It should be no surprise that the costs associated with a corporate data breach can be high. (The average total cost is now nearly $5 million, according to IBM.) What may be more alarming is the average length of time it takes for businesses to recover from a breach – and what that means for their security teams, business operations, and bottom line.
To unpack these numbers and the rest of IBM’s latest Cost of a Data Breach Report, Michael “Roo” Fey, Head of User Lifecycle and Growth at 1Password, sat down with Troy Bettencourt, a global partner at IBM and head of IBM X-Force, on the Random But Memorable podcast.
Beyond costs, the conversation ranged from AI-powered prevention tools to how executive leadership can make or break a response, even if all the right technology is in place.
To learn more about these topics, as well as Bettencourt’s advice for developing an effective incident response plan, read the interview highlights below or listen to the full podcast episode.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: Can you give a little background on yourself and the work you’ve done in cybersecurity?
Troy Bettencourt: My career started about 20 years ago in cybersecurity in United States federal law enforcement. I worked for an agency focused on cybercrime against U.S. resources, mostly military defense. When I was there, I led some of the largest investigations we’ve had. In the interest of not doxing myself, I won’t drop any particular case names because we were targeted by Anonymous and other groups. So, we’ll try to stay off that radar!
After about nine years of federal cybercrime service across two different agencies, I worked for a security consultancy and then moved into the private sector with IBM two years ago. My background is primarily on the incident response side but my background is definitely on the blue side. I have really smart people on the red side. I took this role in March as the head of X-Force and, as I mentioned, we’re a security consultancy that pretty much brings the full spectrum of blue and red solutions.
MF: Let’s get into the Cost of a Data Breach Report. Can you start off giving us some background on how the research is conducted and the main purpose of the report?
TB: We’ve been doing the Cost of a Data Breach (CODB) Report for 19 years. The 19th-year trend analysis is pretty cool. It’s conducted by a third party, the Ponemon Institute, with whom we partner, and they survey companies that are not just IBM clients.
This is really key because a lot of the ‘this is the state of cybersecurity’ reports out there are all going to have their own aperture. For example, if you’re a managed security service provider (MSSP) or a product company in a specific vertical, you may do a survey or a study of your own clients. Or you may only survey large enterprise or small business. Or maybe you skew towards a sector like financial services or industrial. It narrows the aperture.
We feel the CODB report adds a certain layer that isn’t there in most reports, but I’m not saying it’s better than any of the others. A smart security practitioner should be taking all of these reports, understanding where their data comes from, the methodology behind them, and then really tailoring all of that to be something that’s meaningful for them.
MF: What are some of the most important findings?
TB: Three big ones. First, the impact of breaches isn’t increasing, it’s just continuing. And by impact, costs are part of it. This year was about a 10% year-over-year increase in cost.
Second, we’ve really started focusing on what’s the business disruption, not just the cost itself, but the things that might be a little harder to quantify. Seventy percent of the businesses that were surveyed this year reported significant disruption from their breach, and recovery on average took longer than 100 days.
Companies are already trying to run lean operations with staffing and resourcing that matches what their demand is now, under normal circumstances. When you throw something like a breach on for 100 days, it can overwhelm security teams and infrastructure teams. It’s pretty challenging.
Third is the impact of AI-powered prevention. Right now that’s mostly in the form of security solutions that use AI, like EDR solutions (endpoint detection and response), XDR solutions (extended detection and response), SIEM (security information and event management), SOAR (security orchestration, automation, and response), that area. That saves on average about $2.2 million on breach costs.
Fundamentally, that comes down to what we refer to as the mean time to identify or detect that you’ve been breached. And then the mean time to respond or contain – so how quickly can you get your hands around it and minimize future damage. If you can reduce those times, you reduce costs. With the scale of telemetry nowadays, you need AI to do that. The human mind cannot digest the number of alerts coming out of any of these security solutions in a meaningful way.
MF: Over a quarter of the year spent trying to recover from a breach is wild. That’s a huge disruption.
TB: It’s insane, isn’t it? Take everything else out of it. If you’re a business, that’s 100 days with a lack of laser focus on your objectives and your business operations. And then, the data theft.
Everyone is talking about ransomware. It’s still a risk, I’m not minimizing it. But our report and most others have seen a decline in the use of ransomware. Several years back you started to see ransomware and data theft, and we moved into other threat actor activities. But data theft still continues to be a key objective. It’s getting harder and harder to get ransomware to work impactfully with security tools getting better, but data theft is still pretty easy.
