The 5 Most Expensive Types of Data Breaches

Plenty of challenges can make an enterprise’s pockets hurt, but few can break the bank and tarnish brand image like a major data breach. IBM’s 2021 Security Analysis found that the average total cost of a data breach increased by nearly 10%, ballooning from $3.86 million to $4.24 million in the past year alone. Cybercrime costs are projected to reach $10.5 trillion USD annually by 2025, highlighting a growing need for privacy-enhancing and security-enforcing solutions for data-intensive sectors.

In this article, you’ll learn about the five most expensive types of data breaches –– and how privacy-enhancing computation can better protect your enterprise while you leverage data to catalyze innovation. Estimated figures are the average total cost and frequency of data breaches by initial attack vector, as cited in IBM’s 2021 Cost of a Data Breach Report.

#5: Vulnerabilities in Third-Party Software – $4.33 million

Supply chain, vendor-supplied, or outsourced software can solve business problems without requiring in-house development, management, or maintenance. Although third parties may be able to improve key business processes, they aren’t under your company’s direct jurisdiction, limiting your access to critical information regarding their security policies or risk management practices.

Third-party software might leave vulnerabilities that can be exploited by hackers or malicious programs, increasing the risk that your organization fronts the cost in the event of a data breach. In 2020, IBM and The Ponemon Institute also found that “data breaches caused by a third party, extensive cloud migration, and IoT/OT environments were also associated with higher data breach costs.” If sharing data is essential for a business partnership, security must be factored into any mutual data management strategies –– otherwise, your organization might face magnified consequences for tacitly compromising shared data.

#4: Social Engineering Criminal Attacks – $4.47 million

In information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Four popular attacks that social engineers use to target their victims include:

  • Pretexting – Similar to phishing, pretexting is a method to convince victims to divulge sensitive information. Pretexting is often used to gain access to client data from banks, credit card companies, utility companies, and transportation companies.
  • Baiting – Using this tactic, cybercriminals use false promises to pique a victim’s greed or curiosity. One common method of baiting is leaving a malware-infected flash drive in an obvious location for a potential victim to find and plug into their computer.
  • Quid pro quo – This tactic involves a hacker requesting the exchange of critical data for a service, such as by impersonating your telephone service provider or banking institution.
  • Tailgating – This is a physical social engineering attack where someone seeks entry into a password-protected or restricted area, most often to steal critical information or hardware from an organization.

#3: Insider Threats – $4.61 million

Insider threats are the primary cause of over 60% of data breaches. Insiders are individuals with legitimate access to company assets or information who cause security harm to a business, whether intentionally or unintentionally. Traditional security measures implemented by organizations tend to focus on external threats, so it can be challenging to identify or even mitigate threats posed from within the organization. Types of insider threats include:

  • Malicious insiders – These individuals intentionally and maliciously abuse credentials to steal information for personal, financial, or criminal incentives. A disgruntled former employee who sells information to a competitor or sabotages internal infrastructure is an example of a malicious insider.
  • Careless insiders – Individuals who unknowingly expose an organization to outside threats are considered careless insiders. Examples of this threat include leaving a device exposed, falling victim to a scam, or clicking on a link that infects a computer or system with malware.

#2: Phishing – $4.65 million

What’s the most popular activity for social engineers who love cyber attacks? Going “phishing.” This method is so cost-intensive for organizations facing a data breach, it deserves its own category. These are the most common types of phishing attacks:

  • Deceptive phishing – With this method, cybercriminals send large-batch emails and impersonate a legitimate company. These phishing scams frequently use threats or a sense of urgency to scare users into divulging personal information, such as login or credit card details.
  • Spear phishing – This targeted phishing approach involves attacking a specific individual or organization. “Spear phishers” will personalize emails using details relevant only to the targeted party, leading the recipient to believe they have a connection or obligation to the sender.
  • Whaling – Instead of targeting any employee or an entire organization, cyber attackers using this method focus specifically on C-suite members of a company. By researching executives and fostering seemingly-legitimate relationships, attackers gain access to even more sensitive and valuable information.

#1: Business Email Compromise (BEC) – $5.01 million

Business Email Compromise, also known as BEC, exploits email systems by targeting lower-level employees at an organization who possess administrative rights. By pretending to be an employee in another department or a C-suite executive, attackers are able to request specific and sensitive information about a company or its clients. Criminals who execute BEC scams might:

  • Spoof email accounts or websites by using slight variations on legitimate email addresses, such as john.doe@acmelndustries.com instead of john.doe@acmeindustries.com. Did you spot the difference?
  • Send spear phishing emails that appear to be from a trusted sender in an attempt to access company accounts, calendars, or sensitive data.
  • Use malware to infiltrate company networks and gain undetected access to data sets, including passwords and financial account information.
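
A defensive check for the lookalike-address trick in the first bullet, as an added example that is not part of the original article: it flags sender domains that fold to, or sit within a small edit distance of, a trusted domain. The trusted-domain list, the confusable-character table, and the function names are assumptions made for illustration.

```python
# Added example: flag sender domains that imitate a trusted domain.
# Assumption: TRUSTED_DOMAINS holds the organization's own and partner
# domains (constructed here from the article's sample address).
TRUSTED_DOMAINS = {"acmeindustries.com"}

# Assumption: a small illustrative table of visually confusable forms.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w")]
CONFUSABLE_CHARS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold look-alike characters so visually similar domains compare equal."""
    d = domain.lower().rstrip(".")
    for pair, single in CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a bare address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        # Same skeleton: differs only by confusable characters (l vs i).
        if skeleton(domain) == skeleton(trusted):
            return f"lookalike:{trusted}"
        # Near miss: an added hyphen, a dropped or swapped letter.
        if edit_distance(domain, trusted) <= max_distance:
            return f"lookalike:{trusted}"
    return "unknown"
```

The check compares ASCII domains only; internationalized (punycode) domains and spoofed display names need separate handling.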

How can you protect your organization and unlock the intellectual property value of your data?

Data is likely the most valuable asset to your organization. From network files with critical client information to private information gathered from years of groundbreaking research, every byte of data is foundational to business growth and operations. If you and cyber attackers both know this, what are actionable steps you can take to protect your data and unlock its intellectual property value?

  1. Prioritize security at every level of your company’s operations
    The first step to managing confidential information is discussing and implementing key security measures. You can reduce the risk of a data breach by making conscious decisions about what information is collected, where it’s stored, how long you’ll keep it, and who else can access it. This includes providing comprehensive and updated training for employees at all levels and in all departments of your organization, even if they never directly interact with sensitive data.
  2. Consider implementing zero-trust architecture for all network activity
    This security framework requires that all users be authorized, authenticated, and continuously validated before gaining access to sensitive data. In previous cases of data breaches, companies that implemented zero-trust architecture paid an average of $1.76 million less than those without zero-trust strategies.
  3. Test for common vulnerabilities to guard against attacks
    From brute-forcing passwords to strategically bypassing authentication screens, cyberattackers have tech-savvy tools up their sleeves. Improve security by beating hackers to the punch and conducting a robust vulnerability assessment.
  4. Use data collaboration tools without transmitting raw data
    If you’re looking to collaborate with another organization around sensitive information, privacy and security risks are likely top of mind. When considering what technical standards to follow, experts have developed comprehensive solutions that can apply to a variety of use cases for your organization. Privacy-enhancing technologies such as homomorphic encryption, differential privacy, and federated learning are all tools that can accelerate responsible innovation –– without compromising security.

TripleBlind enables organizations to pursue ambitious data projects and prevent the risks of a costly data breach. By building on well-understood principles such as federated learning, secure multi-party computation, and more, we radically improve the practical use of privacy-enhancing technologies. Unlike most third-party solutions, TripleBlind’s software is fully containerized on the end users’ infrastructure, minimizing the attack surface for most threats. With over two dozen documented use cases for mission-critical business problems, we’re ready to help you scale up data usage –– instead of cutting it back. 

Check out our whitepaper or schedule a demo with us. We’d love to explore how privacy-enhancing computation can help your business!