SA's average data breach costs escalate

By Admire Moyo, ITWeb's news editor.
Johannesburg, 12 Jul 2018
The hidden costs in data breaches are difficult and expensive to manage, says IBM Security.

The average costs of a data breach have escalated in SA from R32 million in 2017 to a whopping R36.5 million this year.

This is according to IBM Security, which announced the results of a global study examining the full financial impact of a data breach on a company's bottom line.

The rise in the costs of data breaches in SA represents a 12.2% increase from the prior year. In 2016, the average cost of a data breach was R28.6 million.

Overall, the study found that hidden costs in data breaches, such as lost business, negative impact on reputation and employee time spent on recovery, are difficult and expensive to manage.

IBM Security and Ponemon Institute conducted the 2018 Cost of a Data Breach Study. Data collection began in February 2017 and interviews were completed in April 2018.

The average number of breached records found in the 2018 study was 21 090, representing a 6.31% increase in the size of the average data breach.

Based on in-depth interviews with 20 companies that experienced a data breach, the study analyses hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.

"South African-based businesses and organisations are increasingly exposed to cyber threats and vulnerabilities of which they are blissfully unaware," says Graham Croock, director of BDO IT Advisory and Cyber Lab.

"There is no doubt that we currently find ourselves in an age where highly technical targeted cyber attacks are the order of the day, and I don't think South African executives take these threats seriously enough."

Held to ransom

The average number of breached records found in the 2018 study was 21 090, representing a 6.31% increase from last year.

The report comes as more and more South African organisations suffer data breaches, the latest being insurer Liberty, which was subjected to unauthorised access to its IT infrastructure by an external party who demanded ransom for it.

In May, South Africans suffered a massive data leak which resulted in close to a million personal records being exposed. This was after another mega leak in October 2017 that saw personal information of over 30 million South Africans compromised.

"While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," says Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services.

"The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake."

The study also examines factors which increase or decrease the cost of the breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.

The average time to identify a data breach in the study was 150 days, and the average time to contain a data breach once identified was 40 days. The three root causes of data breaches were identified as malicious or criminal attack (45%), human error (30%) and system glitches (25%).

On average, malicious or criminal attacks took 163 days to identify and 45 days to contain, while human error breaches took 139 days to identify and 33 days to contain.

Escalation costs

According to IBM, detection and escalation costs also increased, rising from R9.5 million in 2016, to R11.6 million in 2017 and R12.3 million in the 2018 study.

The number of lost or stolen records also impacts the cost of a breach, costing R1 792 per lost or stolen record on average, a 9.35% increase from 2017.

Globally, the study calculated the costs associated with "mega breaches" ranging from one million to 50 million records lost, projecting that these breaches cost companies between $40 million and $350 million, respectively.

In the past five years, the number of mega breaches (breaches of more than one million records) has nearly doubled, from nine mega breaches in 2013, to 16 mega breaches in 2017, says IBM.

For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records, almost a third of the total cost of a breach this size.

IBM analysed the publicly reported costs of several high profile mega breaches, and found the reported numbers are often less than the average cost found in the study.

It says the Equifax data breach was reported to cost the company $275 million; Target's 2016 financial report estimated a $292 million loss as a result of its 2013 data breach; and Ruby Corp (the parent company of Ashley Madison) reportedly paid $11.2 million for the settlement of its 2015 breach.

Loss of business

Commenting on the report, Ilia Kolochenko, CEO and founder of Web security company High-Tech Bridge, says: "I would probably highlight loss of business as a main, albeit long-term, cost of a data breach.

"New customers may hesitate to work with you; old customers can simply refuse to renew their contracts."

Kolochenko notes the second pillar of costs is legal expenses, fines and penalties imposed by regulatory authorities, often aggravated by individual and class-action lawsuits the victims may have against the breached company.

"Last, but not least, breach investigation and remediation can be quite expensive and require partial shutdown of operations and interruption of business-critical processes. Even worse, you never know how long the impact will last: in some cases, people may quickly forget about the incident; in others, it can take decades to expunge negative memories and stereotypes."
