The cost of data breach in Australia
Data security, like many services provided by IT departments, tends to be viewed as a cost by management.
IT does not contribute to the income of an organisation and is therefore seen as an expense to be reduced during budget planning.
Yet businesses that disregard the vital role of data security do so at their peril, given that a single breach can have a catastrophic impact, not only in economic terms but also in the wider costs that accompany loss of reputation, client confidence and sensitive commercial information.
Each year, the Ponemon Institute conducts a study into the cost of data breach in Australia.
While the 2017 results showed a pleasing 5% downward trend in the total cost of data breach, the average total cost to affected Australian companies was still a hefty $2.51 million each. These figures and the other findings of the report should motivate business leaders to reconsider IT costs, and data security in particular, as an investment rather than an expense.
This year saw 25 companies participate in what was the eighth annual benchmark study on the cost of data breach incidents for Australian organisations. It found that the average per capita cost of data breach declined from $142 to $139.
The impacts of data breach
The report found that several components needed to be considered by companies when calculating the potential cost of data breach.
It stated that considering these six factors would enable organisations to make better decisions when allocating resources to minimise the financial impact of an inevitable data breach.
- Unexpected and unplanned loss of customers following a data breach (churn rate)
Organisations that had initiatives in place to improve customers’ trust in how their personal information was safeguarded reduced churn and the cost of the breach.
- Size of the breach or the number of records lost or stolen
Data classification schemes and retention programs were found to be critical to having visibility into the sensitive and confidential information that was vulnerable to a breach and reducing the volume of such information being stolen.
- Time taken to identify and contain a data breach
The days taken to identify data breaches reduced from an average of 201 in 2016 to 191. The average days taken to contain a breach also reduced from 70 to 66.
- Detection and escalation of the data breach incident
Investing in governance, risk management and compliance programs was found to improve organisations’ ability to detect and escalate a data breach.
- Post data breach costs, including the cost to notify victims
Cyber and data breach insurance, as well as business continuity management, was found to reduce the cost of a data breach, while the rush to notify victims without understanding the scope of the breach, compliance failures and the engagement of consultants increased post data breach costs.
- Attack by a malicious insider or criminal was costlier than human factors (system glitches and negligence)
Almost half of the organisations surveyed identified malicious or criminal attack as the root cause of their data breaches, at an average per capita cost of approximately $156. In contrast, system glitches and human error or negligence averaged approximately $128 and $126, respectively. Factors that may decrease the cost are participation in threat sharing, use of security analytics and the recruitment and retention of knowledgeable personnel.
16 lessons for Australian business
The 2017 Cost of Data Breach report had positive findings on the level of data breach attacks and their cost to Australian business, and pinpointed the areas at greatest potential risk of attack.
- The per capita cost of data breach continued to decline, from an average of $142 in 2016 to $139 in 2017.
- The average total organisational cost of data breach declined from $2.64 million in 2016 to $2.51 million.
- Smaller breaches and the ability to retain customers drove the decline in cost: per capita cost fell by 2.1% and average total cost fell by 5%.
- Financial services, services and technology companies had higher data breach costs ($139) compared to public sector, transportation and retail organisations.
- Malicious or criminal attacks were the primary root cause of data breaches (48%), with 28% due to a negligent employee or contractor and 24% due to system glitches.
- Malicious or criminal attacks are the costliest ($154) compared to system glitches ($130) and employee or contractor negligence ($121).
- Four new cost factors were added to this year’s cost analysis: compliance failures (increased per capita cost by $8.7); extensive use of mobile platforms (increased per capita cost by $10); CPO appointment (decreased data breach cost by $1); and the use of security analytics (decreased data breach cost by $7.6).
- The more records lost, the higher the cost of data breach. The average cost ranged from $0.89 million for data breaches involving less than 10,000 records to $6.65 million for incidents with more than 50,000 compromised records.
- The more churn, the higher the per capita cost of data breach. A churn rate of less than 1% had a $1.54 million average cost of data breach compared to those with a churn rate greater than 4% ($5.52 million).
- Certain industries were more vulnerable to churn. Financial services, services and technology companies experienced high abnormal churn, while public sector, hospitality and retail companies experienced low abnormal churn.
- Detection and escalation costs increased, from $1.10 million in 2016 to $1.19 million.
- Notification costs were slightly lower this year from $0.06 million in 2016 to $0.05 million in 2017.
- Post data breach costs decreased from $0.64 million in 2016 to $0.61 million.
- Lost business costs decreased from $0.84 million in 2016 to $0.79 million.
- Direct and indirect costs decreased: Direct from $62 in 2016 to $60 in 2017 and indirect from $80 to $79.
- The time to identify and contain data breaches affected the cost. Breaches took an average of 175 days to detect and 67 days to contain. Where the mean time to identify was less than 100 days, the average cost was $1.96 million, compared to $3.05 million where it exceeded 100 days. Where the mean time to contain was less than 30 days, the average cost was $2.24 million, compared to $2.78 million where it exceeded 30 days.
At a glance – The cost of data breach in Australia
The key findings of the 2017 data breach report were:
- The cost of data breach continued to decline
- The root causes of data breach were malicious and criminal attack
- Factors that influenced the costs of data breach were:
i) compliance failures, extensive use of mobile platforms
ii) CPO appointment
iii) use of security analytics
iv) the number of records lost
v) type of industry.
- Trends in the cost components of data breach saw notification, post data breach, lost business, direct and indirect costs decrease.
- The time to identify and contain data breaches affected the cost
Trends to reduce the risks
Trends in practices to reduce the risks and consequences of data breach were:
i) training and awareness programs
ii) security intelligence solutions
iii) endpoint security solutions
iv) additional manual procedures and controls
v) identity and access management solutions
vi) security certification or audit
vii) data loss prevention solutions
viii) other system control practices
ix) strengthening of perimeter controls.
Examining the Cost of a Data Breach with Security Data Breach Calculator
How to prevent a data breach?
The CloudRecover Team offers a free 30-minute consultation to analyse your current infrastructure and provide professional advice on your data protection.