Cyber Security: How much could a breach of data cost your business?
According to a report released by the Office of the Australian Information Commissioner (OAIC) earlier this year, criminal or malicious attacks were the leading cause of data breaches in Australia over the first half of 2020. The health sector reported 22 per cent of all breaches, followed by the finance sector with 14 per cent, and the most common type of information involved was contact information. So how much could a data breach cost your business?
What is a data breach?
A data breach occurs when personal information is lost, or is accessed or disclosed without authorisation. Organisations covered by the Privacy Act 1988 must notify the affected individuals and the OAIC when a breach involving personal information is likely to result in serious harm to any of those individuals.
How could it affect my business?
Cyber attacks in Australia can have a range of detrimental effects on businesses including:
- Financial loss – due to the theft of information and/or money or the disruption to business
- Business loss – due to damage to an organisation’s reputation, or those of other companies you do business with
- Cost outlay – due to getting affected systems up and running again
- Investment loss – due to the time taken to notify the relevant authorities of the incident
How much could a breach cost?
According to IBM’s 2020 Cost of a Data Breach Report, the average data breach cost in the Asia-Pacific (APAC) region is $2.62 million, and in Australia, $2.13 million. APAC organisations have faced the theft or loss of over 11.7 billion records in the past three years, and it was also one of the worst global locations in terms of damages. ‘Damages’ refers to:
- The average size of a data breach (number of records lost or stolen)
- The average total cost of a data breach and per record cost
- Abnormal customer turnover (the greater-than-expected loss of customers since the breach occurred)
These figures were an increase of nearly five per cent year-on-year at a regional level, up from $2.53 million in 2018. In the region, an average breach involves around 22,500 records, the cost per lost record is around $176, and containing a breach takes around 69 days.
The attacks reported most often in the APAC region were Denial of Service (DoS) attacks, which flood a website or service with traffic so that legitimate users cannot reach it, and web application attacks, which target the applications that let visitors submit data to and retrieve data from a backend database through their browser.
Businesses surveyed estimated the average total cost of DoS attacks in the APAC region at $1.1 million per company, and the average total cost of web application attacks over the past 12 months at $2.4 million per company.
Although inadvertent breaches caused by system glitches and human error still accounted for nearly half the data breaches in the report, malicious breaches were the single most common root cause and the most expensive, costing companies $4.45 million on average. Their share is growing: malicious or criminal attacks as the root cause rose from 42 per cent to 51 per cent over the six years of the study.
The misconfiguration of cloud servers also contributed to the exposure of 990 million records in 2018, representing 43 per cent of all lost records for the year.
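The page does not say which misconfigurations were involved. One of the most common is an object-storage bucket whose policy grants read access to everyone on the internet. The following is an added example, not code from the page or from IBM's report: it shows a weak bucket policy beside a hardened one and a small audit routine that flags the weak form. The bucket ARN, account ID, role name and VPC endpoint ID are placeholders, and the three policy documents are constructed for this example.

```python
"""Audit S3 bucket policies for anonymous access (added example, not from the page).

Assumptions: policies are the JSON documents AWS returns for a bucket; the
three sample policies below are constructed for this example and every
identifier in them (bucket, account, role, VPC endpoint) is a placeholder.
"""
import json

BUCKET = "arn:aws:s3:::customer-records"                  # placeholder bucket ARN
APP_ROLE = "arn:aws:iam::123456789012:role/records-app"  # placeholder role ARN

# Constructed: the misconfiguration that exposes every object to the internet.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
})

# Constructed: same bucket, access limited to one application role and only over TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": "s3:GetObject",
            "Resource": BUCKET + "/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed: grants to everyone, but only through one VPC endpoint. Not
# necessarily wrong, but a human must confirm that endpoint is private.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET + "/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    """Policy JSON accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element means 'everyone', in either spelling."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(policy_json):
    """Map each statement Sid to a verdict.

    'public' : Allow to everyone with no Condition, i.e. internet-readable
    'review' : Allow to everyone that is narrowed by a Condition
    'ok'     : everything else, including Deny statements
    """
    policy = json.loads(policy_json)
    verdicts = {}
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            verdicts[sid] = "review" if stmt.get("Condition") else "public"
        else:
            verdicts[sid] = "ok"
    return verdicts


def is_public(policy_json):
    """True when at least one statement is an unconditional public grant."""
    return "public" in audit_policy(policy_json).values()


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY),
                      ("conditional", CONDITIONAL_POLICY)]:
        print(name, audit_policy(doc))
```

The audit only reads the bucket policy. Legacy ACLs, `NotPrincipal` statements and the account-level Block Public Access setting also decide whether a bucket is exposed, so treat a clean result here as one check among several rather than proof the data is private.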
The report showed that in order to recover from data breaches in Australia, companies were required to invest vast amounts of resources over a long period of time. Only 67 per cent of data breach costs were realised within the first year after a breach, 22 per cent added in the second year and another 11 per cent accumulated more than two years after a breach.
What’s involved in data breach prevention?
Malicious or criminal attacks are a leading cause of data breaches reported to the OAIC, so data privacy and security need to be top of mind as part of an organisation’s overall cyber risk assessment strategy. To mitigate data breaches or spills, the Australian Cyber Security Centre recommends:
- Researching, formulating and initiating a robust data breach response plan.
- Improving employee awareness of cyber security threats and issues, including phishing and spear phishing.
- Enabling prevention techniques including training employees in cyber security plans and systems.
- Ensuring employees periodically reset passwords, and increase password length and complexity.
- Discouraging employees from reusing the same password across critical services like banking sites.
- Encouraging employees to think carefully before entering credentials.
- Ensuring employees use multi-factor authentication when performing privileged actions or accessing important data.
- Ensuring businesses use multi-factor authentication for all remote access to business systems.
- Keeping browsers, plugins and operating systems up-to-date with patches and fixes.
- Enabling anti-virus protection to help guard against malware that steals credentials.
- Engaging with professional services that offer email security, endpoint protection, multi cloud security and integration, and Next Generation Firewall technology.