Data breaches impacting UK organisations in the past year cost them up to £2.99 million on average, be it in legal costs, technical costs, regulatory costs or costs incurred due to loss of brand equity, customers, and employee productivity.
A new study from IBM Security has revealed that the cost of data breaches is rising steadily across the world, with organisations based in the United States incurring the highest losses (£6.6 million on average per data breach) and those in the UK suffering losses of up to £2.99 million for every data breach incident.
The average cost of data breaches in the UK rose by almost 10 percent compared to 2018 even though the average size of such breaches increased by only 3.6 percent. The per capita cost per lost or stolen record in the UK now stands at £119.
The financial impact of data breaches can last up to three years
Globally, the average cost of data breaches is $3.92 million (£3.14 million) per incident and according to the IBM report, organisations continue to suffer financial losses even two to three years after an incident has occurred. Only 67 percent of losses are incurred in the first year after a breach, with organisations accruing 22 percent of losses in the second year, and 11 percent in the third year.
Organisations in highly-regulated environments such as healthcare, financial services, energy and pharmaceuticals sectors incur higher longtail losses in the second and third year compared to other organisations. On average, healthcare organisations also suffer the highest financial losses per incident of data breach, losing nearly $6.5 million (£5.2 million) per incident on average.
“Cybercrime represents big money for cyber criminals, and unfortunately that equates to significant losses for businesses. With organisations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services.
The report also revealed that data breaches in the past year impacted small and medium businesses the most in terms of financial costs. Organisations employing 500 or fewer people suffered losses of more than £2 million on average and since these organisations earn $50 million or less in annual revenue, these losses can potentially cripple them or force them to shut shop.
Malicious cyber attacks the root cause of 51% of breaches
What’s worrying for organisations is that more than half of all data breaches occur as a result of malicious cyber attacks, with such attacks also causing more damage compared to accidental data exposure or human error. IBM Security found that not only did the percentage of breaches caused by malicious cyber attacks rise from 42% to 51%, but such attacks also cost organisations $4.45 million on average, over $1 million more than breaches occurring due to data exposure, software glitches, or human error.
A recent survey carried out by CyberArk also revealed that 43 percent of UK organisations are certain that cyber criminals can infiltrate their networks each time they try, and that less than half of organisations have a privileged access security strategy in place for DevOps, IoT, RPA and other technologies.
The lack of privileged access management and a lack of security strategies governing DevOps and IoT infrastructure could make it easier for cyber criminals to exploit legitimate privileged access to move laterally across a network to conduct reconnaissance and progress their mission, CyberArk noted.
Misconfiguration of cloud servers also contributed heavily towards the rise in the number of data breaches globally, accounting for 43% of all breaches, significantly more than software glitches or human error.
However, the study noted that organisations that have incident response plans in place incur lower financial costs and take fewer days to contain breaches. While organisations take 206 days on average to identify a breach and another 73 days to contain it, those with incident response plans can identify and contain a breach in less than 200 days and also spend $1.2 million less in breach mitigation.