The threat of a data breach has evolved along with the development of technology, and many companies are not adapting sufficiently to what is becoming an embarrassing and costly issue for the majority of businesses.
What is the financial cost of a data breach?
According to Verizon’s RISK team, the size of an organisation does not necessarily affect the cost of a data breach. The variable that affects cost most heavily is the number of records involved in the data breach. So when headline-grabbing data breaches that affect multinational companies are hit by costs that reach to tens or even hundreds of millions of dollars, it’s usually due to the large number of records involved in the breach, rather than the size of the organisation.
Nonetheless, it’s clear that the cost of information security breaches is on the rise. The 2015 Information Security Breaches Survey, released by the UK Government, shows that for a large organisation, the cost of the worst data breach in a year is on average £1.46m - £3.14m. That’s more than double the figure reported in 2014, when the average was £600k - £1.15m. Similarly, the average cost to a small business is now £75k - £311k.
This cost includes factors like business disruption, lost sales, recovery of assets, fines, and compensation pay-outs.
Who Is Responsible for Security?
A major issue with defence against cyber-attacks and other forms of data breach is that it is sometimes unclear who within an organisation is responsible for data security. The Information Security Breaches Survey suggests that 33% of large organisations admit the responsibility for ensuring the protection of data has not been clearly assigned, and only 63% of respondents currently invest in or plan to invest in active threat monitoring or other threat intelligence services, while 74% of small businesses and 90% of large organisations have been affected by security breaches in the last year.
Who Owns the Risk?
Knowledge is an excellent defence, forewarned is forearmed. While 82% of respondents claimed that data security was a high or very high priority of senior management, security policies are often poorly understood by employees, and 72% of companies with poorly understood security policies experienced data breaches due to a mistake by the staff. In fact 75% of security breaches in large organisations over the last year are the fault of staff, and 50% of the worst breaches in the year were caused by inadvertent human error, which is up from 31% in 2014.
Are You Spending Enough on Data Security?
While most senior management are in agreement that data security is a high priority issue, it is still not being sufficiently addressed. Only 39% of large organisations have insurance that would cover them in the event of a breach, and this has fallen from 52% last year, in spite of the costs of breaches more than doubling! The development of a more targeted form of cyber-attack is seeing a move away from large scale denial-of-service attacks in favour of malicious software designed to retrieve passwords or confidential information. This along with an ever-increasing reliance on digital information storage means that companies are more vulnerable to data breaches than ever before, yet less than half of organisations have increased information security spend in the last year. Security and data breaches that involve smartphones and tablets have more than doubled, and businesses need to keep their security policies and practises up-to-date to address this technically evolving threat.
Do Your Stakeholders Know?
21% of organisations have not briefed their board on data security risks in the last year, and 14% have never briefed the board on the risks, in spite of the fact that close to 9 out of 10 organisations are affected by breaches every year.
Making the Business Case for Data Security
If you are trying to argue the case for additional data security spend, the following factors should be taken into account:
- The exponential increase in costs associated with data breaches in recent years
- The security of customer information
- The risk of damage to your organisation’s reputation
- Adoption of new technology and cloud computing services means that existing policies and security systems are becoming obsolete
- The inevitability of a data breach, almost 9 out of 10 organisations have been affected in the last year
- The importance of educating staff and issues caused by avoidable human error or poorly understood security policies
- A business expanding, or even just staying in business, will mean an increase in magnitude of company records, which is directly related to the cost of a data breach