Data breaches aren't cheap - study



A single data breach costs P37.5 million for enterprises and P3.9 million for small and medium-sized businesses (SMBs) in the Philippines and the rest of Southeast Asia (SEA), according to the latest findings of global cybersecurity firm Kaspersky.

Unfortunately, with new threats emerging during the pandemic and the extended period of remote work, businesses have to tackle both internal financial risks and external cyber threats.

The Kaspersky study covered a total of 4,303 interviews with businesses with more than 50 employees, conducted across 31 SEA countries in May-June 2021.

Respondents were asked about the state of IT security within their organizations, the types of threats they face, and the costs they have to deal with when recovering from attacks.

Throughout the report, businesses were referred to as either SMBs (businesses with 50 to 999 employees) or enterprises (businesses with over 1,000 employees).

The Kaspersky research discovered only a small 4 percent increase in the financial impact of data breaches for SMBs, at P5.5 million or $105k (at $1: P52.4) in 2021, compared to P5.3 million or $101k in 2020.

There was a notable 15 percent decrease for enterprises, which fell to P48.6 million or $927k from P57 million or $1.09 million in 2020, below the previous lowest figure from 2017 at P52 million or $992k.

In SEA, the average cost of a data breach against an enterprise increased slightly to P37.5 million or $716k from P37.2 million or $710k in 2020.

There is, however, a huge drop when it comes to the financial impact against SMBs. From P4.82 million or $92k two years ago, it is only at P3.8 million or $74k in 2021.

“The significant drop in the cost of data breaches against SMBs here is due to the fact that some of these businesses had to close shops during the height of this health emergency,” says Kaspersky's General Manager for Southeast Asia Yeo Siang Tiong.

“It took a while before they were able to re-open and start their recovery. The financial impact of data breaches against enterprises has not skyrocketed as we continuously see improvements on businesses’ detection capabilities,” he noted.

Through their customer interactions, and also due to the increased media coverage of cyberattacks, more companies are now aware of the price they may pay if they let their guard down.

“However, once an attack is exposed to the press, the aftermath significantly increases. Reputational impact comes into play and this proves to be more damaging than the upfront monetary aftermath,” added Yeo.

The average breakdown of the additional cost of a data breach against an enterprise in the region showed that the bulk of the money goes to improving software and infrastructure ($98k), extra PR to repair brand damage ($93k), training existing staff ($90k), employing external professionals ($88k) and damage to credit rating or insurance premiums ($84k).

Other research from Kaspersky proved the reputational damage a single data breach can cause a company.

The firm’s research “Mapping a secure path for the future of digital payments in APAC” found that almost half (42 percent) of users in SEA will not purchase from an e-commerce provider or any seller that was subjected to a data breach or any form of cyberattack.

A company’s history with data leaks also plays a role when users are choosing their mobile wallet. Almost two in five noted that they will opt for a digital payment provider that was not involved in any kind of data breach or attack before.

With the financial and reputational aftermath of a data breach, both enterprises and SMBs are urged to follow the advice below in order to help them mitigate cyberattacks and potentially reduce costs if they suffer a data breach:

Ensure the organization is using the latest version of its chosen operating systems, with auto-update features enabled to ensure the software is always up to date.

Adopt endpoint solutions that enable vulnerability assessment and patch management, to reduce the risk of vulnerabilities being exploited by cybercriminals. Such a solution can automatically eliminate vulnerabilities in infrastructure software, proactively patch them and download essential software updates. It also provides behavior detection and exploit prevention mechanisms that discover and stop suspicious endpoint activity.

Educate employees on the importance of regularly updating technology and software.

Develop a special crisis management plan for cybersecurity incidents and ensure that it integrates participants from key departments, including IT Security, IT, legal, government relations, investor relations, customer support and corporate communications.

Consider specific training for all of the parties involved – including communication specialists and the head of IT security.