I’d like to start this series by breaking down the latest IBM Data Breach report and translating it into business language for the small to medium-sized firm. I wanted to start with this report to give a realistic picture of the potential cost of doing nothing, but at the same time, in this series, I want to emphasize the need to have a trusted advisor help you find your balance between protection, productivity and cost.
Right now, we are all dealing with information overload, so I’d like to give you a bite-size view for the drive-by reader like you and me:
- Data breaches are happening now
- The IBM Report factors in South Africa and includes the legal services sector
- A data breach in South Africa costs R3,350.00 per record
- Data breaches originate primarily from malicious or criminal actions
- According to the FBI, criminal activity has risen four-fold during the COVID-19 pandemic
- Mitigation starts with your trusted IT and Cloud advisor
Data Breaches Happen – Regularly!
To underline just how current and ongoing data breaches are, this brief note caught my attention today. I found it in Anchor Capital’s “Current Co-ordinates” daily newsletter for June 10, 2020.
The newsletter reported that the South African private hospital network operator, Life Healthcare Group Holdings, announced that it “…has been the victim of targeted criminal attack on its IT systems. The extent to which sensitive data has been compromised is yet to be determined…”
Data breaches happen – regularly!
With that in mind, let’s dissect the IBM data breach report to see the potential cost of such a data breach in the legal sector.
The IBM Report
South Africa was among 16 countries that have been participating in a multi-year study aimed at calculating the cost of a data breach. In all, over 500 companies and 3,000 individuals contributed to the results in the 2019 IBM-sponsored report*. Legal and other professional service businesses were included. About 21 South African businesses have participated in the study over the last 4 years.
While the report focused on medium to large businesses of 500 to more than 25,000 employees, we can’t dismiss the fact that no matter the size of a business, a data breach comes with a cost.
What is a Data Breach?
Definitions vary on the theme of “unauthorized access to information”. It can happen intentionally or by mistake. The costliest breaches typically involve private or confidential information such as credit card numbers or personally identifiable information.
Awareness by the Numbers
Let’s drill down into the report to see the potential cost of a data breach for a small business. At the same time, let’s create awareness around the need for IT and Cloud security but without overstating the challenge to avoid creating fear, uncertainty, and doubt (FUD).
R 73.7 million – While the average cost of a single data breach varies by country, the global average stands at around R 73.7 million per breach (converted at the USD exchange rate at the time of writing).
25,000 records – The size of a breach also varies with the global average being more than 25,000 records.
230 days – Surprisingly, it takes companies an average of 230 days, or about seven and a half months, before they even realize they’ve had a breach.
84 days – After a breach is discovered it can take a further 84 days to contain it and recover services.
3 years – The cost impact carries on for as much as three years with up to 67% of the cost in year one and the remainder of the cost diminishing annually over the next two years.
Those numbers are substantial and perhaps not easily relatable. We want to know what this looks like for the small business. What will a breach cost us in the 5-500 employee category? Let’s add some perspective.
As an IT and Cloud professional who’s practiced for over 25 years, my personal database contains over 2,600 PII records. If there are 10 readers with a similar history, we are looking at more than 25,000 records. This means that 25,000 records are not that much of a stretch and many readers are probably working in a practice that’s been around for more than 10 or 20 years and can easily have 25,000 records all by themselves.
In South Africa – the average data breach size was just over 22,000 records.
Although the global figure for a data breach is around R 73.7 million, the average cost in South Africa was closer to R 57.6 million. Breaking that down further, we see this equates to R 2,910.00 per record. How many records are you responsible for protecting?
Legal and services sector – the average cost per record is about R 3,350.00
In the South African services sector, which includes legal practices, the average cost per record is higher at about R 3,350.00. Can your business afford to write off that much due to a lapse in security?
Where do these breaches originate?
- Malicious or criminal attack (51%),
- System glitches involving both IT and business process failure (25%),
- Negligence on the part of an employee or contractor (24%).
Risk and Mitigation
With our awareness now raised, the question that warrants consideration is this: “Is my business really at risk, and if so, how do I mitigate that?”
The FBI advises that cyber-crime reports have quadrupled since the COVID-19 pandemic began**. Malicious or criminal actors are exploiting the pandemic by using deliberately vague email subject lines, malicious websites, and fraudulent internet domains. These claim to be COVID-19 related charities, delivery companies, lenders, or protective equipment manufacturers.
Due to there being more remote workers than ever before, our businesses (although always at risk) are now even more so.
How do we mitigate the risk of a data breach under these more difficult conditions? It all starts with a trusted advisor or your managed services provider (MSP). The value of the experience they bring to the table cannot be overstated. In the next article, we can discuss what you might ask them and how they need to spell it out for you.
Kelvin’s experience covers more than two decades in IT infrastructure and Cloud. Through the University of Cape Town he is certified in IT Management and has earned over 30 information technology certifications during his career from Microsoft, Mimecast, IBM, ITIL, EMC, Cisco and others. He handles his customers’ big IT and Cloud problems one small solution at a time.
LayerOne Cloud (Pty) Ltd
LayerOne is an IT and Cloud consulting services business built on over 25 years of industry education and practice.
*IBM Study – “2019 Cost of a Data Breach Report”
**Source: Fortinet, a global security services & products company, 24 April “FortiGuard Threat Intelligence Brief”