Data breaches are costing Australian organisations an average of AU$2.51 million -- approximately AU$139 per capita -- a report from IBM and the Ponemon Institute has found.
The 2017 Cost of Data Breach Study: Australia report investigated the costs 25 Australian companies incurred in 11 industry sectors after experiencing the loss or theft of protected personal data.
IBM said the number of breached records per incident in the 12 months to June 2017 ranged from 2,700 records to 69,835 records, and the average number of breached records was 18,556.
Malicious or criminal attacks were flagged as the primary root causes of a data breach by IBM, with 48 percent of companies represented in the study falling victim to a malicious or criminal attack.
Of the total breaches probed, Big Blue said 28 percent of incidents involved a negligent employee or contractor, and another 24 percent came as a result of system glitches.
"Not only are malicious attacks the most prevalent, but they are also more expensive to remediate," the report says, noting companies that experienced malicious or criminal attacks had the highest per capita cost overall.
According to IBM, there are five main factors that increase the cost of a data breach, with IT security complexity topping its list.
"Although some complexity in an IT security architecture is expected to address the many threats facing organisations, too much complexity can impact the ability to respond to data breaches," the report says.
As numerous lawsuits have been filed against breached organisations -- such as Yahoo, which has had approximately 43 putative consumer class action lawsuits filed against it in United States federal and state courts and in foreign courts relating to security incidents -- IBM said the cost of a breach is higher in litigious countries such as the US.
The report also said poor data classification schema and retention programs can result in a lack of visibility into the sensitive and confidential personal information that is most vulnerable to a breach, thus driving up the cost of a breach.
Malicious, criminal, and third-party data breaches were also flagged as more costly to resolve than other breaches, while IBM highlighted an organisation's cloud-based applications, as well as its use of mobile devices, as increasing the complexity of dealing with IT security risks and data breaches.
However, it's not all doom and gloom, with IBM noting that the cost of a data breach is on the decline. The average cost of a breach peaked in 2014 at AU$145 per capita, and the average total cost of a breach peaked in 2015 at AU$2.82 million.
The report said financial services and technology companies tend to have a per capita cost higher than the mean, whereas companies in the public sector, transportation, and retail had a per capita cost significantly below the mean.
Where sectors such as financial services are concerned, the report highlighted that a large factor in the high cost of a data breach stems from the sector's high rate of customer churn following a breach.
IBM also said that the more records lost, the higher the cost of a data breach.
Detection and escalation of a data breach event includes forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and boards of directors; IBM said these mitigation costs increased from AU$1.10 million in 2016 to AU$1.19 million in 2017.
According to IBM, costs relating to notification activities -- such as contact database creation, engagement of outside experts, and wading through regulatory requirements -- were slightly lower this year, with the average notification cost decreasing from AU$60,000 in 2016 to AU$50,000 in 2017.
In an effort to legislate around informing Australians when their privacy has been breached, the federal government finally passed data breach notification laws at its third attempt in February. Under the Privacy Amendment (Notifiable Data Breaches) Act, people will be alerted when their data has been inappropriately accessed, starting February 2018.
The legislation is restricted to incidents involving personal information, credit card information, credit eligibility, and tax file number information that would put individuals at "real risk of serious harm".
The notification laws apply only to organisations covered by the Privacy Act, leaving intelligence agencies, small businesses with annual turnover of less than AU$3 million, and political parties exempt from disclosing breaches.