Data breaches of critical national infrastructure (CNI) cost on average $1m more than those hitting other organisations, a new report says. Deploying a zero trust environment is one way to mitigate these heavy losses, according to the 2022 Cost of a Data Breach research from IBM and the Ponemon Institute.
Released today, the report shows that the overall average cost of a data breach globally in 2022 was $4.35m, up 2.6% year-on-year. For CNI organisations, this rises to $4.82m, 22.9% more expensive than the average cost for other businesses polled by researchers ($3.83m).
The IBM survey spoke to 550 organisations around the world which suffered a data breach between March 2021 and March 2022.
Cost of a data breach 2022: critical infrastructure attacks are
Critical national infrastructure, such as power plants and other utilities, is an increasingly popular target for hackers because of the destruction that can be caused. In April the Five Eyes security alliance, which includes the UK and the US, issued a warning that CNI could become a target for Russian hackers, while a hacking gang also recently claimed responsibility for a fire at an Israeli power plant, though experts believe these claims are dubious.
The increased cost comes despite the fact that CNI organisations usually detect breaches of their systems more quickly than average, the report says. It shows the mean time to identify a breach in critical infrastructure industries was 204 days, compared to 211 days for other industries. CNI organisations also fix problems slightly more quickly, with the average time to remediate a breach being 69 days, compared to 71 days for other industries.
This proficiency in detecting a breach may be due to the heavy consequences of shutting down the systems. “If a utility company gets compromised, they have the potential to shut down all businesses connected to electrical distribution, which then could cause millions of dollars of loss per second,” says Paul Smith, field CTO of OT security company SCADAfence.
CNI organisations that implemented a zero trust approach to security were able to reduce the cost of a data breach, the report notes. Those with a zero trust set-up incurred average costs of $4.23m per breach, compared to $5.4m for those that selected a different security set-up.
But despite this, zero trust remains an uncommon strategy among CNI organisations, with only 21% deploying zero trust security environments, less than half the global average.