IBM and Ponemon Institute have today released the annual 'Cost of a Data Breach' report, and its Australian results show that the average cost of a data breach is now AU$2.64 million.
The report analysed 26 Australian companies across 11 industries who have been affected by data breaches. These organisations suffered the loss or theft of protected personal data, and who have notified affected victims and regulators.
The $2.64 million average data breach cost, each lost or stolen information record costs $142. Overall, however, the report states there was a 6.6% decrease in the total cost of a data breach, and a 1.4% decrease in the cost of each lost or stolen information record.
The average number of breached records totalled 19,663, but individual company breaches recorded ranged from 4000 to 68,700 records.
Most of these were caused by malicious or criminal cyber attacks, with 46% stating they had experienced an attack, 27% stating breaches involved a negligent employee or contractor, and 27% stating that system glitches were the cause of breaches.
Malicious attacks are also the most costly for organisations, with the report showing that attacks have the highest per capita cost of $162. System glitches account for $126 per capita costs, and employer/contractor negligence account for $123 per capita cost.
The report says that incident response plans, employee training, CISO appointments and business continuity management reduced the average cost of data breaches.
The report also says that extensive use of encryption technologies reduced the cost of data breaches by $13.50, and involvement in threat sharing reduces costs by $8.50.
Although the report can't generalise sample findings with industry trends, the report says that industries with higher churn rates could benefit from customer retention as well as brand preservation. This may significantly reduce the cost of data breaches.
Finally, the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics showed that Australian organisations took more than five months to detect an incident, and another two months to contain it. For MTTIs less than 100 days, the average cost of breach identification totalled $2.05 million. For MTTIs greater than 100 days, this cost dramatically increased to $3.21 million.