IT Security Economics 2020: Part 2
How businesses can minimize the cost of a data breach

 

Introduction

Protecting corporate and personal data has become a necessity for modern businesses. Unfortunately, due to the ever-changing threat landscape, more sophisticated hacking techniques and a growing desire amongst cybercriminals to harvest information for their own benefit, organizations need to be more aware of potential breaches than ever before. The good news for businesses is that, as documented in the first report in this series, the estimated financial impact of a data breach has started to decline. As of this year, on average, a breach costs an enterprise $1.09m and a small to medium-sized business (SMB) $101k, compared to $1.41m and $108k respectively in 2019.

In addition, with the right approach and technologies in place, organizations can adopt plans to further minimize the potential cost of a cyberattack. How enterprises and SMBs manage the aftermath of a breach goes a long way to determining the true, long-term cost. For example, being proactive and transparent, as well as quick to react, can help to reduce monetary losses.

This is just one of the many findings documented in this part of the IT Security Economics 2020 report. The sections that follow will analyse new survey findings that reveal how businesses can minimize the costs of a data breach and the ways others can learn from this. Quite often, different actions, or sometimes inaction, can make data breaches much more expensive than they otherwise could have been. This report explains why that is the case.

Methodology

The Kaspersky Global Corporate IT Security Risks Survey (ITSRS) interviewed a total of 5,266 IT business decision-makers across 31 countries in June 2020. Respondents were asked about the state of IT security within their organizations, the types of threats they face and the costs they have to deal with when recovering from attacks.

Throughout the report, businesses are referred to as either SMBs (small and medium sized businesses with 50 to 999 employees), or enterprises (businesses with over 1,000 employees). Not all survey results are included in this report.

Please note that while every effort has been made to make the results comparable year-on-year, the research has undergone some revisions in 2020 meaning that not all results are directly comparable. The target audience has remained the same, but screening questions have been revised to more reliably identify people with the most relevant experience and insights. This has significantly increased the proportion of respondents in IT and IT security specialist roles from 33% in 2019 to 62% in 2020.

In addition, while the scope of the study has remained global, fewer countries were included in 2019 (most notably China was absent). The 2020 research features a broader country base (as per 2018 and 2017), and also adds Poland and Kazakhstan to the list.

Key findings

The survey revealed several factors that can help businesses reduce the cost of data breaches:

  • Quick detection: Financial losses were 32% lower in enterprises that could detect a breach almost instantly, compared to those that did so in a week or longer
    • SMBs also benefit from earlier breach detection, with losses on average being 17% lower
  • Proactive disclosure: On average, enterprises that voluntarily inform their audiences about a breach suffer less financial damage (28%) than in situations where customers and other stakeholders see the news via media leaks
    • SMBs see an even greater impact when proactively disclosing their breaches (40%)
  • Timely updates: The cost of a data breach rises by 47% to an estimated $1.225m in enterprises that still deploy outdated technology, compared to $836k where all software and hardware are up-to-date
    • The cost also rises by 54% in SMBs, from $74k in companies with no outdated hardware or software to $114k where technology has not been updated
  • Data collection: Enterprises that collect customer data lose 62% more ($1.3m) than peers who don’t ($807k)
    • SMBs that collect customer data, on average, lose 37% more ($117k) than counterparts that do not ($85k)

Letting the cat out of the bag

Organizations that suffer a data breach cannot be complacent with how they manage the aftermath. As is the case with many corporate problems, there are both financial and reputational damages to consider. There is not only potential for the cyber-attackers to use the information they have stolen for their own gain, but also the possibility that customers will lose trust in the targeted company and decide to take their business elsewhere.

Effective detection

Being able to quickly detect a breach is essential to keeping the situation under control. As revealed in the IT Security Economics 2020 executive summary, the number of organizations that can almost instantly identify a breach is on the rise. The time taken to detect a breach has financial implications, with faster detection rates decreasing the costs.

