25 September 2017
In a global study of the cost to business of cyberattacks, Kaspersky Lab has found that the average cost of a data breach has risen by 11% for enterprises globally in 2017.
The “Corporate IT Security Risks Survey” is a global survey of IT business decision makers, conducted annually since 2011, among more than 5,200 organisations globally, of varying sizes. The current report was completed in March and April of 2017.
The methodology involved asking respondents to gauge the cost of an incident based on these cost parameters:
- Additional Internal Staff Wages
- Lost Business
- Employing External Professionals
- Damage to Credit Rating/Insurance
- Extra PR
- Improving Software/Infrastructure
- Training Staff
- Hiring New Staff
The combined cost of these gives the total financial impact for that organisation, and an average cost was calculated across businesses to gain an estimate of the typical cost of data breaches for businesses.
The survey found that among small to medium businesses (SMBs, 50-999 employees), for example, the average total impact of a data breach amounts to $117,000 (€98,260). The rate for enterprises was found to be more than 10 times higher, at $1.3 million (€1.1 million), which, the survey report states, demonstrates that cyberthreats are expensive to fight for companies of all sizes.
“The cost of cybersecurity incidents is changing, with businesses having to deal with multiple considerations – from PR to new staff – in the aftermath of a breach,” said the survey report. “This year we have seen a continued evolution in the financial impact of a data breach, with the recent Equifax breach for example. This, in turn, will have a knock-on effect on whether businesses view their cybersecurity spend as a cost centre, or an investment that will help them avoid the larger financial penalties associated with an attack.”
For enterprises, the average cost breakdown was as follows:
- Additional Internal Staff Wages – $207,000
- Improving Software/Infrastructure – $172,000
- Employing External Professionals – $154,000
- Training Staff – $153,000
- Lost Business – $148,000
- Compensation – $147,000
- Hiring New Staff – $124,000
- Damage to Credit Rating/Insurance – $118,000
- Extra PR – $113,000
In addition, the report said, spend on training in the aftermath of a security breach is particularly expensive for enterprises, at $153,000 (€128,500) on average, with businesses realising the need to increase the cybersecurity knowledge of their staff, once they have been stung by a security incident.
The different costs experienced by enterprises and smaller businesses directly reflect the current capabilities of most organisations of these sizes, with smaller businesses clearly struggling to deal with the problem themselves and therefore seeking third-party expertise, said the report. At the same time, they are vulnerable to losing business as a result of these attacks, but are less likely to need to pay compensation (possibly due to the less formal nature of their business relationships).
For larger businesses, their greater internal capabilities change the balance between the money spent on responding to the threat, and the damages suffered. Compensation, however, remains a serious concern, with an average $147,000 (€123,500) spent on compensation per data breach.
The average cost of a data breach has risen by 11% for enterprises globally in 2017, the report says, and it reasons that cost rises are likely to continue as governments rush to introduce new legislation, requiring businesses to publicly announce data breaches that they experience, and provide better transparency about how they protect personal data.
The survey report acknowledges that developing and enacting laws takes time, which is a huge problem in the face of such a rapidly changing business IT landscape and the proliferation of cybersecurity threats.
It gives, by way of example, Japanese legislation that was agreed upon in 2015 but took two years to come into force. And indeed, it is worth noting that for many the legislation came too late, as there were a number of high-profile failures among Japanese firms in the interim. One example is that of travel agency JTB Corp., which experienced a massive data breach in 2016, resulting in almost eight million customers having their details (including names, addresses and passport numbers) stolen.
This is symptomatic, the report says, of a wider global challenge, with threats moving fast but businesses and legislation changing slowly. It also cites the example of the European General Data Protection Regulation (GDPR), which will be enforceable in May 2018 and which will greatly limit how businesses treat EU citizen data.
With legislation changing across the world, and cyberthreats evolving faster than these regulations, says the report, businesses need to remain mindful of the gap between legislation and reality, and prepare their defences accordingly, if they are to protect their customers and their reputations. They need to start thinking about being compliant with new regulations ahead of deadlines, for the security of their data and that of their customers, rather than waiting for legislation to catch up with them before changing their policies or worrying about GDPR fines.