
Aussie data breach costs drop but it's still an expensive game of risk

27 Jun 17

The cost of a data breach in Australia is falling, but organisations are still paying an average of $2.5 million per breach, according to the 2017 Ponemon Cost of Data Breach report, sponsored by IBM Security.

While that is a 10% year-on-year decrease from last year's $2.64 million, organisations are still taking more than 175 days on average to detect a breach, and a further 65 days to contain it.

The report attributes the lower cost to two factors: the average number of records compromised per breach fell 5.8%, and the average cost per lost or stolen record fell to $139.

Per-record costs also vary by sector. In financial services the average cost per lost or stolen record is $232.

Customer churn after a breach adds to the total cost; post-breach churn also fell, by 5.3%.

IBM Security's John Vine says that the statistics show interesting challenges for Australia.

“Currently Australian organisations on average are taking more than 175 days to detect an incident. From February 2018, the Data Privacy Act will require organisations to report data breaches within 30 days to the Privacy Commissioner and their customers. Technologies such as cognitive and AI can provide faster, more cost-effective incident identification, which will speed the customer response and reduce churn,” he says.

The company says that organisations which bring the mean time to identify (MTTI) a breach below 100 days could save up to 35%, with the average cost of such breaches at $1.96 million.

Malicious or criminal attacks account for 48% of Australian data breaches, at a cost of $154 per record; negligence by employees or contractors accounts for 28% ($130 per record); and system glitches for 24% ($121 per record).

The report identifies the investments that do most to reduce the cost of a breach: extensive use of encryption, an incident response team, employee training, appointing a CISO, and participation in threat-sharing initiatives.

Total breach costs may have dropped in Australia, but that has not been the case everywhere. Japan, South Africa, India and the Middle East all saw costs rise.

“Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” comments Dr. Larry Ponemon.

“Year-over-year we see the tremendous cost burden that organisations face following a data breach. Details from the report illustrate factors that impact the cost of a data breach, and as part of an organisation’s overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services.”

Organisations in Australia and globally can consider the following to reduce their costs of data breach:

  • Investments in governance, risk management and compliance (GRC) programs.
  • Investment in enabling security technologies, including security analytics, SIEM, enterprise-wide encryption and threat intelligence sharing platforms.
  • Recruitment and retention of knowledgeable personnel.