A recent report released by Kaspersky Lab shows that regardless of company size, data breach costs have risen significantly over the past two years, with the average enterprise data breach costing over $1 million.
The report, “On the Money: Growing IT Security Budgets to Protect Digital Transformation Initiatives”, received 6,614 responses from IT decision-makers in 29 countries.
The average cost of one incident to enterprise-sized businesses, from March 2017 to February 2018, was $1.23 million. That figure is 24% higher than losses from 2016–2017, and 38% higher than losses from 2015–2016. The cost to small and medium-sized businesses (SMBs) was substantially lower, but still significant, at an average of $120,000 per incident, which is an increase of $32,000 from last year.
According to Kaspersky’s research, the primary cost is in emergency improvements to software and infrastructure. For enterprises, the average cost is $193,000 – 150% of last year’s figure. Reputational damages take second place, with an average cost of $180,000, and security awareness training takes third with an average of $137,000. The case is similar for SMBs, for whom the top three costs are emergency improvements, reputational damages, and outsourcing of tasks like forensics to external consultants in the aftermath of a breach. For SMBs there is less difference between these costs, with each one averaging around $15,000.
Japan’s enterprises suffered the most expensive data breaches (averaging $1.7 million), followed by those in North America ($1.6 million), and APAC with China ($1.5 million). For SMBs, North America saw the highest losses, with an average cost of $149,000. For both enterprises and SMBs, Russia lost the least, with an average cost of $246,000 and $74,000 respectively. The sharpest increases in costs from last year’s figures, however, were in Russian SMBs ($74,000, up from $23,000 last year) and Latin American enterprises ($1.1 million, up from $558,000).
The most expensive incidents involved data leaving the premises – incidents affecting IT infrastructure hosted by a third party were among the most expensive threats for both enterprises ($1.09 million) and SMBs ($118,000) to recover from, followed by inappropriate sharing of data via mobile devices, and incidents affecting third-party cloud services. The highest cost for enterprises was from targeted attacks ($1.11 million), which – predictably – was not as big an issue for SMBs, for whom it cost on average $87,000.
The report also found that – likely because of the rising business costs of inadequate security – businesses are giving information security a larger portion of the IT budget and more attention in the boardroom than in previous years. Cybersecurity spending has increased to 26% of the IT budget, from 23% in 2017. Enterprises reported spending an average of $8.9 million on cybersecurity, with SMBs spending an average of $246,000, compared to $201,000 in 2017. The greatest increase was in very small businesses (VSBs) with fewer than 50 employees, whose average security budget is $3,900, more than 150% of last year’s figure of $2,400.
Companies regardless of size reported that they expected to see their IT security budget grow even more over the next three years, on average by around 15%, though there were regional variations – the highest expected growth (19%) is in the Middle East, Turkey and Africa (META) and the lowest rate is in North America (11%). Taking business size into account, the highest growth (22%) is expected to occur in Latin American VSBs, and the least (7%) is expected in Japanese SMBs.
34% of organisations cited the increasing complexity of their IT infrastructure as a driver of investment in cybersecurity, with the same percentage citing the need to improve levels of specialist security expertise. Unexpectedly, fewer organisations cited increased demand from customers, or from shareholders and investors, than in 2017 (a drop from 24% to 20%, and 15% to 14%, respectively).
Again, there were slight regional variations – for example, the increased complexity of IT infrastructure was the top driver in North America, Latin America and Europe, whereas the need to improve levels of specialist security expertise was the top driver in Japan, APAC with China, META and Russia. In the META region, pressure from senior management came in as the second most important driver, which is encouraging given the much-discussed struggle of information security professionals to obtain buy-in and budget from C-level executives.