South Africa’s financial sector has experienced the highest average cost of data breaches totalling R73.1 million, with the industrial and services sectors second and third, with R71.37 million and R58.78 million, respectively.
This is according to IBM Security’s annual Cost of a Data Breach Report, based on an analysis of real-world data breaches experienced by 553 organisations globally (including 21 in South Africa) between March 2022 and March 2023.
Research showed the average data breach cost for South African organisations reached R49.45 million in 2023 – an all-time high for the report.
This represents an 8% increase over the last 3 years and a 73% increase since South Africa was added to the report eight years ago.
The per record average cost of data breaches reached an all-time high at R2 750, a 20% increase from R2 300 in 2021.
IBM Security said detection and escalation costs reached R20.88 million, the highest portion of breach costs and indicating a shift towards more complex breach investigations. This was followed by costs associated with lost business at R13.56 million, post-breach responses at R13.29 million and notifying relevant stakeholders at R1.72 million.
The repor found that most cyber threats were the results of stolen or compromised credentials and phishing scams, constituting 14% each as the initial attack vectors. Attacks through compromised business e-mails were second at 12%, and attacks due to cloud misconfiguration were third at 11%.
Globally, 95% of studied organisations have experienced more than one breach. However, breached organisations were more likely to pass incident costs onto consumers (57%) than to increase security investments (51%).
“South Africa is the financial centre and economic gateway to the rest of the continent. This knowledge is not exclusive to the business community; cyber attackers are aware of it too as the financial sector is the most targeted,” said Ria Pinto, GM and technology leader at IBM South Africa. “Organisations should look to modernise their perimeter security strategies to enhance protection of their financial data by using zero-trust security solutions, underpinned by AI and automation, to increase their cyber resiliency, manage the risks and comply with strict data privacy policies such as the Protection of Personal Information Act (POPIA).”
AI and automation
IBM Security’s research also showed that AI and automation had the biggest impact on speed of breach identification and containment for studied organisations.
Organisations with extensive use of both AI and automation experienced a data breach lifecycle that was 95 days shorter compared to studied organisations that did not deploy these technologies (190 days versus 285 days), and only 28% of studied organisations have extensively implemented security AI and automation.
Organisations that deployed security AI and automation extensively saw, on average, nearly R10.49 million lower data breach costs than organisations that did not deploy these technologies – the biggest cost saver identified in the report.
“And with nearly 29% of studied organisations not yet deploying security AI and automation, and 43% using them sparingly, organisations still have a considerable opportunity to boost detection and response speeds,” the company added.
...with nearly 29% of studied organisations not yet deploying security AI and automation, and 43% using them sparingly, organisations still have a considerable opportunity to boost detection and response speeds.
Chris McCurdy, GM worldwide IBM Security Services, said, “Time is the new currency in cyber security, both for the defenders and the attackers. As the report shows, early detection and fast response can significantly reduce the impact of a breach. Security teams must focus on where adversaries are the most successful and concentrate their efforts on stopping them before they achieve their goals. Investments in threat detection and response approaches that accelerate defenders' speed and efficiency - such as AI and automation - are crucial to shifting this balance.”
In early June the office of South Africa’s Information Regulator (IR) said to date, it had received 1 021 data breach notifications, almost double the 564 data breaches or security compromise notifications the organisation had indicated in February.
In the first week of July 2023 ITWeb reported that the IR imposed a fine of R5 million on the Department of Justice and Constitutional Development (DoJ&CD) for breaching POPIA – the first time a South African organisation has been fined for contravention of the data privacy law.
South African organisations including Dis-Chem, TransUnion, Experian, the Development Bank of Southern Africa, First National Bank, the Western Cape Provincial Parliament, and Dimension Data have all reported attacks.