A lot of large enterprises struggle to know where their data is across their disparate enterprise. Particularly hybrid companies if they’re cloud and on-prem and have multiple cloud providers. And the other is understanding the sensitivity and classification of that data across an enterprise, especially if you’re now 30, 40 years into an IT operation. There’s a lot of legacy debt there. There’s a lot of stuff stuffed in little dusty corners, and that’s really where we’re seeing a lot of impact.
MF: Does the report get into causes of data breach? Are there any new trends?
TB: I don’t think we’ve seen significant changes. We’ve seen continuation of trends. One, as I mentioned earlier, reducing the mean time to detect and respond is massive. That can save you up to $2 million a year just in breach costs.
The other is we keep seeing stolen credentials, whether that’s through an info stealer like Raccoon, through compromised breaches like the large ones that we’ve had over the years, or maybe even through targeting an employee at home who uses a remote device to log in and would have credentials stored in a browser, let’s say.
That makes it really difficult because once the threat actor can leverage legitimate credentials, especially if they’re a domain administrator or a privileged account, it can be difficult for a security team to discern what is legitimate activity versus illegitimate activity.
This then slows response, which then increases cost, etc. It’s like if you have to break into a house, the easiest way is to steal the keys. Why go through figuring out how you’re going to get through a window or a lock if you can just steal the keys out of somebody’s pocket and walk in? Same thing for threat actors. It’s the easiest way in, and they’re all about minimal work for maximum financial achievement.
MF: Are there any notable differences in the cost and the frequency of data breaches across different industries? What sectors do you think are most at risk?
TB: I think we see one clear outlier. The most targeted industry with the highest cost is healthcare. It’s 60% higher than the next closest market. If you think about it, that makes sense. Threat actors are trying to target industries where disruption will have a significant impact. The goal is to get a ransom, so you’ve got to make the victim feel pain. Health care is a really easy one. You’re literally impacting people’s lives. We’ve all heard the stories of hospitals that had to shut down and reroute emergency services to other hospitals, which could have an impact on somebody living or dying.
The next markets in order are financial, industrial, and technology. Financial disruptions impact a lot of people, and there just so happens to be money. Industrial: think critical infrastructure-type industrial, as well as large-scale manufacturing that could disrupt supply chains and national economies. And then technology: if you’re a technology provider that services a large number of consumers or businesses, and you can be disrupted, it’s very impactful.
MF: It’s gutting to hear that health care continues to be targeted. It seems like one of those things that would be off limits, and that everyone would just silently agree not to go after. It’s really disheartening to hear that’s not the case.
TB: It really is. And there was one a couple of years ago, it was out of one of the Scandinavian countries, if I recall. To make it even worse, it was a mental health provider. All the records were compromised and the threat actors started reaching out to the patients individually and threatening to disclose their mental health treatment records to family members, employers, etc. And I just thought: “How dirty is that? Is there no low bar that they won’t cross?” And clearly it appears there’s not.
MF: Let’s talk about cost. What was the average cost of a data breach in 2024?
TB: The average cost is $4.88 million globally. The report’s pretty extensive. We break it down by country so you can look to see if there’s anything regional or impactful in the particular countries in which you operate. We also break it down by industry. We also categorize the four main components that are contributing to cost this year.
One is lost business cost. What are those costs that you’re impacted by because your business can’t continue to operate? That could be disruption, revenue losses, system downtime, customer churn, reputational damage. This has remained relatively flat – a couple of percent increase this year.
Detection and escalation, which is the traditional thing we think of when we talk about response, forensics, investigative activity, audit, crisis management, communication. These costs have risen about 33% since 2019. So definitely seeing some costs there. That’s really notable because cyber insurance generally has driven down response costs because they’ve tightened the rates at which they’ll pay outside providers. So, to have that significant of an increase while also seeing significant down pressures on costs really shows that the costs are still on an upward trajectory.
Next, post-breach response, that is things like staffing the help desk, credit monitoring for victims, identity protection, new accounts, credit cards, all of that. Those costs have increased about 26% since 2019.
The biggest jump in costs is notifications. That’s emails and letters going outbound to consumer victims of the companies that were breached, regulatory compliance, things like that. They’ve jumped 104% since 2019. But I should note that they are only 7% of the total costs, so a 100-plus percent increase in this small number isn’t huge.
