SA: Data breach costs skyrocket during pandemic – IBM report

According to an IBM Security study, data breaches in South Africa now cost businesses R46 million on average. This is the highest cost in the six-year history of the study.

Based on in-depth analysis of real-world data breaches experienced by organisations in South Africa, the Cost of a Data Breach Report suggests that security incidents became more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 15% for South African compared to the prior year.

Businesses were forced to quickly adapt their technology approaches last year, with many companies encouraging or requiring employees to work from home, and 60% of organizations moving further into cloud-based activities during the pandemic.

IBM says the new findings suggest that security may have lagged behind these rapid IT changes, hindering organisations’ ability to respond to data breaches.

The 2021 report revealed that the average time to detect and contain a data breach was at its highest in six years for organisations in South Africa – taking 237 days (184 to detect, 53 to contain).

Companies who contained a breach in under 200 days were revealed to save almost R7 million – while it cost organisations R2300 per lost or stolen record on average. The study found that data breaches in the financial, industrial and services industries were most expensive by industry – costing R1548 per record.

Sheldon Hand, Data, AI, Automation and Security Business Unit Leader for IBM Southern Africa said: “Organisations in South Africa are faced with a growing remote workforce which results in sensitive data moving across less controlled environments making it more vulnerable to a data breach. This increases the need to safeguard sensitive data at rest and in transit.”

Hand advised “Organisations need to double down on protecting their most valuable data – whether its customer, employee and company information – and ensure they have advanced security processes, like automation and formal incident response teams, in place.”

The annual report, conducted by Ponemon Institute and sponsored and analysed by IBM Security, identified the following trends amongst South African organisations studied:

• Remote work impact: With society leaning more heavily on digital interactions during the pandemic, companies embraced remote work and cloud as they shifted to accommodate this increasingly online world. The report found that the rapid shift to remote operations during the pandemic increased the average time to detect and contain data breaches. On average it took 214 days to identify data breaches and 52 days to contain it in organisations with more than 50% remote work adoption.
• Compromised credentials led to compromised data: Compromised business emails were the most common method of attack of breaches in the study – costing organisations over R71 million on average. Malicious insider attacks, social engineering and vulnerabilities in third-party software were also identified as the primary initial attack method for data breaches, with all three costing above R50 million on average.
• Modern approaches reduced costs: The adoption of AI, encryption, Incident Response testing and cyber resilience were the top mitigating factors shown to reduce the cost of a breach, saving companies between R2.7 million and R3.3 million compared to those who did not have significant usage of these tools.

Businesses That Modernised Had Lower Breach Costs

The report noted that while certain IT shifts during the pandemic increased data breach costs, organizations who said they did not implement any digital transformation projects in order to modernise their business operations during the pandemic actually incurred higher data breach costs. The cost of a breach was R10 million higher than average at organisations that had not undergone any digital transformation due to COVID-19 in comparison to those at a mature stage.

Companies studied that adopted a zero trust security approach were better positioned to deal with data breaches. South African organisations with a mature zero trust strategy had an average data breach cost of R29 million – which was R25 million lower than those who had not deployed this approach at all.

Investments in incident response teams and plans also reduced data breach costs amongst those studied. Companies with an incident response team that also tested their incident response plan managed to save R3million in the case of a data breach, while those that had put an incident response team in place, cut the average cost by R2.7 million.

A copy of the 2021 Cost of a Data Breach Report can be downloaded HERE