Data breaches also take around 200 days to resolve. (Photo by Loic VENANCE / AFP)

Data breaches also take around 200 days to resolve. (Photo by Loic VENANCE / AFP)

Data breaches cost SEA companies US$2.6 million per incident

Data breaches are no joke, as any company that’s had one can attest. 

Lost man-hours, credential and confidential information exposures, and reduced customer confidence & trust will require massive remedial measures, which can quickly bring companies down.

The internet was not designed to prioritize security, especially for businesses. As workforces shift to remote working arrangements, cloud usage has increased. Whilst these are largely positive changes, it doesn’t come without its risks.  

In fact, a global study by IBM identified that these two factors had a significant impact on data breach response

And the remedial costs associated with these data breaches? They’re to the tune of a massive US$4.96 million per incident. 

What are data breaches?

A data breach is defined as an event in which an individual’s name and a medical record and/or a financial record or debit card are potentially put at risk — either in electronic or paper format. 

The IBM research assessed data breach costs based on four factors:

  • Detection and escalation: Activities that enable a company to reasonably detect the breach. 
  • Lost business: Activities that attempt to minimize the loss of customers, business disruption, and revenue losses.
  • Notification: Activities that enable the company to notify data subjects, data protection regulators, and other third parties.
  • Post-breach response: Activities to help victims of a breach communicate with the company and redress activities to victims and regulators.

A report by Check Point Technologies showed that in the Asia Pacific region, there was a 168% increase in cyberattacks between May of 2020 and May 2021 alone — right around the time the world scrambled to shift to remote working. 

The lowdown on the costs of data breaches

According to the IBM paper, data breaches that occurred during cloud migration projects generally cost higher than at other times.

Cloud-based IT architectures with Edge capabilities may be more vulnerable to attacks from hackers, especially since IoT devices, often with low security, are increasingly used.

However, companies that were in the “mature stage” of their cloud modernization strategy were able to more quickly respond. Those that implemented a hybrid instead of a private cloud approach incurred lower overall costs.

Overall, the report made the following conclusions:

  • There is a 10% YOY increase globally in the average cost of a breach
  • Southeast Asia was the only region that did not see increased costs from data breaches (remained at US$2.6 million)
  • Remote work breaches cost companies US$1.07 million more
  • Costs varied widely across industries, with the healthcare industry seeing the highest
  • Compromised business emails costed the highest (US$5.04 million)
  • Data breach lifecycle took an average of 200 days to identify and resolve, costing an average of US$4.87 million

Zero-trust pivotal to mitigating costs of data breaches

The adoption of AI (artificial intelligence), security analytics, and encryption, together with a zero-trust approach, were the top three mitigating factors shown to reduce the cost of a breach.

This saves companies between US$1.25 million and US$1.49 million, compared to those who did not have significant usage of these strategies. 

Industry experts have been recommending a zero-trust approach for cybersecurity for quite some time. 

A zero-trust security architecture assumes that authenticated identities or the network itself may already be compromised — even if they aren’t.

This approach treats every user, device, and interaction as a potential threat. As such, every single connection or condition will be continuously validated to ensure that it is legitimate. 

The findings in this report support industry-wide sentiments on zero-trust:

  • Organizations without zero-trust deployed spent an average of US$5.04 million
  • Organizations with zero-trust deployed spent US$3.28 million (42% difference)
  • The top cost mitigating factor is the use of strong encryption (part of zero-trust)

Worryingly, almost half of respondents have no plans to deploy zero-trust — with only 20% saying they have fully deployed it, and 15% partially deployed. 

Aside from a zero-trust cybersecurity approach, it found that organizations with high levels of security AI and automation saved the most in costs — 56% more, to be exact.

Furthermore, these organizations were able to detect and contain a breach must more quickly than those without. 

How to better augment your cybersecurity strategy

Low consumer awareness of cybersecurity and data privacy means that businesses will have to reconsider their cybersecurity strategies, including assessing their cybersecurity risk profiles. 

“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” shared Chris McCurdy, Vice President and General Manager, IBM Security. 

Nevertheless, modern security tactics such as AI, automation, and zero-trust show great promise in helping to mitigate associated costs in the future.

So just how can companies approach this? IBM suggests these:

  • Invest in security orchestration, automation, and response (SOAR) to improve detection and response times. 
  • Stress-test incident response plan to increase cyber resilience.
  • Adopt a zero-trust security model to help prevent unauthorized access to sensitive data.
  • Use cybersecurity tools that help protect and monitor endpoints and remote employees.
  • Invest in governance, risk management, and compliance programs.  
  • Protect sensitive data in cloud environments through policy and strong encryption.
  • Embrace an open security architecture and minimize the complexity of IT and security environments.

Compounding the issue of low consumer cybersecurity awareness is a critical skills shortage gap in APAC.

While larger enterprises can afford to have multiple layers of cybersecurity protection, small and medium enterprises (SME) may not be so lucky.

However, cybersecurity is still a high-priority area for any digitalized business, small or large.

As such, SMEs can consider outsourcing their cybersecurity with managed security services (MSS), with a focus on employing zero-trust cybersecurity practices.