Latest data breach costs make chilling reading
30 Oct 2023
The cost of data breaches has reached an all-time high, according to hard-hitting research. But don’t look away now – because the solutions available to contact centers have kept pace too.
If you’re a CEO, CFO, IT director, contact center manager or a leader in CX, IT or security, then the Cost of a Data Breach Report 2023 is essential reading.
Based on independent research by the Ponemon Institute, this IBM study digs into the circumstances and impact surrounding 553 breaches in 16 countries. It’s a gripping insight into the targeting, tactics, and consequences of data being lost or stolen from organizations in multiple sectors.
We’ve taken a closer look and picked out key points of special relevance to contact centers, adding analysis from our team at Eckoh.
Despite major advances in security on multiple fronts, the report reveals that the average cost of a data breach hit an all-time high of $4.45 million in 2023, up 15.3% on 2020. But breaches cost more than double in the US, reaching an astonishing $9.48 million on average.
Often, it’s the “mega breaches” that steal the headlines. The study featured 20 organizations that suffered the loss or theft of between 1 million and 60 million records. And it’s here where the costs can become mind-boggling. At the top end of this range, a mega breach can cost $332 million.
But data breaches aren’t simply an issue for Fortune 500 companies and major brands.
It’s chilling to discover that smaller organizations saw their costs snowball. For example, those with 1,001–5,000 employees were typically left $4.87 million out of pocket from a breach – up almost 20% on last year. For those companies with fewer than 500 staff, the cost of a breach crept up to an average of $3.31 million.
Commenting on this, Shane Lewis, Group Head of Information Security at Eckoh, said: “The report shows that data breaches are a growing threat for everyone. The impact on small and mid-sized operations is particularly worrying – and a data breach might even threaten their survival. Typically, these businesses won’t have large IT security teams, so finding a trusted partner to mitigate risk is critical. But even the largest enterprises should keep their security strategy under constant review and consider how much they want to keep in-house.”
Researchers discovered that phishing and stolen or compromised credentials were the most prevalent initial attack vectors. Criminals also got a foothold through cloud misconfigurations, business email compromises, and unpatched vulnerabilities. It’s significant that 82% of breaches involved data stored in the cloud, including public, private, and multiple environments.
Armed with access points, the criminals then pushed on. Ransomware tactics and destructive attacks – which left systems inoperable – accounted for around one-quarter of breaches each.
Reacting to these findings, Shane Lewis added: “This report demonstrates that security must be 100% watertight everywhere because any gap or human slip-up might be exploited. The report also found that attacks initiated by malicious insiders were the costliest of all, amounting to $4.9 million on average. This illustrates the point that security protocols are extremely hard to enforce. Sensitive data – such as payment card details – need to be kept beyond the reach of contact center agents and other employees, so the risk of a breach is removed entirely.”
Customer personally identifiable information (PII) was the most common target and proved the costliest. In fact, the report states that 52% of all breaches involved some form of customer PII, up 5% on last year. Employee data was close behind.
Researchers found that customer PII, such as names and social security numbers, cost organizations $183 per record on average when compromised.
Commenting on this issue, Dave Holliday, Global IT Director at Eckoh, said: “Personal information – which includes payment card details – is the biggest prize for criminals. Stolen PII records are the costliest for organizations too. Put simply, this kind of sensitive data must be a security priority.
“The good news is that all manner of PII, from health data to bank details, can be verified by the latest technology during interactions – and yet be completely kept out of the contact center environment. There’s nothing that can be seen, heard, or accessed by rogue employees or outside attackers. Eckoh has been at the forefront of this technology.”
Researchers found that organizations with a high level of non-compliance with regulations experienced costs that averaged $5.05 million following a breach – 12.6% higher than for others.
According to the report, 31% of organizations were fined because of a data breach, with 20% of them paying penalties of more than $250,000.
“The report shows that non-compliance with industry standards comes with a hefty price of its own – in addition to the business and reputational costs of a breach,” adds Dave Holliday. “This will focus minds on the PCI DSS 4.0 security standard currently being adopted by contact centers for card payments. But organizations must remember that compliance will only take them so far – it doesn’t guarantee protection so long as sensitive data remains in their environment in one shape or form.”
The report found that business costs included disruption and reduced revenue from system downtime, lost customers, and damage to reputation and goodwill.
Detection and escalation costs rose by almost 10% as companies dealt with issues such as investigations, crisis management, and communications. Perhaps surprisingly, 57% of respondents said they were passing on costs to customers by increasing prices.
“Asking customers to pick up the tab doesn’t sound like a wise move for brands looking to build loyalty after a breach,” says Dave Holliday. “Much better to embed your security at the outset – and avoid a damaging breach completely – rather than deal with bad publicity from an attack and then pass on costs to customers, which could seem like adding insult to injury.”
Just over half of organizations plan to step up their spending on security after a breach. Incident response planning and testing, employee training, and threat detection were among the top priorities, according to the report.
But does adding extra security really work? Researchers also came across one fact that seems counter-intuitive. Organizations with high levels of security system complexity experienced breaches that cost far more than average.
“It’s clear from these findings that adding layers of security can create a complexity of its own for enterprises – with all the associated costs,” says Nik Philpot, CEO at Eckoh. “Organizations could find themselves distracted from their day-to-day business and true innovation. Instead, increasing amounts of IT budget can get devoted to shoring defenses around valuable data.”
But there is an alternative security strategy, as Nik explains: “Increasingly, forward-thinking enterprises are using trusted partners to handle sensitive data, such as payment card details, on their behalf. None of it is stored or processed in their contact center environment, whether that’s on-premise or in the cloud. As a result, even if organizations experience a breach, the most sensitive data isn’t present for anyone to steal.
“Although this IBM report raises significant concerns, partnering with data security experts is the way to go for contact centers. It’s important to find a partner that understands the shifting landscape, the evolving risks, and how to protect your enterprise.”
Eckoh is the global leader in secure customer engagement. Our secure engagement solutions have kept pace with the latest threats. We’ll take you beyond PCI DSS security – without hefty costs and complexity.
Find out what makes us different – and how we exceed compliance requirements and enable robust security around sensitive data.