Costs of data breaches in SA up by 50%
The latest IBM Security Cost of a Data Breach Report indicates that the global average cost of a data breach has risen to $4.24 million in 2021, a 10% increase overall and the largest percentage increase in the 17-year history of the report.
This is according to Camille Singleton, strategic cyber threat lead at IBM Security X-Force, who was speaking during a webinar hosted by IBM in collaboration with ITWeb.
Singleton revealed that in South Africa, the average cost was $3.21 million – the highest in the southern hemisphere.
“The average cost of a data breach in South Africa has grown a massive 50% between 2020 and 2021 – the second-highest growth rate worldwide after Latin America, which has seen a growth rate of 52.4%. The cost of a data breach is increasing rapidly in South Africa and has the potential to catch up to some of those northern hemisphere countries in future years,” she said.
Singleton said the reasons for this could include remote work and the time it takes organisations to respond to breaches.
“We know a larger percentage of employees working remotely is generally associated with a higher data breach cost: in organisations with 80 – 100% remote workforces, the average data breach cost is the highest, at $5.54 million,” she said. “A second factor pushing up the cost of the breach is the amount of time it takes to detect and respond to a breach. If the attack lifecycle is longer than 200 days, the average cost of a breach is $4.87 million, compared with $3.61 million when the attack lifecycle is under 200 days. The concerning part about this trend is that the average time to identify and contain a breach has been growing yearly and is consistently longer than the 200-day lifecycle.”
Singleton said this year’s Cost of a Data Breach Report, conducted by Ponemon Institute and sponsored and analysed by IBM Security, also delved into correlations between the initial attack vector and the cost of a data breach.
Average costs when the initial attack vector was a business email compromise were $5.01 million, followed by phishing ($4.65 million), malicious insider ($4.61 million), social engineering ($4.47 million) and compromised credentials ($4.37 million).
“Even though the percentage of attacks using business email compromise is relatively low at 4%, at X-Force we have seen a rise in this attack type throughout 2021. Compromised credentials are associated with 20% of attacks and cause average costs of $4.37 million per breach,” she said.
“Our research and experts suggest that one key measure could probably decrease attackers’ success rate for both business email compromise and compromised credentials and that is effective implementation of multi-factor authentication as part of a zero trust model. We have observed that when threat actors encounter multi-factor authentication, it simply acts as a brick wall for them. It’s not even worth their time to try to circumvent,” Singleton said.
In addition, having an incident response team and an incident response plan that is tested and practiced can assist in bringing down the cost of a data breach. “It’s not a matter of if but when an attack is going to happen. For organisations that had both an incident response team and tested incident response plan, the average cost of a data breach was $3.25 million in 2021, compared with $5.71 million for organisations that had neither,” she said.
Security automation is another key factor that can help to bring down the costs of a data breach, Singleton said. “Organisations that had fully deployed security automation technologies such as SOAR and SIEM incurred average breach costs of $2.90 million, compared with $6.71 million among organisations that had not deployed security automation. The cost of not having any form of security automation is getting higher every year.”
Zero trust
Also speaking at the IBM Zero Trust Forum, Mukhtar Khan, information risk & protection technical sales at IBM, and Eren Ramdhani, IBM EMEA digital trust sales leader, recommended a zero trust approach to support compliance with the Protection of Personal Information Act (POPIA).
Khan said: “To support compliance, organisations need to make sure the information they have is protected. Many technologies and programmes can help you achieve compliance – including discovery, monitoring who accesses the data and keeping an audit log of these records, protecting the data with encryption and multi factor authentication, and then finally, having a response plan in the event of a breach.”
Ramdhani noted: “Equally important is organisational culture – the users need to understand their responsibilities in supporting compliance. The controls organisations put in place are dependent on the type of risk and threat they are trying to mitigate against. In the past, attacks were mostly ‘passive’ in that data was copied and exfiltrated, but business as usual carried on. In that case adequate controls could be preventative – like identity and access management, application security and data activity monitoring. But in more ‘active’ attacks that may alter data and impede business as usual, organisations need more detection measures. And with the proliferation of ransomware one really has to consider encryption.”
Khan and Ramdhani also recommended deploying data activity monitoring leveraging analytics to identify trends, using multi factor authentication and preparing structured responses to breaches.