Cost of Data breach in Australia

December 17, 2014

Australia lacks mandatory data breach notification legislation for breaches under the Privacy Act. By comparison, most American states have such legislation, and there is a serious effort to introduce it at the federal level, if for no other reason than to impose some uniformity on notification requirements. It is good public policy to have such legislation. Individuals are entitled to know if their personal information has been compromised.

Without mandatory reporting there is little understanding of the extent to which data breaches affect Australian businesses and the individuals whose information is held. The Privacy Commissioner does not add to the debate. The Ponemon Institute has attempted to assess that loss in a report titled Ponemon Institute Report: 2014 Cost of Data Breach Study: Australia. Given the small sample size and the study's reliance on interviews, care should be taken when reviewing the findings. If anything, the study serves as a baseline minimum. If overseas experience, with more rigorous analysis, a bigger data pool and mandatory reporting, is any guide, the likelihood is that the cost of data breaches is much higher than the study states.

Some of the findings, based on interviews and analysis of costs incurred by 22 Australian companies in 11 industry sectors, are:

  • the average cost per lost or stolen record (the per capita cost) increased from $141 in 2013 to $145 in 2014
  • the average total cost of a data breach to a company increased from $2.72 million in 2013 to $2.80 million in 2014
  • the number of breached records per incident this year ranged from approximately 5,600 records to 57,000 records
  • the cause of a data breach was a malicious or criminal attack in 46% of cases
  • 27% of breaches involved negligent employees or contractors
  • 27% of breaches were due to IT and business process failures
  • the cost associated with business losses due to data breaches increased from $0.76 million in 2013 to $0.85 million in 2014
  • the costs associated with post-breach response increased from approximately $0.81 million in 2013 to $0.82 million in 2014
  • the probability of a material data breach involving a minimum of 10,000 records is nearly 18%

A related Ponemon study, on the annual cost of cyber attacks to 30 large Australian organisations, was reported on in the Fairfax press in Counting the real cost of cyber attacks, which provides:

Cyber attacks are costing large Australian enterprises an average of $8.3 million a year, but the real costs could be much higher.

In a study sponsored by HP Enterprise Security, the US-based Ponemon Institute questioned 30 large Australian organisations on their experience with cyber attacks over a four-week period and extrapolated its findings to a full year. It found that each organisation was the victim, on average, of 1.6 successful attacks every week.

Ponemon calculated the average annual cost for organisations across all industry sectors at $4.3 million. Companies in the energy and utilities sector had the highest average cost at $8.3 million, while the retail sector had the lowest, at $1.4 million annually.

The study found business disruption was the largest component of the external cost of breaches, at 40 per cent of the total, followed by information loss at 29 per cent, and revenue loss at 25 per cent.

“Internally, cybercrime detection and recovery activities account for 53 per cent of total internal activity cost … followed by containment and investigation (20 per cent and 14 per cent, respectively),” the report said.

However James Turner, a security analyst with IBRS, questioned whether such cost estimates reflect the true external or internal cost, particularly the human cost – the impact on staff.

“It really does depend on how far you want to measure, and whether you are measuring the right things. Does the cost of responding to a breach factor in the lost opportunity cost of what else you could have been doing?” he said.

“I have yet to see a survey that factors in the psychological impact on the people within the organisation who are dealing with breaches. I think this is something everyone is going to become increasingly aware of.”

Mr Turner predicted that organisations could face compensation claims.

“These people are victims of crime. There will come a point when they’re going to say they have been traumatised, and that will create additional costs. I’ve spoken to people who were involved in a very significant attack and they said it had a very big impact on a couple of the team.”

Ponemon found that, on average, it took 23 days for an organisation to resolve a cyber attack, and Mr Turner said this would be a period of great stress for the personnel involved. “Security people are going to be working extra hours, and this is not the sort of problem that they will leave at the door when they go home.”

In addition, he said it was important to undertake thorough forensic investigations to understand how the attack had been made and to ensure that the attacker had not left any backdoors for later use, but security personnel were often pressured to skip these.

“Forensics takes a long time and a lot of effort. You have to take systems offline. Unless there is any chance of prosecuting someone and getting money back most businesses will say: ‘I don’t care about the forensics, just get everything up and running’.”

Shane Bellos, general manager, Enterprise Security Products with HP South Pacific, said the study showed most organisations did not optimally spend their security budget, allocating the bulk to perimeter protection such as firewall and intrusion detection devices and too little to security intelligence technologies.

The study found that companies using security intelligence systems were able to deal with attacks more inexpensively than those that did not.

“Better network protection is not where people should be spending their limited security budgets,” Mr Bellos said.

“I would urge chief information officers, chief security officers and board members to read this report and ask the right questions: ‘Are we driving the right security strategy? Are we building the right security posture for our organisation?’”
