Australian organizations experience costly data breaches: the average organizational cost of a data breach, including activities intended to prevent a loss of customer or consumer trust, is AUS$1.97 million, and the average cost per compromised record is AUS$123.
The most expensive data breach cost one organization surveyed more than AUS$4 million to resolve, according to a data breach report by the Ponemon Institute, the first of its kind to quantify the costs associated with both public and private sector data breaches in Australia.
The research analyzed the actual data breach experiences of 16 Australian companies from nine different industry sectors, taking into account a wide range of business costs, including expensive outlays for detection, escalation, notification and after-the-fact responses. It also analyzed the economic impact of lost or diminished customer trust and confidence, as measured by customer turnover (churn) rates.
The two most significant components of the cost for Australian organizations are lost business, and detection and escalation of incidents. The least significant is notification, largely because Australian organizations are not required to notify victims when a data breach occurs – unlike their US and UK counterparts, which have data breach notification laws.
Malicious attacks and botnets
Malicious attacks and botnets are the primary drivers of data breaches in Australia, and cost substantially more than those caused by human negligence or IT system glitches. Of all cases in this year’s study, 44% involved a malicious or criminal attack that resulted in the loss or theft of personal information. The cost per compromised record for these attacks averaged AUS$156, while breaches from negligence and systems glitches had an average per-record cost of AUS$94 and AUS$99 (40% and 37% less) respectively.
Breaches of data outsourced to third parties are common and costly
Data breaches involving data outsourced to third parties, especially when the third party is offshore, are common and costly. Thirty-one percent of all cases in this year’s study involved third-party mistakes or flubs. The cost per compromised record for data breaches involving third parties was AUS$152, versus AUS$109 if the breach did not involve a third party: AUS$43 (39%) more. (This could be due to additional investigation and consulting fees, or additional forensics investigation and consulting fees.)
Finance, media and communications have highest customer turnover
Industries with the highest customer turnover (churn rate) were financial, media and communications (7%), which also had the highest average costs per compromised record (AUS$177, AUS$182 and AUS$141 respectively). The industries with the lowest abnormal churn rates were retail and transportation (2%), followed by the public sector (1%), which had the lowest average costs per compromised record (AUS$73, AUS$72 and AUS$107 respectively).
Other key findings of this year’s report show that 31% of all cases involved a systems glitch or lost or stolen laptop computers or other mobile data-bearing devices, 25% of all data breach cases involved employee negligence, and 56% of organizations surveyed with a better security posture had lower data breach costs than their less-prepared peers.