Evaluating the true costs of a data breach

By Rick Ferguson, Country Manager, ANZ at Absolute

The costs of a data leak or data loss are rapidly accruing, with the total average cost per data breach within Australia now sitting at $AUD2.82 million, according to a 2015 study from IBM and Ponemon Institute. Moreover, the average cost per lost or stolen record has reached $AUD144, while the average number of breached records per incident is just under 20,000.

While the cost of a data breach is rising, so is the number of cases. In the last few months, we’ve seen a number of high-profile hacks and leaks targeting such companies as NSW Trainlink, Gumtree, Cabcharge, Menulog, Sydney University and LinkedIn within Australia and globally.

What these headline-hitting cases highlight is the potentially far-reaching impact of a public data breach. The implications aren’t just financial; they can also affect consumer confidence and trust in an organisation, and when this happens, a company’s bottom line can plummet.

In addition, with the expected introduction of data breach notification laws in Australia in the next few months, businesses will become even more legally accountable to their customers and likely more susceptible to civil litigation.

But do organisations truly understand the risks and consequences of a data breach?

It’s no longer a few negative headlines and a slap on the wrist from regulators. Data breaches - no matter how serious - can have lasting repercussions that seriously affect how a business operates and competes. It is worth noting that the damage isn’t always immediately apparent and it can take months for the real effects of a breach to appear.

The damage of a data breach

While there are countless ways a breach can damage an organisation, there are three key business areas that experience significant repercussions.

1. Financial

While this may seem like one of the most obvious effects of a breach, the actual financial damage goes beyond a loss of revenue or providing compensation to affected customers. Organisations now have to take into account fines that can be issued by regulators.

2. Operational

By digitising, capturing and utilising data, organisations can put in place initiatives to transform business productivity and innovation. However, within an organisation, a breach can result in data paralysis, where employees and customers alike are too scared to embrace data-led initiatives. It can take months, if not years, for a business to get past data security concerns - making space for competitors to move in.

3. Reputational

The reputational impact of a data breach can be one of the hardest areas to measure, yet one of the most serious. For example, the breach of the Canadian infidelity-based dating website Ashley Madison has effectively crippled the business’s reputation and may make it difficult for the company to attract new customers and provide reassurance that their (highly personal) data is secure.

With all of this in mind, it is no surprise that the threat of data breaches is rapidly moving up the corporate agenda. For example, Macquarie University in Sydney, in partnership with Optus Business, recently announced the creation of a cybersecurity hub dedicated to research and consulting. The two will invest $10 million over the next seven years.

Moreover, with so many high-profile cases being leaked to the public, businesses are increasingly realising the need to take the “front foot” by notifying affected individuals as soon as possible. Recent Deloitte research indicates that less than one third of Australian consumers who are notified of a data breach will actually lose trust.

The data challenge

Imposing security measures as a knee-jerk reaction in anticipation of a data breach can open up further vulnerabilities. If staff are too scared to handle their data correctly or don’t know what policies and rules are in place, there’s a greater chance of something actually going wrong.

To tackle the data challenge, organisations need to take a holistic view of how they handle data. Existing processes simply won’t cut it in today’s data-rich environment.

The key to ensuring data security, while avoiding the hasty route, is a three-step approach incorporating data policies, staff training and data protection technology.

Staff need to know what they’re permitted to do with the data, the measures they need to take in order to protect it and that there is a procedure in place that can limit the impact of the breach, should one occur.

Ultimately, a data breach is one of the most serious and increasingly common business threats and it’s only by understanding the full impact of a breach that organisations can safeguard themselves.
