Did Data Breaches increase in 2021?
One of the biggest changes that occurred as a result of the COVID-19 pandemic is the way in which we work. Whilst remote work began as a temporary fix to deal with lockdowns, it is a shift that has been embraced by numerous businesses over the past two years. Such a sudden change, however, was not free of risk. The unpredictability of recent years has seen a focus on survival, with security falling by the wayside. And while we are all distracted by global happenings, hackers have been taking advantage.
Data breaches and the costs associated with them have been on the rise over the past several years, but the average cost per breach jumped from US$3.86 million in 2020 to US$4.24 million in 2021, the highest average total cost seen in the history of IBM’s annual Data Breach report. Remote working is not solely to blame for increased data breaches; however, companies that did not implement any digital transformation changes in the wake of the pandemic had a 16.6% increase in data breach costs compared to the global average. For Australian companies, it is estimated that 30% will fall victim to some sort of data breach, and the consequences can be felt for years. The Australian Cyber Security Centre (ACSC) estimates the cost of cybercrime to Australian businesses and individuals was AU$33 billion in 2021. To protect your business from becoming a part of these statistics, it is crucial to understand how data breaches can affect you and what precautions to take.
What exactly is a data breach?
Data breaches are diverse; they can be targeted, self-spreading or come from an insider; affect individuals or businesses; steal data or demand ransoms. Although certain Australian businesses are mandated by law to notify customers when a breach has occurred, many attacks are kept quiet, meaning their frequency is higher than commonly believed.
What are the different types of data breaches?
- Scams/phishing: Fraudulent emails or websites disguised as a known sender or company.
- Hacking: Unauthorised access gained by an attacker, usually through password discovery.
- Data spill: Unauthorised release of data by accident or as a result of a breach.
- Ransomware: Malicious software (malware) accesses your device and locks files. The criminals responsible then demand payment in order for access to be regained.
- Web shell malware: Malicious code planted on a server that gives an attacker ongoing access to a device or network; a strategy that is becoming more frequent.
The most common category of sensitive data stolen during data breaches is the Personally Identifiable Information (PII) of customers. This data not only contains financial information such as credit card details, but can also be used in future phishing attacks on individuals. The average cost per record is estimated at between US$160 and US$180, meaning costs can add up very quickly for a business that loses thousands of customers’ PII in a single attack. All industries can be affected by data breaches, but those with the highest costs are healthcare, financial services, pharmaceuticals and technology. According to the 2021 IBM report, each of these industries saw a slight decrease in costs associated with data breaches from 2020 to 2021, except for healthcare, which increased by a shocking 29.5%.
What are the costs?
IBM identified the ‘Four Cost Centres’, the categories that contribute most to global data breach costs. In 2021 the costs were: Lost business cost (38%), Detection and escalation (29%), Post-breach response (27%), Notification (6%).
Lost business, the highest cost category for seven consecutive years, includes business disruption and loss of revenue through system downtime (such as delayed surgeries due to ransomware in hospitals), lost customers, acquiring new customers, diminished goodwill and reputation losses.
Detection and escalation costs refer to investigative activities, auditing services, crisis management and communications.
Post-breach response costs are associated with helping clients recover after a breach, such as opening new accounts and communicating with those affected. These also include legal expenditures, and, with compliance standards such as HIPAA and CDR becoming more commonplace, regulatory fines are adding significantly to costs in this category. Businesses with a high level of compliance failures spend on average 51.1% more on data breaches than those with a low level of compliance failures.
Notification costs include communications to those affected and to regulators, determination of regulatory requirements and recruiting the assistance of experts. In Australia, businesses and not-for-profits with an annual turnover of more than $3 million, government agencies, credit reporting bodies and health service providers are required by law to inform customers of data breaches and of how they can protect themselves. It is crucial for businesses to be aware of these responsibilities or they may be subject to further fines.
With lost business being the highest cost associated with breaches, it is no surprise that consequences can be felt years after the initial breach. Reports have found that, for highly regulated industries such as healthcare and financial services, 53% of costs are incurred two to three years after the breach.
Although significantly less than the global average, the average cost of a data breach in Australia still sits at around AU$3.35 million. Approximately 164 cybercrimes are reported each day in Australia and the attacks are growing more organised and sophisticated. One predictive factor of overall costs is the response time: the longer the lifecycle of a data breach, the more it will cost. Whilst a hacker can access an entire database in just a few hours, detecting a breach takes the average Australian organisation over six months! Many organisations never even identify that a breach has occurred, or find out through victory posts on the dark web. IBM reported that breaches contained in over 200 days cost a business US$1.26 million more than those contained in under 200 days. In addition, they found the average data breach lifecycle was a week longer in 2021 compared to the previous year.
How to avoid data breaches?
The way to protect your business against malicious use of advanced and sophisticated technology is by utilising advanced and sophisticated technology in your security systems. IBM found significantly lower overall costs for businesses with mature security postures, utilising zero trust, cloud security, AI and automation. It is estimated that with AI and machine learning, breaches are detected 27% faster. Mature zero trust systems also resulted in savings of US$1.76 million compared to organisations not utilising zero trust. Organisations with mature cloud modernisation contained breaches 77 days faster than other organisations, and those with high levels of compliance significantly reduced costs.
With data breaches on the rise, and modern businesses relying on technology more heavily than ever before, it is reasonable to predict the cost of data breaches in Australia will only increase in 2022. You can avoid becoming a victim and having to pay the price for years to come by modernising your data and meeting industry compliance regulations.
DNX has the solutions and experience you need. Contact us today for a blueprint of your journey towards data security.