Average data breach costs SA R32m

By Staff Writer, ITWeb
Johannesburg, 28 Jun 2017
Compliance failures and extensive use of mobile platforms contributed to the increased cost of a data breach.

The average cost of a data breach in SA is R32.36 million, a 12% increase since 2016.

This is according to a study by IBM and the Ponemon Institute. According to the study, these data breaches cost companies on average R1 632 ($124) per lost or stolen record.

This year's annual study was conducted in 11 countries and two regions: the US, Germany, Canada, France, the UK, Italy, Japan, Australia, the Middle East (Saudi Arabia and the UAE combined), Brazil, India, ASEAN (Association of Southeast Asian Nations) as well as SA.

Compared with other markets, organisations in SA saw an average data breach cost of R32.36 million, had a direct per capita cost of R809, and are among the markets that spend R8.07 million on post-data-breach response.

The 2017 Cost of Data Breach report also revealed malicious or criminal attacks are the most frequent cause of a data breach in SA.

Forty-seven percent of incidents involved data theft or criminal misuse. These types of incidents cost companies R1 903 per compromised record, compared to R1 425 and R1 432 per compromised record as a result of a breach caused by a system glitch or employee negligence, respectively.

The top factors that contributed to the increase in the cost of a data breach in SA include compliance failures and the extensive use of mobile platforms, says IBM. Companies reported that compliance failures and the extensive use of mobile platforms increased the cost of each compromised record by R79 and R90, respectively.

"Data protection continues to be a challenge as businesses hold more and more sensitive information, pushing cyber security higher up the agenda," says Sheldon Hand, security business unit leader in SA.

"According to the study, malicious or cyber attacks are a major cause of data breaches in South Africa. Such attacks are financially damaging and present great threat to the reputation of organisations. It is important to start looking at security hygiene measures as an opportunity to avoid falling victim to the next big security threat rather than a nuisance."

The study found that having an incident response (IR) team in place significantly reduced the cost of a data breach to R1 494 per compromised record. In contrast, a third-party error increased the cost to R1 763 per compromised record.

IBM says the speed at which a breach can be identified and contained is in large part due to the use of an IR team and having a formal incident response plan. IR teams can assist organisations to navigate the complicated aspects of containing a data breach to mitigate further losses, it adds.

According to the study, how quickly an organisation can contain data breach incidents has a direct impact on the financial consequences. The cost of a data breach was nearly R5 million lower on average for organisations that were able to contain a data breach in less than 30 days compared to those that took longer than 30 days.

With such significant cost savings in mind, the study revealed there's room for improvement with organisations when it comes to the time to identify and respond to a breach. On average, organisations in SA took 155 days to identify a breach, and 44 additional days to contain a breach once discovered.

In SA, financial, services and industrial companies topped the list as the most expensive industries for data breaches, costing organisations over R1 632 per compromised record.

"Data breaches and the implications associated continue to be an unfortunate reality for today's businesses," says Dr Larry Ponemon. "Year-over-year we see the tremendous cost burden that organisations face following a data breach. Details from the report illustrate factors that impact the cost of a data breach, and as part of an organisation's overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services."