Keep It Simple: Security System Complexity Correlates With Breach Costs
Published on August 23, 2023
By Max Dorfman, Research Writer, Triple-I
Artificial intelligence is helping to limit the costs associated with data breaches, a recent study by IBM and the Ponemon Institute found. While these costs continue to rise, they are increasing more slowly for some organizations – in particular, those using less-complex, more-automated security systems.
According to the study, the average cost of a data breach was $4.45 million in 2023, a 2.3 percent increase from the 2022 cost of $4.35 million. The 2023 figure represents a 15.3 percent increase from 2020, when the average breach was $3.86 million.
However, not all organizations surveyed by the study experienced the same kinds of breaches – or the same costs. Organizations with “low or no security system complexity” – systems in which it is easier to identify and manage threats – experienced far smaller losses than those with high system complexity. The average 2023 breach cost $3.84 million for the former and a staggering $5.28 million for the latter. For organizations with high system complexity, this is an increase of more than 31 percent from the year before, amounting to an average of $1.44 million.
As David W. Viel, founder and CEO of Cognoscenti Systems, put it: “The size and complexity of a system directly results in a greater number of defects and resulting vulnerabilities as these quantities grow. On the other hand, the number of defects and cybersecurity vulnerabilities shrinks as the system or component is made smaller and simpler. This strongly suggests that designs and implementations that are small and simple should be very much favored over large and complex if effective cybersecurity is to be obtained.”
The research also noted that organizations that involved law enforcement in ransomware attacks experienced lower costs. The 37 percent of survey respondents that did not contact law enforcement paid 9.6 percent more than those that did, and their breaches lasted an average of 33 days longer. These longer breaches tended to cost organizations far more: breaches with identification and containment times under 200 days averaged $3.93 million, while those over 200 days cost $4.95 million.
AI and automation are proving key
Security AI and automation both proved to be significant factors in lowering costs and reducing the time to identify and contain breaches. Organizations using these tools reported times to contain the breach that were 108 days shorter, and data breach costs that were $1.76 million lower, than organizations that did not use them. Organizations with no use of security AI and automation experienced an average of $5.36 million in data breach costs, 18.6 percent more than the average 2023 cost of a data breach.
Now, most respondents are using some level of these tools, with a full 61 percent using AI and automation. However, only 28 percent of respondents extensively used these tools in their cybersecurity processes, and 33 percent had limited use. The study noted that this means almost 40 percent of respondents rely only on manual inputs in their security operations.
Cyber insurance demand is growing
A recent study by global insurance brokerage Gallagher showed that the vast majority of business owners in the U.S. – 74 percent – expressed extreme or very high concern about the impact of cyberattacks on their businesses. Indeed, a study by MarketsandMarkets found that the cyber insurance market is projected to grow from $10.3 billion in 2023 to $17.6 billion by 2028, noting that the rise in threats like data breaches, ransomware, and phishing attacks is driving demand.
Organizations are now responding more thoroughly to these threats, with increased underwriting rigor helping clients progress in cyber maturity, according to Aon’s 2023 Cyber Resilience Report. Aon states that several cybersecurity factors, including data security, application security, remote work, access control, and endpoint and systems security – all of which experienced the greatest improvement among Aon’s clients – must be continually monitored and evaluated, particularly for evolving threats.
Insurers and their customers need to work together to more fully address the risks and damages associated with cyberattacks as these threats continue to grow and businesses rely ever more heavily on technology.