The costs of data breaches in ASEAN countries have reached a record high of US$3.05 million per incident in the 12 months leading up to March 2023, according to an IBM report released yesterday.
In this region, the financial and energy sectors were the hardest hit. Financial services paid an average of nearly US$4.81 million per breach, while the energy sector paid US$3.60 million on average.
Detection and escalation costs were the highest portion of breach costs, which grew 15 per cent from 2022, signalling a move to more complex breach investigations. Other costs of dealing with a breach include notification, post-breach response, and lost business.
In addition, 95 per cent of organisations in the global study experienced more than one breach, with 57 per cent of breached organisations responding by passing on incident costs to consumers, and 51 per cent increasing security investments.
The IBM Data Breach Report is based on responses from 553 organisations globally between March 2022 and March 2023. The ASEAN region includes companies located in Singapore, Indonesia, the Philippines, Malaysia, Thailand and Vietnam.
AI and automation have the biggest impact on improving the speed of identifying and containing breaches, said IBM.
In Singapore, the breach lifecycle for organisations that used AI and automation was 99 days shorter, with nearly US$1.25 million lower data breach costs than those that did not use these technologies.
“In 2023, the industry is reaching a tipping point in the maturity curve for AI in security operations where enterprise-grade AI capabilities can be trusted and automatically acted upon via orchestrated response,” said Chris Hockings, chief technology officer of IBM Security for Asia Pacific.
The IBM report also found that organisations still have misconceptions about ransomware. Of respondents who were ransomware victims, 37 per cent preferred not to involve law enforcement, and nearly half of them paid the ransom.
Paying the ransom and avoiding law enforcement may drive up incident costs and slow the response. In contrast, the report found that involving law enforcement saved ransomware victims US$470,000 in breach costs.
Another notable finding was that organisations’ own security teams uncovered only one-third of breaches. Instead, 27 per cent of such breaches were disclosed by an attacker, and 40 per cent were disclosed by a neutral third party, such as law enforcement.
In particular, breaches disclosed by the attacker cost nearly US$1 million more on average than those that organisations’ security teams identified.
Organisations need to be mindful of protecting their environments on multiple fronts. Nearly 38 per cent of breaches in ASEAN occurred across multiple environments including public cloud, private cloud, and on-prem. Such breaches also resulted in higher breach costs, averaging US$3.14 million.
An advantage that organisations can have against attackers is a higher level of DevSecOps, a development practice in which security considerations are taken into account at every stage of the software development lifecycle.
Organisations that took a more DevSecOps approach had a global average cost of a data breach nearly US$1.7 million lower than those with low-level or no use of a DevSecOps approach.