
Data breach recovery costs in SA reach new high

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 31 Jul 2024
South African organisations increasingly face cyber threats and data breaches.

Amid the increase in data breaches locally, the cost implication of these incidents for organisations has reached a new high.

IBM’s newly-released 2024 Cost of a Data Breach Report shows data breaches in SA now cost R53.10 million per incident, on average. This figure is up from R49.45 million in 2023.

Driving the costs are factors such as business disruption, post-breach customer support and remediation, states the report. Security staffing challenges, security system complexity and non-compliance with regulations were also contributing factors.

“South African organisations are facing cyber threats and data breaches at an exponential rate, and this highlights the urgent need for robust cyber security measures,” says Ria Pinto, GM and technology leader at IBM SA.

Now in its 19th year, the report is conducted by IBM Security and Ponemon Institute. It studied 604 organisations globally, including SA, impacted by data breaches between March 2023 and February 2024.

Researchers looked at organisations across 17 different industries, in 16 countries and regions, and breaches that ranged from 2 100 to 113 000 compromised records. In SA, 24 organisations, representing 4% of the total sample, were included.

Data collection methods excluded actual accounting information and instead relied on participants estimating direct costs by marking a range variable on a number line, explains IBM.

Crisis mode

The CSIR estimates the impact of cyber crime on the South African economy to be at R2.2 billion per annum, with the country described as a “very attractive” testbed for cyber criminals.

The last few years have seen local organisations, particularly government entities, healthcare and financial firms, falling victim to attacks and data breaches, or being forced offline.

This led to the Information Regulator (InfoReg), SA’s data privacy enforcer, noting the alarming rate at which data breaches are increasing in the country.

In the 2022 financial year (February 2023), the InfoReg said it received 500 notifications of data breaches or security incidents. In the 2023 financial year (February 2024), the number spiked to over 1 700 reported security compromises – more than triple.

According to the IBM report, stolen or compromised credentials were the most prevalent initial attack vector in SA, representing 17% of breaches. This was followed by phishing at 12% of cases and business e-mail compromise at 10% of the breaches studied.

The report further highlights that 49% of breaches involved data stored across multiple environments, including public cloud, private cloud and on-premises. “These breaches were also the most expensive, at R59 million on average, and took the longest to identify and contain (263 days).”

In addition, the South African organisations studied needed an average of 227 days to identify and contain incidents, 31 days below the global average for the data breach lifecycle, which was 258 days.

When looking at industry-specific insights, the report shows SA’s financial services sector saw the costliest breaches across industries, with average costs reaching R75.31 million, followed by the industrial sector (R67.26 million) and hospitality (R61.76 million).

Last year, the average cost of a data breach in the financial sector totalled R73.1 million.

Overcoming challenges

The IBM report makes it clear the large-scale skills crisis within cyber security is not a uniquely South African problem. More than half of the organisations studied globally indicated that severe or high-level staffing shortages last year led to significantly higher breach costs.

“This comes at a time when organisations are racing to adopt generative artificial intelligence (AI) technologies, which are expected to introduce new risks for security teams,” says the report.

Despite this, IBM anticipates the mounting staffing shortage may soon see relief, as more organisations worldwide stated they are planning to increase security budgets compared to last year (63% versus 51%), and employee training emerged as a top planned investment area.

“Globally, organisations also plan to invest in incident response planning and testing, threat detection and response technologies, identity and access management and data security protection tools.”

Meanwhile, 78% of organisations studied are deploying security AI and automation across their security operation centre, a nearly 10% jump from the prior year.

IBM says when these technologies were used extensively, local organisations incurred an average R19 million less in breach costs, compared to those without security AI and automation deployments.

“As the complexity and frequency of these threats continue to grow, deploying AI-driven security solutions becomes crucial in safeguarding our national digital infrastructure,” comments Pinto. “AI-driven security solutions can support the detection and mitigation of risks more efficiently.”

Methodology:

Participants in the IBM report were instructed to mark the number line in one spot between the lower and upper limits of a range for each cost category. The numerical value obtained from the number line, rather than a point estimate for each presented cost category, preserved confidentiality and ensured a higher response rate.

The benchmark instrument also required respondents to provide a second separate estimate for indirect and opportunity costs. In the interest of maintaining a manageable dataset for benchmarking, the report included only those cost activity centres with a crucial impact on data breach costs.

Based on discussions with experts, a fixed set of cost activities was chosen. After collecting benchmark information, each instrument was carefully re-examined for consistency and completeness.

The scope of data breach cost factors was limited to known categories that apply to a broad set of business operations involving personal information. The choice was to focus on business processes instead of data protection or privacy compliance activities, to yield better-quality results.
