
2023 Cost of a Data Breach Study – Ep 419 

August 11, 2023

By Donna Grindle

As in years past, we dive into IBM’s 2023 Cost of a Data Breach Report. This annual study sheds light on the ever-evolving landscape of data breaches and provides valuable insights for organizations looking for ways to focus their efforts and money to help prevent and reduce the costs associated with a data breach.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

HIPAA Briefs

[05:55] Does HIPAA apply to all health care records? No, it does not. Not all health information is protected health information under HIPAA. It only applies when you fall under HIPAA as a covered entity or the work you do makes you a business associate of a covered entity or another business associate. And that’s not all cases.

HIPAA Say What!?!

[09:19] ClearDATA commissioned The Harris Poll to conduct a survey among more than 2,000 US adults aged 18 and older. They wanted to understand how patients viewed the privacy and security of their PHI.

“In it, we found that as many as 81% of Americans assume that all protected health data collected by digital health apps is protected under HIPAA.” – ClearDATA Report

The data showed that many people assume they are protected by HIPAA when they are not. It is a continuation of the long-running debate over what HIPAA requires, driven largely by people who know very little about what it actually takes to manage it.

2023 Cost of a Data Breach Study

[16:57] Cost of a data breach 2023 | IBM – USD 4.45M global average total cost of a data breach (2023 Cost of a Data Breach Survey).

53.3% – Since 2020, healthcare data breach costs have increased 53.3%. The highly regulated healthcare industry has seen a considerable rise in data breach costs since 2020. For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of USD 10.93 million.

82% – The percentage of breaches that involved data stored in the cloud (public, private or multiple environments). Cloud environments were frequent targets for cyberattackers in 2023. Attackers often gained access to multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than-average cost of USD 4.75 million.

$1.44M – Increase in data breach costs for organizations that had high levels of security system complexity. Organizations that reported low or no security system complexity experienced an average data breach cost of USD 3.84 million in 2023. Those with high levels of security system complexity reported an average cost of USD 5.28 million, representing an increase of 31.6%.

$1.49M – Cost savings achieved by organizations with high levels of IR planning and testing. In addition to being a priority investment for organizations, IR planning and testing emerged as a highly effective tactic for containing the cost of a data breach. Organizations with high levels of IR planning and testing saved USD 1.49 million compared to those with low levels.

[25:57] The cost of a data breach has been on the rise. Now, according to this study, the total cost of a data breach is $4.45 million. We don’t anticipate that it will go down. Even when you look at the per record cost of a data breach, it did the same thing. It did dip a bit between 2019 and 2020 but then skyrocketed back up in 2021 and has kept rising.

When you look at the cost of a data breach by industry, once again healthcare is at the top of the list. It’s almost twice as much as the financial industry, which is in the #2 position. The cost of a data breach in healthcare rose almost $1 million from 2022 to 2023, while the cost in the financial industry dropped between those two years. Several of the industries in the list had data breach costs go down between 2022 and 2023.

So, when we look at that $4 million number, it’s health care that’s driving that number up. Healthcare breaches are the reason the average is so high.

[32:33] Only 1 in 3 data breaches are caught by the company’s own tools and people. Only one-third.

In 2022, it took organizations 207 days to identify a breach. In 2023, it took only 204 days. On the other hand, organizations required an average of 73 days to contain breaches in 2023, while they required just 70 days on average in 2022. The highest mean times to identify and contain breaches both occurred in 2021, at 212 and 75 days, respectively.

  • Organizations with fewer than 500 employees reported that the average impact of a data breach increased from USD 2.92 million to USD 3.31 million, or 13.4%.
  • Those with 500–1,000 employees saw an increase of 21.4%, from USD 2.71 million to USD 3.29 million.
  • In the 1,001–5,000 employee range, the average cost of a data breach increased from USD 4.06 million to USD 4.87 million, rising nearly 20%.
  • In the 10,001–25,000 range, respondents reported an average cost of USD 5.46 million, a decrease of 1.8% from 2022’s figure of USD 5.56 million. Organizations with more than 25,000 employees saw the average cost drop from USD 5.56 million in 2022 to USD 5.42 million in 2023, a decrease of USD 140,000 or 2.5%.

[37:48] The cost and frequency of a data breach by the initial attack vector, which means how an attack actually gets started. This is where you can use the 80/20 rule to help determine where to put your money, or where you need to focus your efforts, to get the bigger bang for your buck in helping to prevent cyber attacks.

Phishing is still the biggest problem. 16% of the time the attack is caused by someone falling for a phishing scam. And then not too far behind phishing is stolen or compromised credentials. The thing about that is stolen or compromised credentials probably happened because of a phishing scam.

That being said, the ones that are going to cost the most when they happen are malicious insiders, business email compromise, stolen credentials and phishing.

How to Save Money During a Data Breach

[41:04] Having a 200-day response plan, one designed to get everything discovered and cleaned up in less than 200 days, saves a lot of money, almost $1 million. The best way to keep it under 200 days is to have a response plan AND TEST IT!

New this year, the research examined how organizations prioritize risks and vulnerabilities and how this impacted the cost of a data breach. Organizations with more proactive and risk-based vulnerability management, such as vulnerability testing, penetration testing or red teaming, experienced lower than average data breach costs compared to organizations that relied solely on the industry-standard Common Vulnerabilities and Exposures (CVE) glossary and the Common Vulnerability Scoring System (CVSS). Generally, proactive risk management efforts involve the organization’s IT security team adopting the perspective of a potential attacker to determine which vulnerabilities are exploitable and can cause the most harm.
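To make the difference between CVSS-only and risk-based prioritization concrete, here is an added example (not from the episode or the IBM report). It scores a constructed list of findings twice: once by raw CVSS base score, and once by a risk score that also weighs whether an exploit is known, whether the asset is internet-facing, and whether it holds PHI. The weights and the finding data are assumptions for illustration only.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str          # placeholder identifier, constructed for this example
    cvss: float           # base score as a scanner would report it
    exploit_known: bool   # is a working exploit known to be used in the wild?
    internet_facing: bool
    holds_phi: bool       # does the asset store or process PHI?


def risk_score(f: Finding) -> float:
    """Risk-based score: CVSS is the starting point, not the answer.
    Multipliers are assumptions for illustration, not values from the report."""
    score = f.cvss
    if f.exploit_known:
        score *= 1.5      # exploitable today outranks theoretical severity
    if f.internet_facing:
        score *= 1.3      # reachable without an insider or phished foothold
    if f.holds_phi:
        score *= 1.4      # a breach here is a reportable HIPAA incident
    return score


def prioritize(findings, cvss_only=False):
    """Return vulnerability ids in the order they should be worked."""
    key = (lambda f: f.cvss) if cvss_only else risk_score
    return [f.vuln_id for f in sorted(findings, key=key, reverse=True)]


# Constructed sample findings; asset names and ids are invented.
SAMPLE = [
    Finding("internal-jump-host", "VULN-1", 9.8, False, False, False),
    Finding("patient-portal",     "VULN-2", 7.5, True,  True,  True),
    Finding("hr-fileserver",      "VULN-3", 8.1, False, False, True),
    Finding("dev-wiki",           "VULN-4", 6.5, True,  True,  False),
]

if __name__ == "__main__":
    print("CVSS only :", prioritize(SAMPLE, cvss_only=True))
    print("Risk based:", prioritize(SAMPLE))
```

With CVSS alone the 9.8 on an isolated jump host comes first; once exploitability and PHI exposure are weighed, the exploited, internet-facing patient portal moves to the top.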

[47:15] According to this study, there are 4 key ways to help you save money as a result of a data breach.

The same things that help save costs in a data breach really haven’t changed a lot.

  • Have an Incident Response team with a plan that they have tested.
  • Don’t make the plan too complicated.
  • Respond quickly.

In a world where data breaches are as common as pigeons in the park, it’s essential to understand the risks, learn from the experiences of others, take proactive steps to better secure your networks and create and test plans that can help to reduce the costs of a data breach.


HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
