JOHANNESBURG – IBM Security this week announced the results of a study examining the financial impact of data breaches, revealing that these incidents cost South African companies R40.2 million per breach on average among organisations studied.
Based on in-depth analysis of data breaches experienced by South African organisations, the study found that malicious attacks on customer, employee and corporate data were most prevalent – accounting for 48 percent of incidents – and proved to be the costliest cause of breaches to businesses.
As companies are increasingly accessing sensitive data via new remote work and cloud-based business operations, the report sheds light on the financial losses that organisations can suffer if this data is compromised. Sponsored by IBM Security and conducted by the Ponemon Institute, the 2020 Cost of a Data Breach Report is based on in-depth interviews with security professionals in organisations that suffered a data breach over the past year.
Consumer credit reporting company Experian South Africa, which was recently hit by a data breach, said it was actively pursuing both criminal and civil charges against the perpetrator who walked off with records of millions of South Africans after impersonating one of the company’s clients.
Experian said it was continuing to investigate an isolated incident in South Africa involving a fraudulent data inquiry. “An individual purporting to represent a legitimate client of Experian South Africa fraudulently requested services from Experian. The services involved the release of consumer information which included telephone numbers and in some instances an address and employment details of individuals.
“No consumer credit or financial information was obtained by the fraudster in this incident. The fraudster also obtained bank account numbers on some business entities.”
Experian Africa chief executive Ferdie Pieterse confirmed that civil and criminal procedures were being pursued against the perpetrator as the credit bureau took every step available to limit the impact to citizens and businesses in South Africa.
Although data-breach costs may have decreased this year, South Africa is still heavily prone to the issue
Examining cost factors which contribute to the cost of the data breach in South Africa, the study found that:
· For companies studied in South Africa, the average time to identify a data breach increased to 177 days (from 175 days in 2019), and the average time to contain a data breach once identified decreased to 51 days (from 56 days in 2019). The global average to identify a data breach was higher at 207 days with an average time of 73 days to contain the breach.
· In South Africa, the three root causes of data breaches were identified as malicious or criminal attack (48 percent), human error (26 percent) and system glitches (26 percent).
· On average, malicious or criminal attacks took 191 days to identify and 62 days to contain. Human error breaches took 164 days to identify and 40 days to contain, while system glitch breaches took 163 days to identify and 44 days to contain.
· The number of lost or stolen records also impacts the cost of a breach, costing R1,984 per lost or stolen record on average – a 9.35 percent decrease from 2019.
· Investments in smart tech resulted in lower breach costs, as companies that had fully deployed security automation technologies (which leverage AI, analytics and automated orchestration to identify and respond to security events) experienced lower data breach costs compared to those that didn’t have these tools deployed.
“It is becoming increasingly important for IT leaders to put security measures in place which reduce the impact of a data breach. With this year’s study we’re seeing how costs were much higher for South African organisations that had not yet invested in areas such as security automation and incident response processes – and how complex security systems and cloud migration cost companies the most. With growing complexities facing companies, putting measures in place which significantly reduce the time it takes to investigate, isolate, contain and respond to the damage, will significantly reduce financial and brand impact,” said Sheldon Hand, IBM Security Leader for South Africa.
Employee Credentials and Misconfigured Clouds – Attackers’ Entry Point of Choice
In global findings, stolen or compromised credentials and cloud misconfigurations were the most common causes of a malicious breach for companies in the report, representing nearly 40 percent of malicious incidents. With over 8.5 billion records exposed in 2019, and attackers using previously exposed emails and passwords in one out of five breaches studied, businesses should rethink their security strategy via the adoption of a zero-trust approach – re-examining how they authenticate users and the extent of access users are granted.
Similarly, South African companies struggle with security complexity – a top breach cost factor which increases the cost implication by R3.3 million on average for South African companies studied in the report.
Advanced Security Technologies Prove Smart for Business
The report highlights the growing divide in breach costs between businesses in South Africa implementing advanced security technologies and those lagging behind, revealing a cost-saving difference of R2.5 million for SA companies with deployed security analytics versus those that have yet to deploy this type of technology.
Companies in the study with fully deployed security automation also reported significantly shorter response times to breaches, another key factor shown to reduce breach costs in the analysis. The report found that AI, machine learning, analytics and other forms of security automation enabled companies to respond to breaches faster than companies that have yet to deploy security automation. The study also found that South African organisations which invested in AI platforms saved R2 million on the average cost of a data breach.
Incident response (IR) preparedness also continues to heavily influence the financial aftermath of a breach. According to the report, South African companies with neither an IR team nor testing of IR plans experience higher average breach costs, whereas local companies that have both an IR team and use tabletop exercises or simulations to test IR plans experience R3.4 million less in breach costs – reaffirming that preparedness and readiness yield a significant ROI in cybersecurity.
Some additional findings from this year’s global report include:
· Remote Work Risk Will Have a Cost – With hybrid work models creating less controlled environments, the report found that 70 percent of companies studied that adopted telework amid the pandemic expect it will exacerbate data breach costs.
· Majority of Cyber Insured Businesses Use Claims for Third Party Fees – The report found that breaches at studied organisations with cyber insurance cost on average R2.2 million less than the global average of $3.86 million. In fact, of these organisations that used their cyber insurance, 51 percent applied it to cover third-party consulting fees and legal services, while 36 percent of organisations used it for victim restitution costs. Only 10 percent used claims to cover the cost of ransomware or extortion.
· Nation State Attacks – The Most Damaging Breaches: Data breaches believed to originate from nation state attacks cost organisations on average $4.43 million. Despite representing just 13 percent of malicious breaches studied, state-sponsored threat actors were the most damaging type of adversary according to the 2020 report, suggesting that financially motivated attacks (53 percent) don’t necessarily translate into higher financial losses for businesses.
About the Study
The annual Cost of a Data Breach Report is based on in-depth analysis of real-world data breaches taking place between August 2019 and April 2020, taking into account hundreds of cost factors, from legal, regulatory and technical activities to loss of brand equity, customers and employee productivity.