But I think it’s a clear indicator that we’re seeing a lot more regulatory controls around data breaches. You go back to 2019, you didn’t have a lot. Between then and now, we have General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), the Brazilian data privacy regime, New York has one. You just start adding them all up and you can see why those costs have increased.
MF: What are the modern challenges facing organizations when it comes to protecting and navigating data breaches? You talked about AI but are there any other technology advancements that are making it easier or more difficult for businesses?
TB: This could be an entire research dissertation – there’s a lot here.
On one hand, security practitioners like myself and the folks that work with me have never had more powerful tools at our disposal. If I think back 20 years ago and compare what we had versus what we have now – what operating systems did as far as recording information and the data and the logging and the fidelity – it’s insane what we have access to. But that creates a problem where you have too much data. How do you do anything with it? That’s really where the technology adds value. That’s where AI and machine learning and building automated processes really make us more powerful.
On the other hand, from the defense perspective, environments have become a lot more in flux. Twenty years ago, maybe you had an Active Directory controller, maybe used LDAP (lightweight directory access protocol) for authentication of local accounts. Everything was really an enclave. Other than your firewall, there was no exposure to the internet. You had a really defined limited perimeter that you could secure.
As we move to cloud, other platforms, to SaaS, now all of a sudden everywhere on the internet is part of your threat exposure and you have to defend it. And if it’s a shared responsibility with maybe a SaaS provider or a cloud platform provider, now there’s obligations on the company to manage it as well as their partners. All of that adds tons of complexity and makes it harder to defend.
Overall, the trends have been relatively similar. Unfortunately, most are upward, but there’s not anything that’s been hugely groundbreaking. I think the real big thing people will talk about is the three-legged stool: people, process, and technology. Often we focus so much on the technology because it’s such a huge multiplier force, but under-investments in the people or immature processes, really can hinder the ability to leverage the potential of that technology. I don’t want us to lose focus on those areas as well.
MF: Let’s talk about the process part of the stool. What are some of the best practices for developing an effective incident response plan?
TB: I would say don’t start with the incident response plan. That might sound weird coming from someone with my background. But first, do a business impact analysis. What are the most important things in your business? What would it take to have a minimum viable business if you had an incident?
People might think: “Well, I’m a manufacturing company.” Clearly the manufacturing floor is most important. Maybe it is, maybe it isn’t. Maybe you’re not just-in-time manufacturing. You have enough in a warehouse to manage through those blips, and you want to focus more on the logistics side, the distribution, that might be important.
You definitely want to focus on Active Directory. It may not be sexy or exciting but without Active Directory most modern enterprises can’t function at all. It all shuts down. How do you communicate with your regulators, your incident response team, your outside counsel, your clients because email is based upon that?
After you figure out your key impacts and what the minimum viable business is, ask the question: Where does your data sit? Where do your assets sit and what are they? It’s hard to defend if you don’t know what you have to defend. That’s really important.
Once you have all of that, let’s talk incident response plan. Whether that’s through NIST or others that businesses may want to align to. They should use those previous parts as inputs. The other thing is to be careful about just downloading an off-the-shelf plan or having AI generate one for you because they should be tailored to your business. Again, the business impact analysis, minimal viable business.
Once you have it, practice, practice, practice. In our industry, we say you have two times to do a crisis simulation exercise. One you choose, one the threat actor chooses. It’s much better if you get to choose the timing.
Lastly, an executive focus. The impact of a phenomenal technical response can be squandered with poor executives. And what I mean by that is not to cast aspersions on executives, but there’s a lot of decisions that need to be made in these critical moments.
It doesn’t matter how good the technical response is, if the decision making hasn’t been exercised, and people don’t know their roles, and they haven’t been trained, they are likely to make wrong decisions. There’s plenty out there in the press, where you can look at very similar breaches and one’s considered a wonderful response and one’s considered pretty bad. The underlying technical response was pretty equal, it was the front-end decision making that was the difference.
MF: Can you talk about where folks can go to learn more about you, IBM, and the Cost of a Data Breach Report?
TB: LinkedIn is the way to get me. There’s really not much in the way of social media otherwise. You’ve got to keep a minimal profile.
For the data breach report, check out ibm.com/reports/data-breach. You can download it and really dig through it. I really encourage everyone to start at the bottom with the methodology. Again, going back to that aperture, I don’t want people to read through the report and make assumptions. It’s better to start with the methodology then go back to the top so you’re in the right frame of mind to understand the report.