When data breaches were discovered and how much they cost amongst SMBs and enterprises

When data breaches were discovered and how much they cost amongst SMBs and enterprises

When equating costs with the importance of discovery, this comparison becomes all the more significant. For SMBs, the cost of a data breach when instantly discovered is $98k, a figure which rises $20k to $118k if it takes longer than a week to discover. Similarly, for enterprises, the average cost of a data breach rises by more than $400k depending on whether a breach is discovered almost instantly or beyond seven days.

Transparent disclosure

Identifying a breach early gives businesses a much better chance of avoiding public disclosure. As shown in the chart below, 29% of SMBs that take over a week to discover a breach will see it exposed in the press, compared to nearly half of that (15%) if the breach is detected almost immediately. It is a similar case for enterprises, with these figures standing at 32% and 19% respectively. The pressure on speed when it comes to data breach discovery and reaction, therefore impacts both costs and reputational damage caused by public disclosure.

When data breaches were discovered and disclosed amongst SMBs and enterprises

When data breaches were discovered and disclosed amongst SMBs and enterprises

Nearly half (46%) of businesses that have experienced a data breach went on to proactively, and voluntarily, disclose the incident, whilst around a quarter (24%) had their leak exposed to the media. Meanwhile, three-in-ten (30%) of organizations that had experienced a breach did not disclose it at all. But when a breach occurs, is it more cost effective to be transparent or keep things under wraps?

The survey responses revealed that the overall cost of a breach often depends on how it is disclosed. On average, the minimum monetary losses experienced by organizations that preferred not to divulge an incident publicly are $72k for SMBs and $578k for enterprises. While it may be tempting to try to quietly resolve any issues without the public knowing, it is much more effective if businesses are proactive about disclosing what has occurred. On average, enterprises that voluntarily inform their audiences about a breach suffer less financial damage (28%) than when that same information is revealed to stakeholders via media leaks. That same impact is even greater among SMBs with 40% less financial damage seen when they proactively disclose their breaches.

Average cost of data breaches amongst SMBs and enterprises

Average cost of data breaches amongst SMBs and enterprises

To reduce the chances of their losses increasing, organizations can take control of the situation and make it publicly known that a breach has happened. This enables them to construct and lead any messages related to the incident and swiftly respond to any negative information that could be in the press.

The main reason given by organizations for proactively disclosing a breach was internal policies and ethics (58%), while 44% did so to mitigate reputational damage. At least a third (37%) of businesses chose to disclose a breach because they had to follow regulatory requirements.

Additionally, organizations that suffered breaches that may affect their customers’ personal information were more likely to proactively admit that a leak had happened. For example, around two-thirds of businesses have disclosed that customer payment data (66%), customer account numbers (65%) and customers’ personally identifiable information (64%) had been leaked publicly. A similar amount (63%) have admitted to suffering leaks affecting customer or user authentication credentials. In comparison, slightly fewer organizations disclosed that corporate intellectual property (58%) and other sensitive corporate data (56%) had been leaked.

The benefit of up-to-date technology

Outdated technology carries cybersecurity risks for businesses, as proven by several successful attacks over the last few years. The infamous WannaCry ransomware attack in 2017 impacted global enterprises such as FedEx and Telefonica, as well as UK hospitals. It led to Microsoft issuing a rare security patch for its previously outdated XP operation system to ensure organizations still running this old OS were protected.

However, making updates can be an afterthought or too costly without the right resources. It takes a large, concerted effort to change a significant amount of software and/or hardware. However, as this year’s survey shows, organizations should prioritize updates and be prepared to invest because doing so could save them money in the long-term.

This year’s survey found that nearly half (47%) of organizations are using a form of outdated technology. In particular, around a third of SMBs (32%) and enterprises (34%) have unpatched operating systems. Nearly a third of both SMBs (31%) and enterprises (32%) also revealed that they still use outdated software.

