October 22, 2021
Author: Chris Hockings, Chief Technology Officer (Cyber Security), IBM Australia and New Zealand
Cybercriminals can fly under the radar, making one type of breach harder to detect and more costly than others. Credential-related breaches take 250 days to discover, on average, and another 91 days to contain, according to the global IBM-Ponemon Institute Cost of a Data Breach 2021 report.
They cost US$4.37 million each, on average, and account for 20 percent of all breaches – making them the most common of all initial attack vectors.
It’s a threat that seems to have been exacerbated by the rapid shift to remote working during the COVID-19 pandemic.
The cost of Australian breaches surges
In Australia, the average cost per data breach surged to A$3.87 million (US$2.82 million) – an increase of 31 percent between May 2020 and March 2021.
That cost per breach is still markedly lower than in many other countries, but it grew faster than in any other Western country, placing Australia third globally behind only Latin America (52 percent growth) and South Africa (50 percent).
Such a high rate of growth suggests that we need to look at what changed during that time. Remote working and learning seem the most likely causes, as Australian employees and students shifted en masse to their homes virtually overnight.
The Cost of a Data Breach report confirmed a strong correlation between the proportion of employees working from home and the average cost of a data breach.
In companies where around half of employees were working from home, the average cost of data breaches was US$3.15 million. By contrast, breaches in companies with 81 percent to 100 percent of home workers cost US$5.54 million.
These costs suggest that remote working has unleashed a plague of new security vulnerabilities that are often being left unresolved by overworked cybersecurity staff.
Locked down with little to do but test corporate defences over and over again, cybercriminals have exploited these vulnerabilities with great success.
How credential-related attacks are increasing
IBM’s cybersecurity teams have been warning of the dangers of stolen credentials for years, watching as cybercriminals steal and redistribute username and password combinations in their millions. But with workforces distributed well beyond traditional office security perimeters, this has reached new heights.
The largest ever compilations of credentials leaked online this year, including RockYou2021 and COMB, which contain 8.4 billion and 3.2 billion passwords, respectively.
Cybercriminals use these details to try to access other websites, operating under the (usually correct) assumption that many employees reuse the same passwords across different sites and services.
An underlying problem is the process of setting up new accounts, which we all know can be painful. We are in a hurry. We want to get started on a new service quickly, so what do we do? Eighty percent of Australians typically reuse a password they have already used for another account. Almost 40 percent said they almost always did.
The study shows that Australians set up seven additional online accounts on average during the pandemic, and that 65 percent expected the process to take less than five minutes. More accounts mean more passwords, increasing the risk that people would use ones they have used before.
This makes it easy for cybercriminals. All they need is one successful hit, and they’ve got themselves an attack vector. One successful hit lets criminals access a business email, productivity or other system, which they can then piggyback on to reach still other systems – all while masquerading as an authorised user and enjoying that user’s network access privileges.
Cybercriminals may choose to lurk quietly on the network, looking for valuable data such as customer personally identifiable information (PII). The report found that stolen customer PII costs US$180 per record on average. Leaked employee PII costs US$176 per record and intellectual property data US$169 per record.
Once they have leveraged credentials to access the network, malicious actors might choose a more direct approach. They abuse their ill-gotten network access to infect the network with ransomware that may shut down a business, forcing the executive to consider a multi-million-dollar ransom demand.
Security automation and AI are paying off
The problem isn’t a lack of knowledge about how to fix these weaknesses: stronger credential management is one of the key steps outlined in the Australian government’s Essential Eight cyber security model, which recommends numerous restrictions on privileged user accounts.
Yet knowing how to do something and actually doing it are different things. With so many vectors of compromise to manage, many cybersecurity experts are finding that just keeping up with the threats is extremely difficult – much less staying ahead of them.
But while this is bad news, the Cost of a Data Breach report also offers valuable advice for cybersecurity professionals. It identifies the improvements that can be achieved by deploying modern AI-driven security automation tools.
By processing and filtering security alerts at high speed, security automation has become the only way for cybersecurity experts to keep up with the volume of cybersecurity compromises. The report’s findings confirm that automation saves money and time.
Companies with fully deployed security automation were able to identify threats in just 184 days and contain them in 63 days, on average – much faster than the 239 days and 85 days, respectively, that it took companies without automation.
The use of supporting data-driven technologies was correlated with significantly reduced cost per breach. For example, companies using AI platforms in a mature way reported an average cost per breach of US$3.3 million compared with US$4.79 million – a 31 percent reduction.
Similarly, the mature use of security analytics reduced the average cost from US$4.67 million to US$3.35 million.
The report also confirms that when it comes to security, a simpler approach to enterprise architecture is easier to defend. Companies with less complex systems also reported significantly lower costs per breach – US$3.03 million on average, compared with US$5.18 million in highly complex environments.
If you’re not managing your access credentials securely, you are leaving your organisation open to a data breach, one that will likely cost more and take longer to discover than compromises caused by other methods. As the financial and business costs of breaches continue to mount, embracing automation and reining in credentials is a great way to limit your business’s exposure to a data breach. Hopefully, the Cost of a Data Breach 2021 report will support the kind of proactive conversations you need to have to make this happen. Hopefully, it will help you take some pressure off your team.