Stop Increasing the Costs of Cyber Breaches, says MyCena
- 25.07.2022 10:45 am
The cost of data breaches globally is growing, with the average cost of a data breach in 2021 totalling a staggering $4.24 million, according to the latest IBM report - a 10% increase from the previous year and the largest single-year cost increase in the last seven years. Data leaks also likely accounted for a majority of breaches with the most common attack vector being compromised credentials.
Healthcare organisations experienced the highest average cost of data breaches for the eleventh year in a row, seeing a 29.5% increase from $7.13 million to $9.23 million between 2020 and 2021.
Overall, ransomware attacks were the costliest type of breach, averaging $4.62 million. These costs are only expected to increase; after reaching $20 billion in 2021, the total cost of damages globally is expected to reach $265 billion in 2031.
Verizon recently reported a similar increase of 13%, labelling the jump to be “alarming” and larger than the past five years combined. Both reports agree that this issue is only getting exponentially worse – real change is needed before it is too late.
Julia O’Toole, Founder and CEO of MyCena Security Solutions, argues that without rethinking how businesses approach cybersecurity, these costs and consequences will continue to mount for years to come.
“As cybercriminals continue to perfect their tactics to minimise costs for maximum impact, the scale and cost of ransomware will keep increasing. With the proliferation of services such as ransomware-as-a-service, phishing-as-a-service, malware-as-a-service and initial access brokerage, little technical knowledge is needed today to exploit persisting vulnerabilities in companies’ cybersecurity. Over 80% of breaches involve human errors over credentials, according to the last 15 years of Verizon Data Breach Investigation Report. So long as those access vulnerabilities remain, criminals will keep on gaining unimpeded access to networks.”
“In business, nothing beats good information. Following best practice, criminals like to look for a company’s cyber-insurance policy coverage after the initial breach so they can quote the ransom amount to be paid that can be claimed back from their insurers. To find this information at scale, criminals have also breached into insurance and reinsurance companies directly, so they can use their database as a ‘ransomware shopping list’.
“But for organisations, the cost of a cyber breach doesn’t stop with paying ransom fees. When you factor in the cost of lawsuits, including class actions after supply chain attacks, reputation damages and even bankruptcies, the financial consequences can be a lot higher. Earlier this year, we saw healthcare technology company CaptureRx pay an additional $4.75 million to settle 10 lawsuits claiming they didn’t do enough to protect more than 2.4 million patients’ data from being stolen in a data breach. Marriott’s third data breach in four years saw many lifelong patrons of the brand swear off using the company entirely. In August 2020, Travelex fell into administration after a ransomware breach at the beginning of that year.”
O’Toole believes that businesses need to reassess their cyber security strategies so they can start addressing their biggest vulnerabilities effectively. “Instead of strengthening their biggest vulnerability, which is access security, businesses have focused on improving user access convenience by diminishing password use. Focusing on the wrong problem has led organisations down the path of single access (Single Sign On, Identity Access Management, Privileged Access Management), which is removing all obstacles after you pass the first door. Its large adoption may explain why from 2019 to 2021, the average time from the first breach to ransomware was reduced from more than 2 months to 3.85 days, as all criminals need is one phished password to win it all fast.”
“For small and large businesses, fixing access security, especially removing human errors surrounding credentials, should be a priority. But despite 82% of breaches starting with login credentials, cybersecurity investments so far have focused on the other 18%, which are infrastructure and system flaws – of which only 29% are detected. That means cybersecurity spends have, historically, not addressed 95% of the risks, which explains why companies are being breached again and again.”
“Organisations have to take the bull by the horns”, says O’Toole. “Detection, backup, remediation, training and recovery are important but can only take you this far when your digital access security, the foundation of your cybersecurity, is completely open for exploit. Organisations also don’t realise that when employees create, own, know and can share in any phishing event the digital keys to companies’ and customers’ data, they have in fact designed a process in breach of data privacy laws. Because companies that do not have custody, possession and control of their digital keys, simply cannot have custody, possession and control of their data either, since they are accessible from those keys.”
“To stop increasing the costs of cyber breaches and avoid future data privacy breach penalties, companies need to move away from access management systems where users create and know their passwords and where a single access such as identity or master key is used to open all the doors. Passwords are just digital keys which no one ever needs to know. Just as no one cuts their keys before opening a door. To properly secure all their doors, companies should rather adopt an encrypted access management system where passwords stay encrypted from end to end – throughout creation, distribution, storage, and use to expiry. Contrary to non-encrypted and single access solutions, users don’t know any passwords, therefore they cannot be leaked to criminals by accident which protects companies from credential-based human errors.”
“By having as many passwords as there are systems, companies isolate each entry by default, which creates barriers for criminals and prevents a single breach on one system from spreading to other systems. Without changing their infrastructure, companies can therefore both increase their cyber resilience and reduce the risk, size, impact and cost of a cyberattack.”
“For all sectors, encrypting access is the most effective way to fend off credential attacks while isolating each access is the best way to prevent lateral movement and privilege escalation. Combined, they offer the tremendous advantage of eliminating the biggest unknown in cybersecurity: how did criminals find a key to infiltrate and take down their house. By retaking custody, possession and control of their digital keys, organisations can also demonstrate to customers and authorities that they are fully in charge of their data.”
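The isolation argument in the quotes above, that one random secret per system limits what a single phished credential can open, can be made concrete with a small model. The following is an added illustration, not code from MyCena or from this article: it assumes an in-memory vault that issues a distinct random secret for each system (the system names are constructed sample data), and it measures the "blast radius" of a leaked secret under the per-system policy and under password reuse.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample: systems a small company's staff log in to (not from the article).
SYSTEMS = ["email", "crm", "vpn", "payroll", "ci-server"]


def issue_unique_credentials(systems):
    """Issue one independent random secret per system.

    The secret is generated by the vault, never typed or chosen by a user,
    so there is nothing for a person to remember, reuse or hand over in a
    phishing event. This models the 'as many passwords as there are
    systems' policy described in the article."""
    return {system: secrets.token_urlsafe(24) for system in systems}


def reuse_groups(vault):
    """Return groups of systems that share the same secret.

    Under the per-system policy this is empty; under human password
    reuse it exposes exactly which systems fall together."""
    by_secret = defaultdict(list)
    for system, secret in vault.items():
        by_secret[secret].append(system)
    return [sorted(group) for group in by_secret.values() if len(group) > 1]


def blast_radius(vault, leaked_secret):
    """Systems that a single leaked secret would open.

    A credential that is unique to one system yields a radius of one;
    a reused credential yields every system sharing it, which is the
    lateral-movement path the article warns about."""
    return sorted(
        system for system, secret in vault.items()
        if hmac.compare_digest(secret, leaked_secret)  # constant-time compare
    )


def verify_login(vault, system, presented_secret):
    """Check a presented secret against one system only.

    The comparison is scoped to a single system so a secret valid
    elsewhere is never accepted here, even if it were reused."""
    expected = vault.get(system)
    return expected is not None and hmac.compare_digest(expected, presented_secret)


if __name__ == "__main__":
    isolated = issue_unique_credentials(SYSTEMS)
    leaked = isolated["email"]
    print("per-system policy, leaked email secret opens:", blast_radius(isolated, leaked))

    # Constructed reuse scenario: one human-chosen password on every system.
    reused = {system: "Summer2022!" for system in SYSTEMS}
    print("reuse policy, leaked password opens:", blast_radius(reused, "Summer2022!"))
    print("reuse groups:", reuse_groups(reused))
```

The usage at the bottom contrasts the two policies: with unique secrets the leaked email credential opens the email system and nothing else, while the reused password opens all five. `reuse_groups` is the check a defender can run over a credential inventory to find where isolation is missing.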