SA’s average data breach cost jumps to R43.3m

By Admire Moyo, ITWeb's news editor.
Johannesburg, 24 Jul 2019

The average cost of a data breach in South Africa has jumped by over 12% from last year.

This is according to the IBM 2019 Cost of a Data Breach Study, which shows data breach costs are on the rise globally.

A total of 21 South African companies participated in this year’s study, done in partnership with the Ponemon Institute.

IBM says, based on four years of historical data, R43.3 million is the average total cost of a data breach, which represents an increase of 12.16% from the previous year.

It notes R2 200 is the per capita cost per lost or stolen record, which represents an increase of 9.35% from the prior year.

The company explains the root cause for 52% of data breaches in SA was malicious or criminal attacks.

The mean time to identify the data breach in the country increased from 150 to 175 days, while the mean time to contain the data breach increased from 40 to 56 days.

Rising expenses

According to the report, the cost of a data breach has risen 12% over the past five years and now costs $3.92 million on average globally.

These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks, says IBM.

It notes the financial consequences of a data breach can be particularly acute for small and midsize businesses.

In the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average – a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue.

For the first time this year, the report also examined the long-tail financial impact of a data breach, finding the effects of a data breach are felt for years.

While an average of 67% of data breach costs were realised within the first year after a breach, 22% accrued in the second year and another 11% accumulated more than two years after a breach globally.

The long-tail costs were higher in the second and third years for organisations in highly-regulated environments, such as healthcare, financial services, energy and pharmaceuticals, says IBM.

“Cyber crime represents big money for cyber criminals, and unfortunately that equates to significant losses for businesses,” says Wendi Whitmore, global lead for IBM X-Force incident response and intelligence services.

“With organisations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”

Malicious attacks

The study found data breaches which originated from a malicious cyber attack were not only the most common root cause of a breach, but also the most expensive.

Malicious data breaches cost companies in the study $4.45 million on average – over $1 million more than those originating from accidental causes such as system glitches and human error, says IBM.

It points out these breaches are a growing threat, as the percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42% to 51% over the past six years of the study (a 21% increase).

That said, inadvertent breaches from human error and system glitches were still the cause for nearly half (49%) of the data breaches in the report, costing companies $3.50 million and $3.24 million respectively.

IBM believes these breaches from human and machine error represent an opportunity for improvement, which can be addressed through security awareness training for staff, technology investments, and testing services to identify accidental breaches early on.

One particular area of concern is the misconfiguration of cloud servers, which contributed to the exposure of 990 million records in 2018, representing 43% of all lost records for the year, according to the IBM X-Force Threat Intelligence Index.

For the past 14 years, the Ponemon Institute has examined factors that increase or reduce the cost of a breach and has found that the speed and efficiency at which a company responds to a breach has a significant impact on the overall cost.

This year’s report found that the average lifecycle of a breach was 279 days, with companies taking 206 days to first identify a breach after it occurs and an additional 73 days to contain the breach.

However, companies in the study who were able to detect and contain a breach in less than 200 days spent $1.2 million less on the total cost of a breach.

Incident response

A focus on incident response can help reduce the time it takes companies to respond, and the study found these measures also had a direct correlation with overall costs.

Having an incident response team in place and extensive testing of incident response plans were two of the top three greatest cost saving factors examined in the study. Companies that had both of these measures in place had $1.23 million less total costs for a data breach on average than those that had neither measure in place ($3.51 million versus $4.74 million).

The study also examined the cost of data breaches in different industries and regions, finding data breaches in the US are vastly more expensive – costing $8.19 million, or more than double the average for worldwide companies in the study.

Costs for data breaches in the US increased by 130% over the past 14 years of the study, up from $3.54 million in the 2006 study.

Additionally, organisations in the Middle East reported the highest average number of breached records, with nearly 40 000 breached records per incident (compared to a global average of around 25 500).

For the 9th year in a row, healthcare organisations in the study had the highest costs associated with data breaches. The average cost of a breach in the healthcare industry was nearly $6.5 million – over 60% higher than the cross-industry average.