Why enterprises in India need to develop a proactive data security strategy
Globally, 'detection and escalation' has surpassed 'lost business' as the largest cost of a data breach. But in India, 'post-breach response' continues to be the largest cost.
'Post-breach response' costs surpassed three other costs related to a data breach in Indian enterprises, according to the Ponemon Institute's Cost of a Data Breach Report, 2022.
The report, commissioned by IBM Security, identified four costs of an average data breach, namely lost business, detection and escalation, notification, and post-breach response.
Globally, 'detection and escalation' surpassed 'lost business' in 2022 as the largest cost of a data breach.
"Detection and escalation costs include activities that enable a company to reasonably detect a breach. These include forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards," stated the Cost of a Data Breach Report, 2022.
This cost category increased from a global average of $1.24 million in 2021 to $1.44 million in 2022, an increase of 16 percent.
In comparison, 'lost business' costs include activities that attempt to minimise the loss of customers, business disruption and revenue losses. "These costs include business disruption and revenue losses from system downtime; cost of lost customers and acquiring new customers, and reputation losses and diminished goodwill," the Ponemon report said.
For the first time in six years, lost business — at $1.42 million in 2022 — wasn’t the largest share of data breach costs globally. It decreased 10.7 percent from $1.59 million in 2021.
However, in India, 'post-breach response' had the largest share of the average cost of a data breach for the sixth year in a row. It increased by 5.65 percent from $843,670 (Rs 6.72 crore) in 2021 to $891,378 (Rs 7.1 crore) in 2022.
Broadly, the average cost of a breach in India went up from $2.21 million (Rs 17.6 crore) in 2021 to $2.32 million (Rs 18.48 crore) this year, according to the report.
"Businesses cannot evade cyberattacks," said Viswanath Ramaswamy, VP - Technology Sales, IBM India and South Asia. "As the industry moves forward, keeping security capabilities flexible to match attacker agility will be the biggest challenge."
Ramaswamy said investments in zero-trust deployments, proactive security practices, and AI-based security platforms are essential for enterprises in India to stay on top of growing cybersecurity challenges.
The sectors with the highest average per-record costs related to data breaches in India were industrial (chemical processing, engineering, and manufacturing companies), professional services (legal, accounting and consulting firms), and technology (hardware and software companies).
Planned vigilance
The Ponemon research is a study based on interviews with 550 organisations in 17 countries between March 2021 and March 2022. It included 49 companies from India, constituting 9 percent of the report sample, which have been studied over 11 years.
One of the correlations established in the report is between the cost of a data breach and security AI and automation. For example, organisations with fully deployed security AI and automation had an average total cost of a data breach of $3.15 million, compared to $6.2 million for organisations without security AI and automation.
But the efficiencies in time are more critical for chief risk officers than the cost savings.
The Ponemon research defines a 'data breach lifecycle' as the time between the first detection of the breach and its containment. The time to identify a breach describes the time it takes to detect that an incident has occurred. The time to contain a breach refers to the time it takes an organisation to resolve a situation when it’s been detected and ultimately restore service.
- Organisations with fully-deployed security AI and automation had a mean time of 181 days to identify a data breach, and a mean time of 68 days to contain the data breach. The total is the data breach lifecycle of 249 days.
- In contrast, organisations that hadn't deployed security AI and automation clocked a mean time of 235 days to identify a data breach, and a mean time of 88 days to contain the breach. The data breach lifecycle is 323 days.
- Organisations that partially deployed security AI and automation had a mean time of 223 days to identify a data breach, and a mean time of 76 days to contain the breach.
"Companies with fully deployed security AI and automation experienced on average a 74-day shorter time to identify and contain the breach, known as the breach lifecycle, than those without security AI and automation — 249 days versus 323 days," the report stated.
What's more, at least 60 percent of the 550 organisations surveyed raised their product or service prices due to data breaches, at a time when the cost of goods is soaring worldwide amid inflation and supply chain issues.
For enterprises in India, there is more value to derive from having a proactive data security and risk management strategy.