
The Cost of Cyber Security

Creating a secure and resilient cyberspace is becoming a more complex and costly challenge, with a growing need to protect our systems and data against criminal attacks that are becoming increasingly sophisticated. The annual global cost of cybercrime is now $600 billion, which is 0.8% of global GDP. Data is the ‘new currency’, and so long as it remains easier to steal than money the cybercriminal will continue to profit. An increase in data protection and cyber security regulation does not yet appear to be taking full effect, with organisations now suffering more, and larger, breaches. Costs of data breaches rose last year by 6.4%, indicating that many organisations are still not doing enough to protect their data.

Recent Mega Breaches in Asia

In Asia we are aware of the impact of the mega breach (losses of more than 1 million records): in March 2016 the Philippines experienced the COMELEC hack affecting 20 million citizens. In July 2018, in Singapore, the SingHealth breach was the nation’s largest in history, with 1.5 million patient records compromised. Currently, in China, Huazhu Hotel Group is investigating a data breach potentially affecting millions of customers.

The Rising Cost of Data Breaches (all costs in US$)

The average cost of a data breach is now $3.86m, with the cost of a single lost data record at $148. It is noteworthy that organisations suffering breaches who had fully automated cyber security systems experienced lower average breach costs (at $2.88m), whilst those without experienced costs of $4.43m (sounding like a convincing argument for that investment). Time to identify, investigate and contain breaches also has an impact. Companies containing breaches within 30 days saved an average of $1m in total costs. Those with incident response plans saved $14 per compromised record. With the average time to identify a breach at 197 days (and a further 69 days to contain it), it is clear that attackers are motivated not only to gain access to systems but to stay for long periods and harvest data for increased financial gain. What about share price? Estimates suggest an average drop (post breach) of 5%, with medium-term losses of 1.4 to 1.7 percentage points. Whilst most stock recovers over time, organisations with clear security strategies, policies and incident response plans do better.

What makes up the majority of breach costs?

Breach costs are best calculated using activity-based costing. Detection and Escalation costs include investigative and forensic services, crisis management and communications. Post Breach Response activity includes identity protection services, issue of new accounts or cards, legal expenses, compensation costs, penalties and fines. Notification Costs include emails, letters and outbound calls to affected customers and supervisory authorities. Lost Business costs include business disruption and downtime, with the inevitable loss of customer goodwill plus reputational damage.

The Cost of Securing your Enterprise

So let’s consider what organisations should be spending on cyber security to reduce the risk of data breach impacts. According to research by IBM, the ideal cyber security spend is between 9.8% and 13.7% of IT budget. For certain industries this is likely to exceed 13.7%, and for long term strategic planning (out to 2025) these figures are projected to rise to as high as 30%. It may be prudent to start forecasting increased annual spending (% of IT spend on cyber) by at least 3% annually. Many solutions are available to organisations, covering threat identification, data governance and other protective and detective measures. These should all form part of the overall cyber security strategy. Of note, two critical security components, enhanced identity management (e.g. multi-factor authentication) and data encryption, are regarded as among the most effective countermeasures. Secure email and web browsing, and the security of public facing workstations that are directly connected to back end systems and databases, are also currently very much in focus. Organisations should also consider the use of professional security consulting and managed services if the skills aren’t available in-house. Of course, simply buying technology solutions is not in itself enough; these need to be carefully configured, managed and monitored. Variance in cyber security expenditure depends on several factors, including:

  • The size of your organisation
  • Your industry; financial services, health, hospitality and retail sectors are commonly targeted for data theft. Others such as pharma, tech and manufacturing may be intellectual property theft targets. Critical National Infrastructure (CNI) is prone to disruption and denial of service threats.
  • Your risk appetite; the level of risk your organisation will take to meet business objectives.
  • Your organisation’s cyber security posture; everything your organisation does to manage cyber security risks, including employee training, systems configuration and maintenance, updating software and preparing your cyber incident response plans.
  • Compliance considerations. In South East Asia, national laws and regulations exist for data protection and cyber security including Singapore, Indonesia, Malaysia and the Philippines. There will of course be other industry and sector based financial and regulatory controls that should be considered.

In exploring the cost of cyber security, we see that in reality there is a choice to be made: significantly reducing your risk exposure to these losses by investing in a comprehensive cyber security strategy, or risking paying the price of significant financial and reputational damage by not doing so.


Original article written for British Chamber Singapore's Orient magazine