Businesses with outdated technology are much more likely to have suffered a data breach (65%) than those that keep theirs updated (29%). This number increases to 77% in businesses that have suffered a breach and still have the C-suite using outdated technology.

Surprisingly, the main reason given for not updating technology is employee convenience. As shown in the chart below, nearly half (48%) of organizations reported to some extent that employees refuse to work with new versions. The same number of companies simply cannot upgrade their devices or operating systems because they use legacy software. Meanwhile, a third (34%) say the company’s outdated technology is used by C-level staff and is excluded from their update plan.

Reasons why business still use out-of-date technology

Reasons why business still use out-of-date technology

This has implications when it comes to the overall cost of a breach, as SMBs with outdated technology, on average, lost an additional $40k with total losses estimated at $114k in comparison to those who have updated all their technologies ($74k). Meanwhile, enterprises suffered $425k in additional losses ($1.225m compared to $836k).

Proceed with caution

As the chart below shows, around half of SMBs (48%) and enterprises (52%) collect customer data. What’s more, a fifth of these businesses (18% and 21% respectively) go on to sell this information to third parties.

The amount of businesses that collect customer data

The amount of businesses that collect customer data

Organizations that follow this practice need to be cautious as they are more likely to suffer greater losses following a data breach. For example, SMBs that do not collect customer data, on average, can lose $85k if they suffer a breach but this figure increases to $117k for counterparts that do. What’s more, losses can increase from $807k to $1.3m in enterprises that collect customer data.

Conclusion

As this report shows, reducing the overall impact and financial damage of a data breach is possible by taking proactive action. Acting now ensures organizations are in a stronger position should a breach happen. One of the first things to do is develop a special crisis management plan for cybersecurity incidents and ensure that it integrates participants from key departments, including IT Security, IT, legal, government relations, investor relations, customer support and corporate communications.

Choosing which systems and channels will be used to share information in advance will guarantee that stakeholders will not be left in the dark if hackers gain access to corporate emails or messenger platforms. Additionally, educating non-IT employees who are involved in incident response on IT security basics helps prepare them before a data breach happens. Another thing to consider is specific training for all of the parties involved – including communication specialists and head of IT security – such as Kaspersky Incident Communications.

If corporate communications teams understand a company’s cybersecurity response plan, they can deliver a clear and informative message to target audiences and the media – giving an organization more control of the outcome of a breach.

As discovered in the survey, and shown through recent real-world examples, outdated technology should be addressed as a cybersecurity risk. It may seem costly and some employees may feel frustrated when working with new interfaces, but investment into making the right updates will help businesses save money. With legacy solutions still in place, organizations are more likely to be exposed to suffering financial damages. Both enterprises and SMBs are urged to follow the advice below in order to help them mitigate cyberattacks and potentially reduce costs if they suffer a data breach:

  • Ensure the organization is using the latest version of its chosen operating systems, with auto-update features enabled to ensure the software is always up to date.
  • Adopt endpoint solutions, like Kaspersky Integrated Endpoint Security. It enables vulnerability assessment and patch management, to reduce the risk of vulnerabilities being exploited by cybercriminals. This can automatically eliminate vulnerabilities in infrastructure software, proactively patch them and download essential software updates. It also provides behavior detection and exploit prevention mechanisms that discover and stop suspicious endpoint activity.

However, if updating to the latest technology or software is not possible then organizations are advised to:

  • Take this attack vector into account in their threat model and address it through smart separation of vulnerable nodes from the rest of the network, along with other measures.
  • For critical IT or operation technology systems, it is important to always be protected regardless of any available software updates. This means they should only enable activity that is predetermined by the purpose of the systems. KasperskyOS supports this concept of cyber-immunity and can be used to build IT systems that are secure by design.

To find out more about the financial impact of cybersecurity and data breaches in modern business, along with the latest IT Security Economics reports, follow #securityeconomics on social media.