The average cost of a data breach in South Africa is R1 548.00, with a total organisational cost of R28,6-million.
This is according to a report that analysed the financial impact of data breaches on a company’s bottom line. Sponsored by IBM and conducted by the Ponemon Institute, the study included a first-time benchmark of the cost of data breach incidents specifically for companies in South Africa.
Globally, cybersecurity incidents continue to grow in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014. As these threats grow in number and complexity, the cost to companies continues to rise. In fact, the study found that companies lose $158.00 per compromised record.
According to the latest edition of The Global Information Technology Report’s Networked Readiness Index (NRI) published by the World Economic Forum, South Africa has performed well, jumping 10 places to 65th position overall worldwide.
“While this is fantastic news in terms of the strides the country is making with technology adoption, increased technology use can also increase the risk of data breaches,” says Kevin McKerr, security sales leader at IBM South Africa.
By comparison, South African companies experience a higher cost of lost business per breach than the global average. With the average number of breached records at 18 255 per incident, the cost of a breach is around R1 548.00 per lost or stolen data record. Importantly, 37% of data breaches involved malicious or criminal attacks.
Lost business costs are followed closely by detection and escalation costs – typically including forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and boards of directors.
In addition, the study found that the more records and information lost, the higher the cost of the data breach. Costs range from R21,6-million for data breaches involving 10 000 or fewer lost or stolen records to R33,5-million for the loss or theft of more than 50 000 records.
In South Africa, churn was identified as a key risk factor in data breaches. In fact, the more churn, the higher the cost of a data breach. If companies lost less than 1% of their existing customers, the average cost of a breach could be R26,83-million, below the average of R28,6-million. But when companies had a churn rate of greater than 4%, the average cost could be R35,95-million – well above the average.
Certain factors reduced the cost of a data breach. Incident response teams and plans, extensive use of encryption, participation in threat sharing and employee training programmes decreased the per capita cost. Data breaches due to third-party involvement, extensive migration to the cloud or lost or stolen devices increased the cost.
According to the study, leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach.
The process of responding to a breach is extremely complex and time-consuming if not properly planned for. Among the required activities, a company must:
* Work with IT or outside security experts to quickly identify the source of the breach and stop any more data leakage.
* Disclose the breach to the appropriate government/regulatory officials, meeting specific deadlines to avoid potential fines.
* Communicate the breach to customers, partners, and stakeholders.
* Set up any necessary hotline support and credit monitoring services for affected customers.
Each one of these steps takes countless hours of commitment from staff members, taking time away from their normal responsibilities and wasting human resources that are valuable to the business.
Incident response teams expedite and streamline the process of responding to a breach, as they’re experts on what companies need to do once they realise they’ve been compromised. These teams address all aspects of the security operations and response lifecycles, from resolving the incident, to satisfying key industry concerns and regulatory mandates.
Additionally, incident response technologies can automate this process to further improve efficiency and speed up response time.
The global study also found that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. While breaches that were identified in less than 100 days cost companies an average of $3,23-million, breaches that were found after the 100-day mark cost over $1-million more on average ($4,38-million).
Globally, the average time to identify a breach in the study was estimated at 201 days, and the average time to contain a breach was estimated at 70 days.
The study found that companies with predefined business continuity management (BCM) processes in place found and contained breaches more quickly.