19 January 2021

Data Breach Costs More, Attacks More Frequent

It’s no secret that 2020 saw some of the largest organisations in the world scrambling to secure their data. In the wake of the ongoing Sunspot Malware saga that has seen over 33,000 public and private firms worldwide potentially need to overhaul their IT monitoring environments, it’s clear that professional data protection software alone is not enough to ensure that a business is safe from the increasing rate of attacks.

Backing this finding are the latest statistics released by anti-malware group Malwarebytes. According to their data, the full cost of a potential breach may be larger than initially thought. The increased risk that comes with quickly enabling a work-from-home environment on unsecured devices also gives cybercriminals an excellent opportunity to act. Enterprise data from a leading anti-malware firm confirms the need for increased vigilance when protecting sensitive data.

  • Average enterprise cost of a data breach grows to $5.52 million
  • Unsecured WFH environments may increase potential spyware/stalkerware attacks
  • Identity theft from a data breach costs individuals over $10,000 in personal time to resolve

More attacks, more often

Malwarebytes highlight the potential risk of data breaches with the following statistics:

Adware peaked in February, April, and May, with over 18,500 users attacked.

Phishing attacks impersonating government, taxation, and superannuation organisations all increased.

Ransomware attacks on Australian targets increased by 10%.

Spyware attacks grew in 2020 as Australian organisations rushed to enable WFH arrangements, with over 6,200 reported.

Malwarebytes highlight insecure work-from-home arrangements as a critical driver of these attacks, along with the use of unsecured personal devices. Understandably, a dramatic shift in any workplace environment can leave systems exposed. While experts do their best to enforce best practice with remote workers, these statistics highlight the cost of missing the mark.

The average enterprise cost of a data breach

The average cost of a data breach for an enterprise with 25,000 employees is $5.52 million. The cost is lower for organisations employing fewer than 500 staff, coming in at an average of $2.64 million. But while the average cost may be lower overall, dividing that cost by headcount shows that the risk per individual is disproportionately higher for smaller firms.

From this, it’s easy to see how economies of scale can hide the full cost of a data breach for larger businesses. When spread across numerous employees and departments, the responsibility for avoiding a breach can feel easier to shrug off. At the same time, while the overall potential cost of a breach is lower for smaller organisations, the value of best practice at an individual level becomes much higher.

The personal cost of data exposure and identity theft

It’s not just the dollar cost of breaches that should drive individual awareness. Malwarebytes explains that up to 80% of data breaches include the exposure of personally identifiable information held by an organisation. That’s everything from addresses and phone numbers to full names, dates of birth, and other information used to identify an individual online.

Up to 80% of data breaches expose personally identifiable information.

The potential damage that can be caused by having these details freely available online is hard to calculate. It depends on what the cybercriminals do with them. Common uses include obtaining new credit cards, opening mobile phone accounts, and even gaining access to business and personal loans. The potential damage grows with the time that passes between the breach occurring and the point at which the exposed details are no longer usable.

But that’s not the only cost to victims. Author of “Investigating Computer Crime in the 21st Century” Robert Mendell says that the time taken to recover from identity theft has risen from 175 hours to 600. In Australia, the minimum wage is $19.84, making a minimum potential personal cost of $11,904. And that’s an unexpected cost any responsible organisation would want to help their stakeholders avoid.

Taking steps to enforce data protection

Earlier in 2020, the Australian Cyber Security Centre (ACSC) released the Essential 8 Strategies to Mitigate Cyber Security Incidents. While by no means complete, the recommendations go a long way to providing the technical groundwork needed to start managing evolving cyberthreats.

The areas to focus on include:

  • the level of control and restrictions over users’ applications.
  • the power you have over third-party apps and their use.
  • configuring Microsoft Office macro settings to block macros from internet sources.
  • disabling potentially malicious and virus-carrying vehicles in web browsers and Microsoft Office deployments.
  • limiting the number of users with administrative privileges and requiring validation for any privileged access.
  • updating all operating systems and patching vulnerabilities within 48 hours of vulnerability discovery.
  • enforcing multi-factor authentication for all privileged and remote-access users.
  • ensuring essential systems and information are backed up daily and stored securely for at least three months.

You can read more about strengthening your cybersecurity in our article on passing the Cybersecurity Essential 8.

Getting data protection right

The Essential 8 offers a good starting point for Australian businesses looking to protect their staff and stakeholders from online threats. However, the framework concentrates purely on technical controls and doesn’t cover staff awareness, employee training, or incident response. These strategies are essential when planning for the needs of individual business models. If you need help on the journey to avoiding data breaches, First Focus can assist. We offer packaged security suites, holistic cybersecurity strategies with advanced threat protection and detection features, as well as tailored security audits.