Many UK firms underestimate cost of data breaches, study finds

Many UK organisations are still failing to understand the implications and costs of data breaches, a study has revealed

Many UK organisations are still failing to understand the implications of data breaches and estimate the costs of recovery accurately, a study has revealed.

Of the UK companies that have not yet suffered a breach, 58% told the Ponemon Institute that they believed brand reputation would be untarnished by a breach and 70% did not think the cost of customer acquisition would increase.

Yet the 54% of the more than 500 respondents whose organisations had experienced at least one data breach in the past year and the 19% that reported four or more breaches, told a different story.

Nearly half of those that suffered a breach said that it damaged their reputation, close to a third were forced to downsize due to a loss of customers, and, on average, the cost of customer acquisition rose by £91,985 after a breach.

“Despite growing awareness of cyber crime in general, it seems that organisations are still oblivious to the full financial and reputational costs that data breaches can bring,” said Dmitry Shesterin, vice-president of product management at security firm Faronics, which commissioned the study.

“As these results indicate, there is a serious discrepancy between what organisations perceive to be the real repercussions of failed security and what they actually are," said Dmitry Shesterin. 

"While it’s no secret that organisations are becoming more concerned about the possibility of a data breach, it seems they are actually not as prepared as they should be,” he added.

According to Shesterin, the fact that some organisations reported multiple data breaches in the past year, indicated that they are either failing to learn from past mistakes or they are simply not taking the necessary steps to protect the data that they have been entrusted with.

Read more about data breaches

  • Arrogant firms hoodwink customers on data breaches
  • How to survive a data breach
  • UK data breaches up tenfold since 2007
  • Businesses to face tougher penalties for data breaches
  • 2012 Information Security Breaches Survey

The study also found that organisations are underestimating the long-term financial costs and time it takes to recover from a breach by up to a half. Those that have not suffered a data breach estimate the cost of just under £95,000 and a recovery period of four months.

However, the research found that, on average, data breaches are costing businesses £138,700 and taking over twice as long (9.3 months) to get back to normal.

Shesterin said there was no room for nonchalance. 

“Organisations need to know exactly what is at stake in order to readdress existing security practices and ensure they are as well protected as they can be,” he said.

The survey found that nearly two-thirds of respondents consider bring-your-own-device (BYOD) to be the most serious threat to security, followed by a lack of data protection across devices (56%), insecure third parties and cloud providers (53%) and the proliferation of unstructured data (44%).

However, only 8% felt it was “very likely” that their organisations would be affected by cyber espionage and just 17% saw advanced persistent threats (APTs) as a potential danger.

“With today’s complex security landscape, any organisation is a potential target,” said Shesterin. “You only need to take a look at the high-profile security incidents, such as those at HSBC, LinkedIn and Yahoo to realise that no one is safe.”

As well as raising awareness of cyber criminal tactics, organisations must consider a more comprehensive approach to security.

“They cannot afford to rely solely on traditional perimeter solutions, such as anti-virus, as today’s threats are just too sophisticated," said Shesterin. 

"Instead, organisations must consider a layered security approach involving application control and system restore methods, which offers a safety net should any malware make its way onto the network,” he said.

Read more on Privacy and data protection

Data Center
Data Management