Are we fighting a losing battle when it comes to cybersecurity? Regardless of the effort and expense, data breaches keep occurring. IBM’s latest Cost of a Data Breach report, released last week, found that the cost of data breaches is reaching record highs in Australia (AUD4.03 million), ASEAN (US$3.05 million) and South Korea (KRW4,536 million).
Banking and financial services were the hardest hit sector across this region. Other sectors that suffered data breaches included industrial, services, energy, education and technology. It’s become a business imperative to protect assets and secure data.
The reality is that data is the lifeblood of businesses. The insights derived from data contribute to business growth. With data, businesses are able to define product preferences, enhance customer engagement, reduce service churn, drive growth and much more.
Businesses that used AI and automation widely across their organisations were able to identify and contain data breaches quickly, saving an average of US$1.76 million compared to those that did not.
So, how can businesses fight against the growing tide of data breaches, especially with the dark web having grown over 300% since 2017? Attackers will keep finding ways to infiltrate corporate networks and exploit employees through social engineering. Clearly, data breaches are not going away anytime soon. But they can be contained and prevented from inflicting more harm on business operations.
For decades, the common practice for data resilience has consisted of systems of snapshots. Data is backed up to an archive at set intervals, and when things go wrong with the local copy, administrators can simply go back and pull from the most recent clean data to replace any problematic files.
But over time, cyberattacks have become more sophisticated and can infect the working data and the snapshots as well. This leaves compromised organisations with a difficult decision: spend countless hours poring through backups in search of uninfected data, or simply pay the ransom.
The cost of carrying out a protracted recovery effort can exceed the price of simply ponying up to the attackers. And even when successful, there’s bound to be a significant amount of data lost between the start of the breach and the end of recovery.
Automation and Security AI
The good news is that our report found that, globally, businesses that used AI and automation widely across their organisations were able to identify and contain data breaches quickly. They experienced a data breach lifecycle that was 108 days shorter than that of studied organisations that had not deployed these technologies, saving an average of US$1.76 million compared to those that did not. Those with an incident response (IR) plan in place were able to save US$1.49 million, and those who integrated security into the software development cycle saved an estimated US$1.68 million.
However, the report also found that detection and escalation costs made up the bulk of budget allocation, growing 15% from 2022. At first glance, it would seem that a bigger budget allocation for cybersecurity does not reduce security risks and that businesses would have no choice but to keep increasing budgets to mitigate risks. But if we look a little deeper, it becomes clear that businesses have to move beyond breach notification and response to an automated response posture.
Many businesses are already using AI across the incident detection, investigation and response lifecycle. The days of simple pattern recognition and rule-based detection are reaching a tipping point as AI for security operations continues to mature. Our study found that 62% of ASEAN CEOs expect to realise significant value from advanced AI over the next three years.
With automation and advances in AI, businesses can now develop automated response workflows and recommend actions based on previous response patterns to mitigate cyberthreats. An orchestrated response, without human intervention, provides the much-needed speed and efficiency to secure organisational assets and data.
Secure to the core
It is never too late to start protecting corporate assets and reducing employee vulnerability. Businesses can begin to halt the financial and reputational impacts of a data breach by adopting the following recommendations:
1. Build security into every stage of software development and deployment, and test regularly: Regulatory requirements continue to become more intricate, especially as technology becomes more intertwined with everyday activities and software becomes more feature-rich and complex. A DevSecOps approach is essential to building security into any tools or platforms an organisation depends on to engage its workforce or its customers. Security should be at the forefront of the software businesses are developing. This also includes the commercial off-the-shelf software that is being deployed. Application developers must continue to accelerate the adoption of the principles of secure by design and secure by default, to ensure that security is a core requirement considered during the initial design phase of digital transformation projects and not simply addressed after the fact. The same principles must also be applied to cloud environments to support cloud-native app development, protect user privacy and minimise attack surfaces. Application testing or penetration testing from the perspective of an attacker can also give organisations the opportunity to identify and patch vulnerabilities before they turn into breaches. No technology or application will ever be fully secure, and adding more features introduces new risks. Hence, ongoing application testing is essential to help organisations identify new vulnerabilities.
