Australian companies paid an average of $2.8 million per data breach during 2013, an IBM and Ponemon institute study has found as a growing number of small data breaches reinforce the increased financial risk of poor information-security practices.
The jointly executed 2014 Cost of Data Breach Study: Australia surveyed 22 Australian companies in 11 industry sectors, with more than 170 individuals interviewed over 10 months about past data loss incidents involving an average of 20,073 records each.
Average cost per lost or stolen record increased from $141 in the 2013 report to $145 in 2014, while average total cost of the breaches increased from $2.72 million in last year's survey to $2.8 million over the most recent year.
The cost associated with business losses grew from $760,000 in 2013's survey to $850,000 in this year's, while rates of customer loss from compromised companies increased by 5 percent. Compliance with data breach notification costs an average of $55,000 per year.
Glen Gooding, director of IBM Australia's Institute for Advanced Security, believes the Ponemon research highlights both the increasing financial risk of IT security, and the way increasing collaboration and sharing amongst businesses is fostering growing visibility into security breaches.
“I was happy to see that we are below global averages in terms of the per-capita cost of data breaches,” Gooding told CSO Australia, adding that better collaboration engendered better capabilities for planning and executing on security strategies.
“Being able to be more open in the right scenarios and situations, with the right peers and partners around you, we can start to share and collaborate a bit more about what's going on in our collective organisations. People are becoming more open and comfortable in sharing their breaches and concerns.”
In many cases, the research found that procedural or process deficiencies were to blame for losses. Malicious or criminal attacks were responsible for the breaches in 46 percent of cases during 2013, while 27 percent involved negligent employees or contractors and another 27 percent was due to IT and business process failures.
Breaches due to data theft or abuse were more expensive than other types of compromises, costing $161 per record each compared with $136 for data breaches involving system glitches and $128 per record for breaches involving a negligent employee.
Read more: Network perimeter security still key despite virtualization shift: Watchguard
Data breaches in the financial industry costed an average $225 per record, while industrial breaches costed $188 per record, technology $130, retail $100 and transportation $91 per record.
The use of smartphones and tablets – which are regularly identified as a particular area of weakness in enterprise security defences – increased the cost of breaches significantly. Data breaches involving the loss or theft of data-bearing devices increased the data breach cost by as much as $15 per compromised record, the survey found.
Previous research, such as Symantec's 2013 Norton Report, has similarly found that Australians are ahead of world averages when it comes to the cost of cybercrime.
However, other recent Ponemon Institute research found business executives were still far behind the times when it came to recognising the financial risks posed by information-security breaches. In that survey, 82 percent of respondents said their corporate leaders didn't equate the loss of confidential data with a potential loss of revenue.
Read more: Certified security pros highly valued but under-prioritised: ISACA
Attitudes may be changed over time by a growing body of research refuting that idea, Gooding said, noting that high-level capabilities such as IBM's Security Intelligence initiative and acquisition of financial-security firm Trusteer were helping fill out blackspots in corporate knowledge about security threats.
Equally effective was the high-profile departure of Target CSO Beth Jacob, who fell on her sword after a massive data breach at the retailer last December.
“There's a very senior level person who doesn't have a job anymore,” Gooding said.
“I think that alone will start to wake up a number of the senior, non IT related executives to the fact that IT security is important. It is critical to the reputation of their brand, and if they don't focus on it then they are at much higher risk than probably what they thought they were at.”
Read more: Multi-skilling CSOs keen to share learnings with peers