Federal agencies face less costly data breaches because they often employ security automation and orchestration practices, according to a security expert.
IBM’s annual Cost of a Data Breach report, released July 29, found the public sector worldwide incurred average losses of $1.08 million per data breach—the lowest average cost compared to 17 other industries. The health care industry faced the steepest average loss per breach at $8.6 million, while the overall average was $3.86 million per incident.
Researchers surveyed over 500 organizations between April 2019 and April 2020. They calculated costs using factors such as how much a company spent on detecting and managing the breach as well as losses associated with business disruption and lost customers post-breach.
Wendi Whitmore, vice president of an IBM team working on incident response and threat intelligence, told Nextgov that the U.S. public sector cost is likely higher than average because the U.S. had the highest average cost of a data breach in regional comparisons. Still, she said, agencies at the federal level lead the way on one of the most important ways to reduce costs: automating and orchestrating security.
“Anything working under U.S. Cyber Command, which is much of the military, is a fantastic example,” Whitmore said. She added the military has been a leader in developing security automation best practices. Whitmore is a former computer crime investigator with the Air Force Office of Special investigations.
This year is the first time the study could observe how automated security practices affect the cost of data breaches, Whitmore said. Over the past 15 years IBM has been doing the study, these practices were too new and not widespread enough to effectively study.
“Now you see this huge, fundamental difference in organizations from a cost perspective for those who do have that ability, and those who don’t,” Whitmore said.
Challenges for government entities like the Defense Department remain higher than those faced in the corporate world, Whitmore said. However, agencies are less likely to lose customers, a main driver of costs when a data breach happens.
But maintaining continuous, automated security across such a large enterprise is still hard. Whitmore said it means there has to be continuous adaptation of security practices.
One organization that has announced it will adapt is the Defense Information Systems Agency, which in July indicated it will move to a zero trust security framework. Whitmore said the zero trust security architecture is consistent with the advice her team at IBM gives to companies regarding how to successfully defend against data breaches.
“We’re actually advocating to them to move to a model of ‘hey, we actually can’t trust anybody. I don’t want you to trust any other node in your network, I want you to operate like you’re under attack, every day,’” Whitmore said.