Organisations in the UK lost an average of £2.77 million to data breaches this year, slightly lower than the global average but much lower than the average amount lost by organisations based in the United States or Canada.
A comprehensive report on the cost of data breaches to organisations worldwide, commissioned by IBM and carried out by the Ponemon Institute, has revealed that organisations in the UK reported an average of 22,800 data breaches, higher than the 19,442 breaches reported by organisations based in Australia but lower than the global average of 24,615 breaches per country.
Even though UK firms fared comparatively better than those in the United States in the number of breaches suffered in the past year, they suffered a greater than expected loss of customers in the aftermath of a breach, saw a rise in the size of data breaches, and also saw a rise in the average cost of breaches. This happened while countries such as Brazil and Japan succeeded in reducing both the loss of customers and the average total cost of breaches.
Healthcare & finance sectors the hardest-hit
A sector-wise look at data breaches that took place in the past year revealed that the healthcare, finance, services and pharmaceutical sectors were the hardest hit worldwide. While the health sector suffered an average per capita cost of $408 per breach, financial services lost $206 and firms in the service sector lost $181 per breach.
In contrast, public sector organisations and those in the research, retail and hospitality sectors suffered a much lower per capita cost from data breaches, averaging between $75 and $120.
The research revealed that while 48 percent of data breach incidents that took place worldwide involved a malicious or criminal attack, 27 percent were due to negligent employees or contractors (human factor) and 25 percent involved system glitches, including both IT and business process failures.
In the UK, while 50 percent of breaches involved a malicious or criminal attack, 26 percent were due to negligent employees or contractors and 24 percent involved system glitches, including both IT and business process failures. In terms of per capita cost, UK organisations suffered up to $179 per breach that involved a malicious or criminal attack and $127 per breach that was due to negligent employees or contractors.
Why data breaches occur, and why they sometimes don't
Globally, third-party involvement was the biggest factor behind data breaches, followed by extensive cloud migration, compliance failures, and extensive use of mobile platforms. On the other hand, organisations that made optimal use of incident response teams, made extensive use of encryption and invested the most in employee training and participation in threat sharing suffered the least in terms of cost.
For instance, an incident response (IR) team reduced the cost by as much as $14 per compromised record and the extensive use of encryption reduced cost by $13 per capita. Other factors that helped reduce the cost of data breaches to organisations included extensive use of DLP, use of AI platforms, board-level involvement, the presence of in-house CISOs, insurance protection, and the use of security analytics.
On the other hand, some factors that led to the rise in data breach incidents included extensive use of IoT devices, theft or loss of company-owned devices, the use of consultants, and the rush to notify.
Healthcare firms suffered the highest churn rate
While organisations across almost all sectors lost customers in the aftermath of data breaches, certain sectors such as healthcare, finance, pharmaceutical, and service sectors suffered a greater loss of customers compared to those in the public sector, media, entertainment, and research.
"Companies in certain industries are more vulnerable to churn when customers can easily take their business to another competitor. Customers also have high expectations for the protection of their data in highly regulated industries, such as healthcare and financial services.
"When these organizations have a data breach, customers’ trust will decline and they will try to find a substitute. In contrast, the public sector, which has the lowest churn, has no competitor and customers have no other options," the research noted.
Commenting on the rising costs suffered by organisations globally due to a surge in data breaches, Tim Helming, director of product management at DomainTools, said that the cost of breaches has skyrocketed in recent years due to a commercialization of the cybercrime industry, with attack kits available to purchase for non-technical actors to ply their trade.
"Legislative changes such as GDPR will also make the administrative costs of a breach soar even further in the next five years, without even considering the implications of reputational costs. I’m slightly doubtful that human error accounts for so little of the breach activity; failing to have a proper culture of cybersecurity awareness at an organisation is implicated in phishing, which is one of the leading vectors of breaches. The ultimate responsibility for this lies with humans," he added.