those organizations that pay the ransom are often targeted again within months, increasing the financial losses even more
Gee, who could have guessed?
The costs incurred by organizations suffering data losses continue to go up, and 60 percent of companies surveyed by IBM said they were passing them onto customers. According to Big Blue, the average cost of a data breach worldwide rose almost 13 percent over the past two years, hitting an all-time high of $4.35 million. In …
Nonetheless, it is a good thing to point them out.
However, the clincher is in the last paragraph:
"organizations using security AI and automation technologies had average data breach costs that were $3.05 million less than those that weren't"
No points for guessing who sells "security AI".
This whole report is just a sales pitch for IBM who is trying to scare customers into signing up for its products.
Zero trust only saves you a million. We can save you 3 million.
Sure, they're selling something. But they're not wrong in pointing out that the costs of decent prevention are much lower than the costs of a catastrophic breach. Burglar alarm manufacturers did the same thing.
Passing the costs of attacks onto customers does of course also make you uncompetitive on price compared with a better secured competitor.
The trouble is, that assumes there *is* a better secured competitor.
My experience is that there are lots of small companies all taking a fairly relaxed attitude to security, whose market niches are sufficiently narrow that they only have a handful of competitors - who are similarly relaxed.
And the cost to the customer of switching providers is often quite significant, too. Think data migration. It's not the sort of thing you want to do every year.
So yeah, in theory the company that invested in more security up front has a potential advantage - but then, so does the company that doesn't (because it saves the cost of that investment). And advantage against whom, anyway?
If a company has flexibility in its pricing such that it can charge customers more, it isn't charging enough.
An ideally run company should already be charging the maximum it can extract from customers, to the point where if they increase prices they will lose business and make less money in the long run.
Because every company operates in a perfectly competitive market with identical products, perfect information for all participants, and zero costs of switching suppliers?
Look, Econ 101 is a decent start, but it's only a start. There's a lot more to be learned after that.
Of course companies pass on costs to customers, they always do.
It is even a good thing if they do it for costs of cyber attacks. In the end those that manage to prevent those cyber attacks from happening (frequently) will have lower prices and that will create pressure on those that only give lip service "your data's security is of utmost importance to us".
As other commentards have already pointed out the article is more of a sales pitch.
>Ninety-four percent of today's enterprises find at least 20 percent of their endpoints are unprotected<
What does "unprotected" mean here - I assume not covered by a cybersecurity suite?
Doesn't have to be a problem, a hardened server in a DMZ isn't really a problem.
I have a hard time believing that bigger enterprises will have 20% of their computers connected to the internet without even a firewall in between.
"I have a hard time believing that bigger enterprises will have 20% of their computers connected to the internet without even a firewall in between."
You'd be surprised unfortunately. Many companies don't even know what kit they are running - let alone the challenges with misconfigured cloud services, and shadow IT introduced by the business teams.
It isn't. Businesses charge the amount that makes them the most profit.
In effect that means charging as much as they can without pricing themselves out of too many sales.
There should be no room for upward movement of the price because they are meant to be gouging you already.
The maximum amount that a company can gouge out of its customers takes into account the amount by which it may need to increase it should the company's costs suddenly increase, such as by being asked to pay a large ransom. Without room to manoeuvre, a maximally-gouging company would fail as soon as it had a moment's trouble in its supply or manufacturing pipelines, because it would be unable to increase prices to cover higher costs.
"Organizations would be better served by investing in cyber-hygiene tools and threat hunting skills than to keep throwing money at point solutions that continue to fail them"
This has always been the case. Business infosec is almost entirely reactive. This is the equivalent of skirmishing in bandit territory against locals who know the geography while you don't. The outcome is continuous attrition of your forces with nothing much to show for it.
The preferable solution is pre-emptive resilience, making you a harder target. This causes the majority - trivial attacks that would otherwise succeed - to just bounce off harmlessly, leaving plenty of resources to deal with the more dangerous minority. But to succeed it does need changes to corporate culture. The triumph of 'convenience' over common sense needs to be reversed, and the susceptibility of the executive and their technophiles to marketing hype must be significantly reduced. Both will be hard to achieve.
You may not be a customer any more, but there are loads who are. Or join afterwards.
Since the fines are generally as near zero as makes no difference, the small cost of cleaning up is usually cheaper than paying for security.
This only works because companies are not reduced to smoking holes in the ground by the fines for losing customer data. A couple of those, and the problems will go away.
Well... duh. Companies are not 'people'; everything is just income or expenditure to them. They can offset any expense by increasing prices, reducing staff remuneration or (in extreme cases) cutting shareholder dividends. If a cost is experienced equally by their competitors they have no reason to do otherwise. Like corporation tax.