The price of security incidents in organizations in 11 countries jumped an average of 12 per cent last year, if a new study is representative.
According to the annual Accenture Cost of Cybercrime survey, the average cost of investigating and remediating breaches of security controls to the 355 organizations surveyed was US$13 million in 2018, compared to US$11.7 million in 2017.
The average company in the survey suffered 145 security breaches (not all of which may have involved data exfiltration) last year, up from 130 in 2017. That’s an 11 per cent increase.
Among the 25 Canadian companies included in the survey, the average cost of security breaches last year was US$9.25 million. (This was the first year Canadian firms were in the survey, so there are no previous comparative figures.)
Canadian firms questioned suffered an average of 75 cyber attacks (again, defined as a breach of controls) last year – almost 1.5 attacks per week. By comparison, the average of the group studied was 145 breaches.
That gap surprised Ahmed Etman, managing director of Accenture Canada’s security practice, who thought the Canadian average of attacks would be closer to the global average. There could be a number of explanations, he said in an interview. But he doubted one of them was the small number of Canadian companies surveyed.
Findings specific to Canada include:
· In 2018, the cost of business disruption was US$2.96 million, and the cost of information loss was US$3.8 million;
· 81 per cent of business leaders said new business models introduce technology vulnerabilities faster than they can be secured;
· Malicious insiders and malicious code were the most expensive types of attacks, costing Canadian respondents, on average, US$3.3 million, compared to the average of all companies surveyed of US$1.6 million. These attacks also take the longest to resolve – twice as long as ransomware and phishing and social engineering attacks;
· Automation, AI and machine-learning technologies provided the highest cost savings when fully deployed.
Among other findings, the report confirmed what Accenture Canada has heard from customers, Etman said: Attackers are increasingly using very targeted spear phishing and social engineering campaigns to go after specific people in organizations.
That suggests, he said, CISOs have to invest more in procedures and technology to protect staff from making mistakes that could result in information loss or destruction.
“Over the past decade we’ve seen a lot of money poured into technology [including buying] new shiny tools without necessarily maturing the security program overall,” Etman said. “Taking an enterprise to a high maturity level takes more than just deploying technology. It takes training people, improving procedures, and testing those procedures to make sure they are effective.
“Many organizations have fallen into the trap of deploying more technology without paying close attention to policies and procedures. So CISOs have to focus more on making risk-based decisions, and driving policies, procedures and standards that would require technology to achieve [better security], but not the other way around.”
Breaking costs down, the study found that among those surveyed the average cost due to malware increased 11 per cent, to more than US$2.6 million per company. The cost due to malicious insiders — defined as employees, temporary staff, contractors and business partners — jumped 15 per cent, to US$1.6 million per organization, on average.
Together these two types of cyber attacks accounted for one-third of the total US$13 million cost to companies. The cost to companies from phishing and from social engineering increased to US$1.4 million per organization, on average.