Companies should calculate the costs of data breaches

Published Wed, Sep 12, 2018 · 09:50 PM

CREATING a secure and resilient cyberspace is becoming a more complex and costly challenge, with a growing need to protect our systems and data against criminal attacks that are becoming increasingly sophisticated. The annual global cost of cybercrime is now US$600 billion or 0.8 per cent of global GDP. Data is the "new currency" and so long as it remains easier to steal than money, the cybercriminal will continue to profit. An increase in data protection and cybersecurity regulation does not yet appear to be taking full effect, with organisations now suffering more, and larger, breaches. Costs of data breaches rose last year by 6.4 per cent, indicating that many organisations are still not doing enough to protect their data.

In Asia, we are aware of the impact of the mega breaches (losses of more than one million records). In March 2016, the Philippines experienced the COMELEC hack affecting 20 million citizens. In July 2018 in Singapore, the SingHealth breach was the nation's largest with 1.5 million patient records compromised. In China, Huazhu Hotel Group is investigating a data breach potentially affecting millions of its customers.

The cost of data breaches is rising: the average cost of a data breach is now US$3.86 million, and the cost of a single lost data record is US$148. Breached organisations with fully automated cybersecurity systems experienced lower average breach costs (US$2.88 million), while those without experienced costs of US$4.43 million (sounds like a convincing argument for that investment). The time taken to identify, investigate and contain breaches also has an impact. Companies containing breaches within 30 days saved an average of US$1 million in total costs. Those with incident response plans saved US$14 per compromised record. With the average time to identify a breach at 197 days (and a further 69 days to contain it), it is clear that attackers are motivated not only to gain access to systems but to stay for long periods and harvest data for increased financial gain.

What about share price? Estimates suggest an average drop (post-breach) of 5 per cent, with a medium-term loss of 1.4 to 1.7 percentage points. While most stocks recover over time, organisations with clear security strategies, policies and incident response plans do better.

Copyright SPH Media. All rights reserved.