Results of the global 2017 Ponemon Cost of Data Breach report announced by IBM Security yielded some anomalous findings for Australian organisations, including that while the cost of a data breach has dropped five per cent in Australia from a year earlier, the global average decrease for the same period was 10 per cent.
This is the first time since the annual global study's inception that the overall average cost has decreased. However, while the overall average was down, organisations in the US, Japan, India, the Middle East and South Africa all experienced higher costs in 2017 than their four-year average.
In fact, the cost of a data breach in the US rose five per cent to US$7.35 million compared to last year. By comparison, the average cost of a data breach in Australia dropped to A$2.51 million from A$2.64 million in 2016.
The average cost for each lost or stolen record for Australian organisations fell 2.1 per cent to A$139, compared with a global average of US$141 per lost or stolen record.
Lost business costs also decreased this year to A$0.79 million from A$0.84 million last year. These costs include customer churn, increased acquisition activities, reputation losses and diminished goodwill.
Decreasing costs are attributed to a number of factors including a reduction in the number of stolen or lost records (decreased by 5.8 per cent) and a reduction in abnormal customer churn (decreased by 5.3 per cent).
The study noted that costs vary by industry. For the seventh year in a row, healthcare topped the list as the most expensive industry for data breaches globally. Healthcare data breaches cost organisations US$380 per record, more than 2.5 times the global average across industries. The study noted that Australian financial services, services and technology companies tend to have a higher per-record cost than the national average of A$139. In the financial services sector, the cost per record can be as much as A$232. On the other hand, organisations in the public sector, transportation and retail had a per-record cost significantly below average and experienced lower rates of customer churn after a breach.
A key factor contributing to an increase in the cost of a breach was the involvement of third parties, increasing the cost on average by US$17 per record. The study recommended that organisations evaluate the security posture of their third-party providers, including payroll, cloud and CRM providers, to ensure the security of employee and customer data.
Root cause also drives cost. In Australia, 48 per cent of breaches were caused by malicious or criminal attacks, at a per-record cost of A$154; 28 per cent were the result of negligent employees or contractors, at A$130 per record; and a further 24 per cent were caused by system glitches, at A$121 per record.
The speed of response was found to affect cost significantly. The faster an organisation can identify and contain a breach, the lower the overall cost. Where the mean time to identify (MTTI) was less than 100 days, the average cost fell to A$1.96 million from A$3.05 million, a saving of roughly 35 per cent.
To date, however, identification and containment are not fast. Australian organisations currently take more than five months (175 days) on average to detect an incident. Although this is 16 days faster than the global average, it is far outside the window set by the Notifiable Data Breaches scheme under the Privacy Act, which comes into force next February and will require Australian organisations to assess a suspected data breach within 30 days and notify affected individuals and the regulator. After detection, Australian organisations took an average of 67 days to contain an incident, one day slower than the global average.
Moving forward, technologies such as cognitive computing and AI are expected to increase the speed of detection and containment to reduce both costs and churn.
The report identified the five investments that did most to reduce the cost of a data breach: extensive use of enterprise-wide encryption, having an incident response team in place, employee training, having a CISO appointed, and participation in threat intelligence sharing platforms.
Additionally, to reduce costs associated with a breach, organisations can consider increasing their investments in governance, risk management and compliance (GRC) programs as well as implementing security technologies such as security analytics and SIEM. A low-tech tactic is the ongoing recruitment and retention of knowledgeable employees.
The annual Cost of Data Breach study examines both direct and indirect costs, drawing on in-depth interviews with staff at more than 410 companies across 11 countries and two regions.