A new global study by IBM Security has found that the average cost to a company’s bottom line of a data breach in South Africa has risen to R36.5-million.
The study found that hidden costs in data breaches — such as lost business, negative impact on reputation and employee time spent on recovery — are difficult and expensive to manage.
Data collection for the 2018 Cost of a Data Breach Study, sponsored by IBM Security and conducted by the Ponemon Institute, began in February 2017, and interviews were completed in April 2018. The study found that the average cost of a data breach in South Africa is R36.5-million, up from R32-million in 2017. The average number of breached records found in the 2018 study was 21 090, representing a 6.3% increase in the size of the average breach.
Based on in-depth interviews with 20 companies that experienced a data breach, the study analysed hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.
“While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services.
“The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”
For the past three years, the Ponemon Institute has examined the cost associated with data breaches of less than 100 000 records, finding that the costs have steadily risen over the course of the study.
The study also examined factors which increase or decrease the cost of the breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.
150 days
The average time in South Africa to identify a data breach in the study was 150 days, and the average time to contain a data breach once identified was 40 days.
The three root causes of data breaches were identified as malicious or criminal attack (45%), human error (30%) and system glitches (25%).
On average, malicious or criminal attacks took 163 days to identify and 45 days to contain. Human error breaches took 139 days to identify and 33 days to contain.
Detection and escalation costs also increased, rising from R9.5-million in 2016 to R11.6-million in 2017 and R12.3-million in the 2018 study.
The number of lost or stolen records also impacts the cost of a breach, costing R1 792 per lost or stolen record on average — a 9.4% increase from 2017.
Globally, the study calculated the costs associated with “mega breaches” ranging from one million to 50 million records lost, projecting that these breaches cost companies between US$40-million and $350-million respectively.
In the past five years, the number of mega breaches (breaches of more than a million records) has nearly doubled — from just nine in 2013 to 16 in 2017. — © 2018 NewsCentral Media