Over the last couple of years, data security has catapulted up the agenda for many businesses. It is now seen as a key business risk, and one that needs attention from the most senior executives and not just the IT department.
One of the key reasons for this is a growing awareness of just how severe the repercussions can be if a firm does fall victim to a data breach, in terms of direct financial penalties, reputational damage and lost business.
Financial impacts can be hard to measure accurately, but one annual study has released its latest report this month, and it warns that however you measure it, costs are going up. In fact, according to IBM’s 2019 Cost of a Data Breach study, the cost of a breach has climbed by 12 per cent over the last five years, with the average breach now costing $3.92 million (£3.22 million), and expenses will continue to be felt for many years after an attack.
Expect multi-year financial impacts
This year was the first time IBM’s study has examined the long-tail financial impact of a data breach, and it revealed that recovery is a long process.
While two-thirds of the financial impacts (67 per cent) were felt in the first 12 months after a breach is discovered, a further 22 per cent of costs accrue in the year following this, while 11 per cent of the total expenses come more than two years after the incident. Longer-lasting financial challenges were particularly common for firms in more highly regulated industries, such as finance, healthcare and energy.
Small and medium-sized businesses are particularly at risk. The study found firms with fewer than 500 employees saw average losses of more than $2.5 million, which IBM said could be “potentially crippling” for these firms, which typically generate less than $50 million in annual revenue.
Wendi Whitmore, global lead for IBM’s X-Force Incident Response and Intelligence Services, said: “With organisations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”
Malicious actors a growing threat
The study found that the root cause of breaches is split almost equally between malicious and accidental incidents. Incidents caused by human error or system glitches account for 49 per cent of all cases, compared with 51 per cent caused by malicious actors.
However, while accidental breaches caused by human error and system glitches can be hugely costly, setting businesses back $3.5 million and $3.24 million respectively, it is malicious actions that are potentially the more serious problem. IBM noted such incidents have increased by 21 per cent over the past six years, from 41 per cent of all incidents to 51 per cent, and are often more costly than accidental breaches, with average expenses reaching $4.45 million.
Misconfigured cloud servers are said to be a particularly large threat, contributing to the loss of 990 million records in 2018, or 43 per cent of all compromised data records.
How can firms minimise their costs?
Despite these threats, IBM noted there are several things businesses can do to reduce the cost of a data breach, even if such incidents cannot be prevented altogether.
The most important factor in reducing these expenses is the speed and efficiency with which a company is able to respond, IBM stated. It found the average lifecycle of a breach in 2018 stood at 279 days, with firms taking 206 days to detect an incident and a further 73 days to fully contain it.
However, companies that were able to reduce the time taken for detection and containment to under 200 days spent significantly less on the total cost of a breach.
“Having an incident response team in place and extensive testing of incident response plans were two of the top three greatest cost saving factors examined in the study,” the report continued. “Companies that had both of these measures in place had $1.23 million less total costs for a data breach on average than those that had neither measure in place ($3.51 million vs. $4.74 million).”
Other factors businesses should consider include deploying security automation technologies, which can cut the cost of a breach in half, while using strong encryption reduces expenses by $360,000.
Enterprises also need to be particularly wary when dealing with third parties, such as partners and suppliers, as breaches that originate here cost companies $370,000 more than average. IBM said this emphasises the need for firms to closely vet the security of the companies they do business with, align security standards, and actively monitor third-party access.