Cost of Australian IT security incidents rises despite improving information sharing

Australian companies paid an average of $2.8 million per data breach during 2013, an IBM and Ponemon Institute study has found, as a growing number of small data breaches reinforces the increased financial risk of poor information-security practices.

The jointly executed 2014 Cost of Data Breach Study: Australia surveyed 22 Australian companies in 11 industry sectors, with more than 170 individuals interviewed over 10 months about past data loss incidents involving an average of 20,073 records each.

Average cost per lost or stolen record increased from $141 in the 2013 report to $145 in 2014, while average total cost of the breaches increased from $2.72 million in last year's survey to $2.8 million over the most recent year.

The cost associated with business losses grew from $760,000 in 2013's survey to $850,000 in this year's, while rates of customer loss from compromised companies increased by 5 percent. Compliance with data breach notification costs an average of $55,000 per year.

Glen Gooding, director of IBM Australia's Institute for Advanced Security, believes the Ponemon research highlights both the increasing financial risk of IT security, and the way increasing collaboration and sharing amongst businesses is fostering growing visibility into security breaches.

“I was happy to see that we are below global averages in terms of the per-capita cost of data breaches,” Gooding told CSO Australia, adding that better collaboration engendered better capabilities for planning and executing on security strategies.

“Being able to be more open in the right scenarios and situations, with the right peers and partners around you, we can start to share and collaborate a bit more about what's going on in our collective organisations. People are becoming more open and comfortable in sharing their breaches and concerns.”

In many cases, the research found that procedural or process deficiencies were to blame for losses. Malicious or criminal attacks were responsible for the breaches in 46 percent of cases during 2013, while 27 percent involved negligent employees or contractors and another 27 percent were due to IT and business process failures.

Breaches due to data theft or abuse were more expensive than other types of compromises, costing $161 per record, compared with $136 per record for data breaches involving system glitches and $128 per record for breaches involving a negligent employee.

Data breaches in the financial industry cost an average of $225 per record, while industrial breaches cost $188 per record, technology $130, retail $100 and transportation $91 per record.

The use of smartphones and tablets – which are regularly identified as a particular area of weakness in enterprise security defences – increased the cost of breaches significantly. Data breaches involving the loss or theft of data-bearing devices increased the data breach cost by as much as $15 per compromised record, the survey found.

Previous research, such as Symantec's 2013 Norton Report, has similarly found that Australians are ahead of world averages when it comes to the cost of cybercrime.

However, other recent Ponemon Institute research found business executives were still far behind the times when it came to recognising the financial risks posed by information-security breaches. In that survey, 82 percent of respondents said their corporate leaders didn't equate the loss of confidential data with a potential loss of revenue.

Attitudes may be changed over time by a growing body of research refuting that idea, Gooding said, noting that high-level capabilities such as IBM's Security Intelligence initiative and acquisition of financial-security firm Trusteer were helping fill out blackspots in corporate knowledge about security threats.

Equally effective was the high-profile departure of Target CSO Beth Jacob, who fell on her sword after a massive data breach at the retailer last December.

“There's a very senior level person who doesn't have a job anymore,” Gooding said.

“I think that alone will start to wake up a number of the senior, non-IT-related executives to the fact that IT security is important. It is critical to the reputation of their brand, and if they don't focus on it then they are at much higher risk than probably what they thought they were at.”

Stories by David Braue
