The financial fallout from a data breach exceeds the cost of implementing cybersecurity measures for organizations storing just 6000 records or more, according to new research from NCC Group seen exclusively by Infosecurity.
The cybersecurity consultancy made its calculations based on SANS Institute figures from its Budgeting Critical Security Controls document — which include the cost of operational security, IT staff and external consultancy fees for a year — plus Ponemon Institute figures which claim average UK breach costs are £120 per record.
The data from the report, The economics of defensive security, would seem to indicate that for firms handling very few records it is theoretically cheaper to ignore security. However, with the amount of data held by organizations rising all the time, the stats more realistically highlight the need for firms of all sizes to prioritize cybersecurity investment, according to NCC Group managing security consultant Nick Dunn.
“This proactivity is intended to minimize impact when events occur by ensuring that tried-and-tested plans and procedures are in place. By implementing resilient security via defense-in-depth, carrying out thorough and regular assessments of both cyber and physical security measures, and also ensuring that logging and monitoring are comprehensive and mature, an organization can ensure that defenses are up to scratch,” he told Infosecurity.
“It is also an imperative to have a comprehensive, tested, cyber-incident response plan in place to minimize the impact of a breach. This is particularly important in light of GDPR coming into force later this month, when disclosure needs to be taken into account as part of the remediation process.”
With the GDPR on the way from May, financial liabilities from breaches may end up being even higher if regulators decide to issue major fines.
The larger the firm, the bigger its breach losses: organizations with a turnover of £5-£9.9m suffered losses on average of £1.5m while for those with revenue of £50m the costs hit £10m, according to NCC Group.
The research also revealed that the likelihood and cost of a data breach varied significantly between sectors: 61% of local government bodies, 10% of central government bodies and 18% of utilities firms reported a breach between Q1 2016 and Q1 2017. However, it was the healthcare sector that faced the highest breach cost per record, at £267 on average.
The government announced a £150m cash injection for the NHS on Monday designed to help improve its cyber-resilience and incident response following major outages resulting from last May’s WannaCry ransomware attacks.