The average cost of a data breach in ASEAN countries, including in Singapore, reached an all-time high of US$3.05 million in 2023 – a 6% increase year-to-year, according to the recently released Cost of a Data Breach Report commissioned by IBM Security.
The report also showed that detection and escalation costs jumped 15% over this same time frame, representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations.
The 18th edition of the report, which is published annually, is based on in-depth analysis of real-world data breaches experienced by 553 organisations globally between March 2022 and March 2023.
It is conducted by Ponemon Research and analysed by IBM Security.
The ASEAN region includes a cluster sample of companies located in Singapore, Indonesia, the Philippines, Malaysia, Thailand and Vietnam.
AI picks up speed
One of the key findings revealed the impact of AI and automation on the speed of breach identification and containment for organisations polled for the research.
In ASEAN countries, including in Singapore, organisations with extensive use of both AI and automation experienced a data breach lifecycle that was 99 days shorter with nearly US$1.25 million lower data breach costs compared to studied organisations that have not deployed these technologies – the biggest cost saver identified in the report.
“In addition to time to identify and contain a data breach, extensive security AI and automation use is also a crucial factor that delivers significant cost savings to organisations in ASEAN countries,” said Chris Hockings, chief technology officer, IBM Security, Asia Pacific.
“In 2023, the industry is reaching a tipping point in the maturity curve for AI in security operations where enterprise grade AI capabilities can be trusted and automatically acted upon via orchestrated response. This will unlock tangible benefits for speed and efficiency, which are desperately needed in today’s business landscape where early detection and fast response can significantly reduce the impact and losses of businesses.”
Chris Hockings, IBM Security
The report also quantified the cost of silence to companies that suffered ransomware attacks. Globally, ransomware victims in the study that involved law enforcement saved nearly half a million dollars or US$470,000 in average costs of a breach compared to those that chose not to involve law enforcement. Despite these potential savings, 37% of ransomware victims studied did not involve law enforcement in a ransomware attack.
According to the 2023 IBM report, globally businesses are divided in how they plan to handle the increasing cost and frequency of data breaches. The study found that while 95% of studied organisations have experienced more than one breach, breached organisations were more likely to pass incident costs onto consumers (57%) than to increase security investments (51%).
Ransomware “discount code”
Furthermore, the research pointed to detection gaps among the polled companies. At a global level, only one third of studied breaches were detected by an organisation’s own security team, compared to 27% that were disclosed by an attacker. Data breaches disclosed by the attacker cost nearly US$1 million more on average compared to studied organisations that identified the breach themselves.
Some studied organisations remain apprehensive about engaging law enforcement during a ransomware attack due to the perception that it will only complicate the situation.
For the first time this year, the IBM report looked closer at this issue and found evidence to the contrary. At a global level, participating organisations that did not involve law enforcement experienced breach lifecycles that were 33 days longer on average than those that did involve law enforcement – and that silence came with a price. Ransomware victims studied that didn't bring in law enforcement paid on average US$470,000 higher breach costs than those that did.
Despite ongoing efforts by law enforcement to collaborate with ransomware victims, 37% of respondents still opted not to bring them in. In addition, nearly half (47%) of studied ransomware victims reportedly paid the ransom.
“It’s clear that organisations should abandon these misconceptions around ransomware. Paying a ransom, and avoiding law enforcement, may only drive up incident costs, and slow the response.”
Chris Hockings, IBM Security
Security teams poor at detecting breaches themselves
According to IBM’s 2023 Threat Intelligence Index, defenders were able to halt a higher proportion of ransomware attacks last year. However, threat actors are still finding ways to slip through the cracks of defense.
Globally, the report found that only one in three studied breaches were detected by the organisation’s own security teams or tools, while 27% of such breaches were disclosed by an attacker, and 40% were disclosed by a neutral third party such as law enforcement.
Responding organisations that discovered the breach themselves experienced nearly US$1 million less in breach costs than those disclosed by an attacker (US$5.23 million vs. US$4.3 million). Breaches disclosed by an attacker also had a lifecycle nearly 80 days longer (320 vs. 241) compared to those who identified the breach internally. The significant cost and time savings that come with early detection show that investing in these strategies can pay off in the long run.
In ASEAN and Singapore, nearly 38% of data breaches studied resulted in the loss of data across multiple environments including public cloud, private cloud, and on-prem—showing that attackers were able to compromise multiple environments while avoiding detection. Data breaches studied that impacted multiple environments also led to higher breach costs (US$3.14 million on average).
Additional findings in the 2023 IBM report include:
- Target industries – Financial services and energy companies see the highest breach costs. By far the most impacted across ASEAN, the financial sector is paying nearly US$4.81 million on average per breach, while the energy sector is paying US$3.60 million on average.
- DevSecOps advantage – At a global level, studied organisations across all industries with a high level of DevSecOps saw a global average cost of a data breach nearly US$1.7 million lower than those studied with a low level/no use of a DevSecOps approach.
- Critical infrastructure breach costs break US$5 million – Globally, critical infrastructure organisations studied experienced a 4.5% jump in the average costs of a breach compared to last year – increasing from US$4.82 million to US$5.04 million – US$590K higher than the global average.