Poor Cyber Hygiene Can Cost Organizations an Average of $677 Million
It’s been a turbulent year for cybersecurity leaders when it comes to risk management. Rising geopolitical tensions and ransomware activity that keeps growing in volume and scale have put everyone on high alert.
In 2024, we witnessed all industries fall victim to large-scale security breaches – from healthcare and financial services to the public sector and communications services. As we head into a new year of escalating, malicious cyber activity, the costly long-term fallout of security breaches will start to impact many on an even larger scale.
ExtraHop’s second annual ‘The True Cost of a Security Breach Report’ examined the short- and long-term financial impacts of high-profile security breaches on publicly traded companies in 2023 and 2024. The findings showed that misconfigurations, compromised credentials and phishing attacks were critical elements of every major security breach examined in the report.
Because insider threats and poor cyber hygiene are among the most common ways attackers get in, prioritizing security controls that can keep pace with modern threats is fundamental for all organizations moving forward.
The Hidden Costs of a Security Breach
Conventional research indicated that in 2023 the average security breach cost around $9 million. ExtraHop’s report, which looked at high-profile breaches catalyzed by poor security hygiene, found that the long-term costs of those breaches averaged $677 million.
Aside from any ransom payments, security incidents often result in many direct costs for the organizations. These costs range from hiring third-party digital forensics and incident response (DFIR) firms, to remediations and investments in new protections. Additionally, lost revenue, regulatory fines, legal fees and higher insurance premiums significantly impact corporate earnings. While other business factors may have also contributed to companies’ financial performance following an attack, these breaches directly impacted performance.
We often don’t account for the indirect costs of a security breach. These include the repercussions for shareholders, such as decreased earnings, reduced market capitalization and eroded investor confidence. Stock performance is also likely to take the brunt: in the breaches examined, organizations’ stock prices dropped an average of 7% one month after reporting a breach. It’s also important to recognize the impact on customers, such as the loss of personal information and service disruptions. More often than not, a security breach causes a loss of trust and brand value that can snowball into a loss of market share and competitiveness for the targeted company.
Poor Cyber Hygiene: A Recipe for High-Impact Breaches
The three most significant security breaches examined in the report share one commonality: stolen credentials. Credentials are often compromised through inadequate cyber hygiene, such as poorly trained employees, missing protections like MFA, unencrypted data, unsecured servers and unpatched vulnerabilities. In all three cases, threat actors relied on credentials to access company systems, ultimately impacting millions of people and costing billions of dollars. This should signal to leaders that cyber risk is a business risk, and that investment in cyber defense should be a primary concern in 2025.
Additional research from ExtraHop found that half of IT and security leaders reported more than half of their security incidents were related to poor cyber hygiene. In a threat landscape plagued with increasingly sophisticated tactics, many organizations aren’t paying enough attention to the hygiene-related vulnerabilities that put them at risk. Concurrently, organizations are experiencing more ransomware attacks than reported in recent years, with 58% experiencing six or more attacks in the past year – moreover, 91% paid at least one ransom. It’s essential to understand how attackers use poor cyber hygiene to carry out these attacks, and what organizations need to remain resilient.
A threat actor’s first objective is getting inside the network, and this is achievable through methods organizations easily overlook, such as stealing credentials. Threat actors can buy credentials on the dark web or coerce users into sharing them through social engineering and phishing emails. Third-party exposure is another critical risk, as many organizations don’t have visibility into how partners use sensitive company data or protect credentials. Moreover, far too many employees need more training on everyday risks: identifying phishing emails, using and securing strong passwords, and avoiding unsecured networks and unauthorized software.
There are also far too many leaders who don’t view cybersecurity risks as core business risks, and they are making common mistakes that invite repeated cyberattacks. Whether the gap is in training, C-suite planning, visibility tooling, or keeping up with patching so that known vulnerabilities are closed before they are exploited at scale, establishing strong cyber hygiene is essential for all businesses moving forward.
Taking Steps Towards Better Cyber Hygiene
Going into 2025, cybersecurity planning should be at the forefront of all business priorities. However, effective planning also requires a mindset shift across the entire organization. Adopting a zero-trust mindset from the C-suite down is key to ensuring organizational-wide alignment and protecting all employees, devices, data and the network.
The first step is investing in the right solutions, but no security solution is one-size-fits-all. Prioritizing solutions that address the organization’s actual exposure, such as network monitoring, visibility and response, will yield the greatest ROI and level of protection. Alongside core solutions like network monitoring, organizations should invest in multifactor authentication (MFA), virtual private networks (VPNs) and secure password management. Given that phishing and compromised credentials featured in every breach the report examined, MFA should be phishing-resistant (for example, FIDO2/WebAuthn hardware or platform authenticators) wherever possible, since one-time codes can be relayed by the same phishing pages that harvest passwords.
Once leaders invest in solutions, they should take a complete inventory of all assets, users, devices, data flows and processes. Establishing a baseline of normal behavior makes deviations visible and helps ensure processes operate as intended. Part of this process is continuously authenticating, assessing and monitoring activity patterns to govern access and privileges. Leaders should also always have a handle on the health and status of devices to inform risk decisions, and should inspect, assess and patch devices as close to real time as possible.
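To make the "baseline of normal behavior" step concrete, and to show how the stolen-credential pattern discussed above surfaces against such a baseline, here is an added example that is not part of ExtraHop’s report or tooling. It builds a per-user baseline (known devices and known source networks) from a training window of constructed login records, then scores later records for deviations: a device never seen before, a source network never seen before, access outside working hours, or a user with no baseline at all. The log format, the 07:00 to 19:00 working-hours window, the /24 grouping of source addresses and all addresses and usernames are assumptions made for the example.

```python
"""Baseline-and-deviation check over constructed login records.

Added example, not from any vendor report: learn what 'normal' looks like
per user from a training window, then flag later logins that deviate.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records (not from a real system).
# Fields: timestamp, user, source IP, device ID, outcome.
BASELINE_LOG = """\
2024-11-04T08:12:03 alice 10.20.1.15 LT-ALICE-01 success
2024-11-04T17:40:11 alice 10.20.1.15 LT-ALICE-01 success
2024-11-05T09:03:47 alice 10.20.1.22 LT-ALICE-01 success
2024-11-04T07:55:30 bob 10.30.4.8 WS-BOB-07 success
2024-11-05T16:20:09 bob 10.30.4.8 WS-BOB-07 success
2024-11-06T12:01:44 bob 203.0.113.77 WS-BOB-07 failure
"""

# Later window to be scored against the baseline (also constructed).
NEW_LOG = """\
2024-11-07T08:30:00 alice 10.20.1.15 LT-ALICE-01 success
2024-11-07T02:14:51 alice 198.51.100.23 UNKNOWN-DEVICE success
2024-11-07T10:05:12 bob 10.30.4.8 WS-BOB-07 success
2024-11-07T11:45:00 carol 10.40.2.3 LT-CAROL-02 success
"""

# Assumed working-hours window: 07:00 inclusive to 19:00 exclusive.
WORK_HOURS = (7, 19)


def parse(log):
    """Turn the whitespace-separated log text into a list of dicts."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, device, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "ip": ip_address(ip), "device": device,
                        "outcome": outcome})
    return records


def build_baseline(records):
    """Per-user set of known devices and known /24 source networks.

    Only successful logins teach the baseline: a failed attempt from an
    unfamiliar address (bob from 203.0.113.77) must not become 'normal'.
    """
    baseline = defaultdict(lambda: {"devices": set(), "nets": set()})
    for r in records:
        if r["outcome"] != "success":
            continue
        b = baseline[r["user"]]
        b["devices"].add(r["device"])
        b["nets"].add(ip_network(f"{r['ip']}/24", strict=False))
    return dict(baseline)


def score(record, baseline, work_hours=WORK_HOURS):
    """Return the list of deviations for one record (empty means normal)."""
    b = baseline.get(record["user"])
    if b is None:
        return ["user_not_in_baseline"]
    findings = []
    if record["device"] not in b["devices"]:
        findings.append("new_device")
    if not any(record["ip"] in net for net in b["nets"]):
        findings.append("new_source_network")
    start, end = work_hours
    if not (start <= record["ts"].hour < end):
        findings.append("off_hours")
    return findings


def detect(baseline_log, new_log):
    """Score every record in new_log; return (user, ip, findings) for deviations."""
    baseline = build_baseline(parse(baseline_log))
    results = []
    for r in parse(new_log):
        findings = score(r, baseline)
        if findings:
            results.append((r["user"], str(r["ip"]), findings))
    return results


if __name__ == "__main__":
    for user, ip, findings in detect(BASELINE_LOG, NEW_LOG):
        print(f"{user:6} {ip:16} {', '.join(findings)}")
```

Two records stand out: alice’s 02:14 login from an unknown device on an unknown network combines all three deviations, which is exactly what a stolen credential looks like when the legitimate user’s habits are known, and carol has no baseline at all, which is the inventory gap the text warns about. In practice the baseline would be refreshed on a rolling window and the findings fed to whatever alerting or step-up authentication the organization already runs.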
It’s also important to look beyond the technical infrastructure. First, it’s essential to improve security hygiene among employees. Making sure they know how to recognize a potential attack and promptly flag it to the security team may seem a small thing; however, one mistake can result in a catastrophic breach. Training should be required on hiring and repeated regularly throughout the year, for example quarterly or biannually, and should include interactive scenario exercises.
Finally, look at the security of third-party vendors. Confirming that partners have appropriate controls in place should be the first step, along with understanding the types of company or customer data they handle. Doing so helps leaders gauge the potential impact should a partner suffer an attack.
Cyber Risk is a Business Risk
Cyber risk management is a maturing discipline, and organizations are increasingly looking inward to ensure they have the tools and processes to help manage and mitigate threats. Cybersecurity is never “done,” and strategies for improving cyber hygiene require routine adjustments.
Modifying policies over time is vital as security teams examine what works best for their unique needs. Most importantly, making cybersecurity a core focus across the C-suite and board helps verify that plans are successful and everyone at the company is aligned. As we learned from 2024’s most significant security breaches, all companies are at risk of significant financial implications following an attack. To avoid substantial direct and indirect costs associated with a security breach, leaders should go back to basics to promote better cyber hygiene and protect themselves from the inevitable.