Data breaches are increasing. Pick up any newspaper and, more often than not, there will be mention of a new data breach. Some are big and some are small, and most go undetected for long stretches of time. So what are the similarities between these data breaches? Beyond aspects such as brand reputation, customer churn and regulatory issues, there is a big financial impact as well. How much? What is the average cost of a data breach? What is the cost per record? Which industries are being impacted? How can this be reduced?
Cyberattacks in the Asia-Pacific region are rising at a particularly high rate. Is your defense in place? The Ponemon Institute’s “2016 Cost of Data Breach Study: Global Analysis,” which was sponsored by IBM, answers these questions and many more.
What Do the Numbers Say?
It is fascinating to see the findings of the global data breach report. Some key takeaways included:
- Health care experienced the most expensive per-record cost of a data breach compared to other industries at $355 per record.
- About 48 percent of data breaches were caused by malicious attacks from people both inside and outside of the organization.
- Nearly 25 percent of breaches were associated with human error.
- The single biggest factor in reducing the cost of a data breach was having an incident response team in place, which decreased the cost by nearly $400,000.
How Does the Asia-Pacific Market Look?
The above findings are based on data collected from organizations across the globe. We can zoom in a little more to see what the numbers look like in the Asia-Pacific region, specifically the two markets of Australia and India.
The report examined 63 organizations across 12 industries, focusing on the time after these companies experienced the loss or theft of protected personal data and had to notify victims and/or regulators as required by law. It is important to note that the costs presented in this research are from actual data loss incidents. They are based on estimates collected over a 10-month period.
Analyzing the costs with which these Asia-Pacific organizations were faced led to some interesting findings:
- The cost of a data breach is steadily increasing. In India, the average total cost of a data breach increased from 88.5 million Indian rupees in 2015 to 97.3 million rupees in 2016, a 10 percent spike. Australia, however, bucked the trend, with the cost of a data breach falling marginally from $2.8 million in 2015 to $2.6 million in 2016.
- Certain industries have higher breach costs. In India, financial institutions, services, and industrial and technology companies had a per-capita cost well above the mean. In comparison, the public sector and research institutions had a per-capita cost significantly below the mean.
- Malicious or criminal attacks were the primary root causes of data breaches. More than 41 percent of companies experienced a data breach as the result of malicious or criminal attacks. A similar trend was seen in the Association of Southeast Asian Nations (ASEAN) and Korea. Meanwhile, in India, 35 percent of organizations experienced system glitches, compared to 27 percent in Australia. Twenty-four percent of incidents in India involved employee or contractor negligence (aka the human factor) compared to 27 percent in Australia.
- Industries with higher breach costs are more vulnerable to churn. In 2016, financial services and technology companies experienced relatively high abnormal churn, and public sector and energy companies experienced relatively low abnormal churn.
Additionally, based on the India and Australia data, detection and escalation costs increased significantly. Notification costs also increased, along with post-breach expenditures. Breaches also led to increased customer acquisition activities, reputation losses and diminished goodwill.
Can the Cost of a Data Breach Be Reduced?
There is a silver lining: Steps can be taken to reduce the cost of a data breach. Here are the top five factors that can help decrease the cost:
- Having an incident response team;
- Extensive use of encryption;
- Participation in threat sharing;
- Employee security awareness and training; and
- Appointing a CISO.
Unfortunately, it’s not always possible for an organization to take these measures by itself because of issues related to people, or a lack of security-skilled personnel. There are also obstacles relating to process, such as having the right security policies in place, and to technology, such as having the right set of tools to do the job.
While you need to take the right steps to protect your organization from bad actors, you should not neglect the detection and response aspects either. Protection, detection and response are the three legs of the security tripod.
In most cases, having an external partner with expertise in security is recommended. Look for a partner that has received analyst recognition, with proven capability in the security space and a complete portfolio to address your security needs. Your partner should have trained and certified consultants who can help you. Additionally, a global presence is an added advantage, since you can benefit from the best practices adopted in different parts of the world.
As the cost of a data breach rises, so should your defense mechanisms. Download the full data breach report today and stay ahead of the curve.
Partner, Asia Pacific IBM Security Services, IBM