SA firms lose R28.6m to data breaches

By Admire Moyo, ITWeb's news editor.
Johannesburg, 27 Jul 2016
South African companies experience a higher cost to lost business per breach than the global average.

The average cost of data breach in SA is R1 548, with a total organisational cost of R28.6 million.

This is according to a study released yesterday by IBM and the Ponemon Institute. The study included a first-time benchmark study on the cost of data breach incidents specifically for companies in SA.

The Ponemon Institute conducted its first cost of data breach study in the US 11 years ago. This year's study examines the costs incurred by 19 South African organisations from nine different industry sectors following the loss or theft of protected personal data and the notification of breach victims as required by various laws.

SA is still to announce a commencement date for the Protection of Personal Information Act, almost three years after it was signed into law. The Act has stringent provisions around how consumers' data must be protected, accessed and stored.

Under the new law, companies face a fine of up to R10 million - or a decade in jail - if they breach its provisions, and could also encounter civil class-action lawsuits. However, the most damaging penalty will be reputational damage, because organisations will have to inform people if their data has been breached.

Actual incidents

IBM says it is important to note the costs presented in its research are not hypothetical but are from actual data loss incidents. The costs are based upon estimates provided by the individuals interviewed over a 10-month period in the companies represented in this research.

Lost business is the biggest component of per capita and total organisational cost. According to the benchmark findings, data breaches cost the companies represented in this study an average of R1 548 per compromised record.

The highest component pertains to lost business at R552 followed by detection and escalation costs at R540. Detection and escalation costs typically include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and boards of directors.

The total organisational average cost of data breach for the 19 companies represented in this research was R28.6 million. The largest cost component was lost business at an average of R10.55 million. The smallest cost component was notification at R560 000 on average.

IBM says globally, cyber security incidents continue to grow in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014. As these threats grow in number and complexity, it notes, the cost to companies continues to rise. In fact, the study found companies lose $158 per compromised record.

According to the latest edition of the Global Information Technology Report's Networked Readiness Index published by the World Economic Forum, SA has performed well, jumping 10 places to 65th position overall worldwide.

"While this is fantastic news in terms of the strides the country is making with technology adoption, increased technology use can also increase the risk of data breaches," says Kevin McKerr, security sales leader at IBM SA.

According to IBM, South African companies by comparison experience a higher cost to lost business per breach than the global average. With the average number of breached records at 18 255 per incident, the cost of breach is around R1 548 per lost or stolen data record. Importantly, 37% of data breaches involved malicious or criminal attacks, it notes.

Risk factor

In SA, IBM says customer churn was identified as a key risk factor in data breaches. In fact, the more churn, the higher the cost of data breach. If companies lost less than 1% of their existing customers, the average cost of a breach could be R26.83 million, below the average of R28.6 million. But when companies had a churn rate of greater than 4%, the average cost could be R35.95 million - well above the average.

Certain factors reduced the cost of a data breach, says IBM. Incident response teams and plans, extensive use of encryption, participation in threat sharing and employee training programmes decreased the per capita cost, it adds. Data breaches due to third-party involvement, extensive migration to the cloud, or lost or stolen devices increased the cost.

According to the study, leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach.