CIO

Breach costs down but slow forensics still threaten Australian companies’ regulatory compliance

CSOs should use the risk of customer loss to wrest support and security funding from executives

Figures suggesting the average cost of a data breach is declining reflect a growing culture of responsibility amongst company boards, a senior IBM security executive says, while warning that companies’ stubbornly slow forensic capabilities threaten both regulatory compliance and customer retention.

The 2017 Ponemon Cost of Data Breach Study suggested that the average Australian data breach now costs $139 per lost or stolen record. The decline – from $142 per record a year ago – reflects a “greater level of accountability by boards,” IBM Security Services ANZ business unit executive John Vine Hall told CSO Australia.

“When I would go to customers 2 years ago the usual response from the board was ‘go speak to my IT guys because I don’t know what’s going on there’,” he continued. But with new legislative burdens looming – including the Australian Notifiable Data Breaches (NDB) scheme and the European Union’s General Data Protection Regulation (GDPR) – that had changed markedly.

Such threats were having “a really positive impact” on Australian companies that are taking “a more responsible approach to security and data privacy,” Vine Hall said. “I think all of those things are helping us to move to a more mature approach to the way the market looks at security.”

The Australian figures were lower than global figures that pegged the average cost as having declined from $US158 ($A210) in 2016 to $US141 ($A188) this year. That puts Australia well ahead of the world standard in terms of keeping down the cost of data breaches, as well as in terms of their scope: globally, the average data breach involved 24,000 records – an increase of 1.8 percent since the 2016 survey – while the Australian average was 18,556 records.

Drawing on 12 years of data, the study isolated five common themes correlated with an increase in the cost of a data breach. These were IT security complexity; lawsuits against breached organisations; poor understanding of where confidential data resides; malicious, criminal and third-party data breaches (which comprised nearly half of all analysed breaches); and disruptive technologies such as access to cloud-based applications and data, and the use of mobile devices.

While some of those factors relate to established business practices, others – such as the shift to cloud and access through mobile devices – necessitate new investments in technologies for extending authentication and access-control policies across new environments.

Implementing the right technology is crucial, Vine Hall warned, noting that in the past companies would often “buy a bunch of widgets and play Whack-a-Mole with their security process. That was typically pretty inefficient, and the expectation was that you could buy your way out of a security problem by putting in the latest technology.”

Modern security frameworks were shifting to incorporate GRC (governance, risk management and compliance) programs and incident-response frameworks that facilitate a response involving technical staff, regulators, stakeholders and other parties.

“In the long term,” Vine Hall said, “those are the things that will help us be more responsive.”

Investments in GRC programs were among the five behaviours that Ponemon Institute linked to decreasing the cost of data breaches. The others included investments in enabling technologies – such as security analytics, SIEM, enterprise-wide encryption and threat-intelligence sharing platforms – as well as recruiting and retaining knowledgeable personnel; purchase of cyber and data-breach insurance; and investing in customer trust and loyalty.

This last point is often lost on companies where frontline IT staff are primarily focused on fighting attackers; customers are usually handled in other parts of the business, and their retention is left to units that may not yet see cybersecurity as a real threat.

Customers see the situation quite differently: fully 65 percent of consumers in a recent Ponemon-Centrify study said being the victim of a data breach had caused them to lose trust in the organisation and nearly one-third terminated their relationship with the company.

In addition, that survey found, breaches can boost customer churn by up to 7 percent and drop share prices by 5 percent on average. Those outcomes compound the potential fines for legislative non-compliance – under Australia’s NDB scheme and other mandates – and reflect the ever-tightening link between technology investment and hard business outcomes.

CISOs should use the customer aspect to reinforce their call for more investment in security technology and practices, Vine Hall argues. “The cost to acquire those customers helps us justify the investment in security not in terms of a regulatory requirement but more in terms of a commercial requirement,” he said.

“That’s a really important part of the strategy: to change [CSOs’] mindsets from being the traffic cops of the organisation, to look at how they can position security as part of the business go-to-market – and, therefore, help the organisation in terms of some of the key imperatives of the business.”

Even in organisations with seemingly robust detection and response capabilities, however, Vine Hall pointed out a “quite troubling” finding of the latest research: time to detect (TTD) a data breach is still 175 days on average, while the time to resolution (TTR) is still lingering at 67 days, on average.

Such long lead times are likely to create problems once reporting legislation comes into play. Under Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017, s.26WH gives organisations 30 days to complete an assessment of a suspected eligible data breach, after which affected individuals and the Commissioner must be notified as soon as practicable. Even more worryingly, GDPR – which affects any Australian company with European customers or partners, or that otherwise processes EU residents’ personal data – requires notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible.

Australian organisations have less than a year to close the gap between their response capabilities and their regulatory obligations. Despite the encouraging reduction in breach costs, Vine Hall says the biggest test will be whether companies can invest in new technologies quickly and effectively enough to bring their security processes up to par.

“In general we are probably on the more mature end” of the security spectrum, he said. “But it will be interesting to see the impact of cognitive computing, and the ability of cyber professionals to access new technologies that will help reduce the amount of time and complexity it takes to remediate threats.”

Incident response will be the “crux” of security strategy and customers will ultimately be a measure of its effectiveness, Vine Hall said, with businesses “forced to deal with the customers that they’re potentially impacting with these breaches. By increasing the speed and agility of organisations to respond, they’re also hopefully setting up an environment where they can establish a strong communications strategy that can hopefully reduce churn as well.”