Lower average cost of Australian data breaches is not a sign of comfort

The average cost of a data breach to Australian organisations dropped in 2015, according to research

The cost of an Australian enterprise data breach has dropped over the past year – but it is not a signal that the nation is off the cyber security hook.

According to the latest Ponemon Institute survey, commissioned by IBM, there has been a 6.6% drop in the cost of the average data breach in Australia (down to $US2.44m). The average cost per lost or stolen record also fell.

This is in stark contrast with the situation globally, where the costs of a data breach continue to rise, reaching $US4m – up from $US3.79m a year ago. Australia is the only country where the total cost of a data breach fell.

The global report also found that Australia and Germany were the two countries among the 12 surveyed that were least likely to face a “material data breach” involving 10,000 or more records.

However, Glen Gooding, IBM security business unit executive ANZ, acknowledged that there was a relatively small sample of Australian businesses included in the global survey, and that it should not be taken as a signal of a “steady state decline” in terms of cyber breach impact in Australia.

Gooding said he had spoken to the Ponemon Institute about the local phenomenon and believed there were three factors at play.

First, Australian companies have gotten better at detecting and responding to incidents; second, local companies are spending less on consultants and legal experts; and, finally, Australian companies are doing a better job at keeping customers after a breach.

This backs up the findings of the recent Deloitte Australian Privacy Index, which revealed that 71% of individuals did not trust an organisation any less after they were notified of a data breach.

Rather than the actual number of breaches going down in Australia, there has been a slight improvement in how they are handled.

The 2015 Australian Cyber Security Survey of major Australian businesses, released by the Australian Cyber Security Centre in association with Cert Australia, noted that 50% of respondents had experienced one cyber security event in the previous year. Cert responded to 11,733 incidents affecting businesses.

Australia’s proposed mandated data breach legislation is in limbo pending the outcome of the July election, but if passed the legislation will help shed further light on the extent of the problem.

According to Corrs Chambers Westgarth partner Helen Clarke and special counsel Sophie Bradshaw, if the legislation is passed companies will have to disclose breaches involving personal information, credit reporting or credit eligibility information.

Notification will also be required where the breach involves tax file information, or if it gives rise to “a real risk of serious harm” to an individual.

Gooding at IBM warned that the increasing use of cloud computing services – especially those brought into the organisation through shadow IT spending, outside of the CIO’s oversight – could render a business more vulnerable in the future.

“Complexity is the enemy of good security,” he said, and the challenge for the CIO or CISO with cloud computing is “how well they can control third-party suppliers.”

Security in the cloud

The 2015 Australian Cyber Security Survey found 82% of respondents used or planned to use cloud-based services. Among those not planning to use cloud-based services, security concerns were nominated as a barrier to adoption.

Gooding said it is important, as part of a security audit, that enterprises gain a clear view of what is running in the cloud, especially when there is a lot of shadow IT in use. “They confidently come back with their spreadsheets, but when we run a discovery audit there can be three or four times what they thought.”

“There’s been no due diligence. They’ve grabbed a service, but not considered the security implications of using a cloud payments gateway service that has not been validated by the security team,” he said, adding that this leaves an enterprise more exposed than it realised.

1 comment

Any data breach should be treated with the same level of importance. Just because they got in and did not cripple you does not mean they won't another time. It may have just been someone playing around and looking for holes in your security. If the wrong person finds the same hole it may be disastrous.