2. Modernise data protection across hybrid cloud: Data is being created, shared and accessed at unprecedented scale across multi-cloud environments. Fast-paced adoption of new cloud applications and services is also compounding the risk of “shadow data” — sensitive data not being tracked or managed — increasing security and compliance risks. In this region, 82% of reported data breaches involved data stored in cloud environments, and 39% of breaches included data that spanned multiple types of environments. The cost and risk of these data breaches are compounded by an ever-evolving matrix of regulations and stiff penalties for non-compliance. In the wake of these challenges, gaining visibility and control of data spread across hybrid cloud should be a top priority for organisations of all types and should include a focus on strong encryption, data security and data access policies. Companies should seek data security and compliance technologies that work on all platforms, allowing them to protect data as it moves across databases, applications and services deployed across hybrid cloud environments. Data activity monitoring solutions can help ensure proper controls are in place while actively enforcing these policies — for example, early detection of suspicious activity and real-time blocking of threats to critical data stores. Additionally, newer technologies such as data security posture management can help find unknown and sensitive data across the cloud, including structured and unstructured assets within cloud service providers, software as a service (SaaS) properties and data lakes. This can help identify and mitigate vulnerabilities in underlying data store configurations, entitlements and data flows.
As organisations continue to move further into hybrid multi-cloud operations, it’s essential to deploy strong identity and access management (IAM) strategies that include technologies such as multifactor authentication (MFA), with particular focus on managing privileged user accounts that have an elevated access level.
3. Use security AI and automation to increase speed and accuracy: Extensive use of security AI and automation across the organisation brought not only financial savings but also accelerated the time to identify and contain a breach by more than 100 days compared to organisations that did not use advanced technologies. Security teams can benefit from having security AI and automation embedded throughout their tool sets. For example, using security AI and automation across threat detection and response tools can help analysts detect new threats more accurately and contextualise and triage security alerts more effectively. These technologies can also automate portions of the threat investigation process or recommend actions to speed response. Additionally, AI-driven data security and identity solutions can help drive a proactive security posture by identifying high-risk transactions, protecting them with minimal user friction and stitching together suspicious behaviours more effectively. When applying AI within your security operations, look for technologies that offer trusted and mature use cases with demonstrated accuracy, effectiveness and transparency, to eliminate potential bias, blind spots or drift. Organisations should plan an operational model for AI adoption that supports continuous learning as threats and technology capabilities evolve. Organisations can also benefit from an approach that tightly integrates core security technologies for smoother workflows and the ability to share insights across common data pools. Chief information security officers (CISOs) and security operations (SecOps) leaders can also use threat intelligence reports to help with pattern recognition and visibility of emerging threats.
4. Strengthen resiliency by knowing your attack surface and practising incident response: Understand your exposure to the attacks most relevant to your industry and organisation, and prioritise your security strategy accordingly. Tools such as attack surface management (ASM) or techniques such as adversary simulation can help organisations gain an attacker-informed perspective on their unique risk profile and vulnerabilities, including which vulnerabilities are readily exploitable. Additionally, having a team in place that is already versed in the right protocols and tools to respond to an incident has been shown to significantly reduce costs and the time to identify and contain a breach. IR planning and testing also helped organisations in this region resolve incidents 54 days faster. Form a dedicated IR team, draft IR playbooks and regularly test IR plans in tabletop exercises or simulated environments such as a cyber range. Having an IR vendor on retainer can also help speed the time to respond to a breach. Lastly, organisations should look to implement network segmentation practices to limit the spread of attacks and the extent of damage they can cause, strengthening overall resiliency and reducing recovery efforts.
These recommendations may be familiar and already in motion at some organisations. But the difference today is the availability of “enterprise-grade” AI-driven security capabilities and automation. That would put businesses squarely on the path to securing their organisations’ assets and data right to the core.
About YT Kim
Yongtae (YT) Kim is the Security Leader for IBM ASEANZK (Australia, Southeast Asia, Korea and New Zealand). He has 22 years of experience in the IT industry, helping organisations in the region develop and implement cybersecurity strategies to protect data and assets. A political science graduate from Korea University, YT also attended an MBA training program run by IBM at Boston University.