value MSPs offer. So often, businesses and people just “stick something on the cloud” and think it’s done and secure. But MSPs that offer security services know better. Simply putting something up into the cloud isn’t good enough. Encryption and MFA are basics, but other areas are often overlooked, such as having a comprehensive offboarding process for departing employees, so they don’t have access to all the material stored on the cloud. A cybersecurity expert I spoke with several weeks ago said, “the lack of good ‘offboarding cyber-hygiene’ causes more problems than most people realize when it comes to security.” An MSP can remedy that by creating a process.
- Security AI and automation leads as multi-million-dollar cost saver – Participating organizations fully deploying security AI and automation incurred $3.05 million less on average in breach costs compared to studied organizations that have not deployed the technology – the biggest cost saver observed in the study.
AI is a no-brainer. As MSPs continue to battle a huge talent gap, AI can help close that at a fraction of the cost. I have seen short-staffed MSPs “muscle up” by implementing AI. While I don’t believe people are yet replaceable as cybersecurity talent, a solid AI-driven security program is the next best thing if the talent isn’t available, and I have seen MSPs close the gap by embracing it. Some MSPs are slow to come around, but they are missing out. And this is an area where the IBM report concurs:
“Businesses need to put their security defenses on the offense and beat attackers to the punch. It’s time to stop the adversary from achieving their objectives and start to minimize the impact of attacks. The more businesses try to perfect their perimeter instead of investing in detection and response, the more breaches can fuel cost of living increases,” said Charles Henderson, Global Head of IBM Security X-Force. “This report shows that the right strategies coupled with the right technologies can help make all the difference when businesses are attacked.”
If you need some summer beach reading, or in this case, “summer breach reading”, you can read the whole IBM report here!