Work-from-home arrangements during the COVID-19 pandemic made companies more vulnerable to cyber attacks, with data breaches involving remote workers costing $1m more on average than those that didn’t, according to a new analysis that also found Australian companies are taking over 10 months to find and fix data breaches.
The average Australian data breach cost $3.7m (US$2.82m), the IBM-Ponemon Institute Cost of a Data Breach Report 2021 found – up 31 per cent from $2.8m (US$2.15m) the previous year.
While that was less than the global average of $5.5m (US$4.24m) and a fraction of the cost to companies in places like the US (US$9.05m), Middle East (US$6.93m) and UK (US$4.67m), it still represented significant losses for Australian companies – especially those that hadn’t improved their operations during the COVID-19 pandemic.
The analysis of 537 data breaches (including 25 Australian incidents) found that Australian companies took 311 days on average to detect and contain data breaches – up more than a week over the previous year and continuing a five-year trend towards ever-slower detection.
Responding to a breach cost 20 per cent more than the previous year, with an average of 23,800 records stolen per Australian breach – costing $169 per record on average.
These practices reduced financial losses
The analysis also identified a range of factors that helped companies respond more quickly to data breaches and limit their losses from those breaches.
One was to avoid overcommitting to cloud platforms – overcommitment that added $266,400 to the cost of an Australian data breach.
Because of still-evolving security models within cloud services, companies primarily running on public cloud services took 80 days longer, on average, to find and contain a data breach than those that had kept some of their systems in-house.
That finding likely reflected what Gartner recently flagged as a 38 per cent increase in cloud security spending this year.
Australian companies will spend $5.1b on information security and risk management this year alone, according to Gartner – and, as the IBM figures confirmed, many of the investments will pay off by reducing companies’ financial exposure to data breaches.
“There’s a combination of actions and activities that organisations need to apply,” IBM cyber security chief technical officer for ANZ Chris Hockings told Information Age, “which when added together have a significant impact by dropping the cost of a breach.”
Those who had created an incident response team, and were regularly testing their cyber incident response plans, claimed savings of nearly $1m per incident.
Other security practices – including adoption of AI-based security, penetration testing, cyber insurance, board-level oversight, encryption and other elements – also reduced data breach losses.
The figures also confirmed the financial value of a zero-trust security approach – an emerging strategy that forces anything connected to the network to confirm its identity for as long as it remains connected – which cut the cost of data breaches by $1.54m.
After years as a niche technology, zero trust network architecture (ZTNA) has become a mainstream security strategy because of the pandemic’s disruption.
ZTNA significantly improves security for home working, where employees are no longer protected by being physically inside a company network.
As COVID-19’s disruption pushes companies to get serious about ZTNA, Hockings said, the key to driving down costs is to “start at the most obvious place” and use open standards to push zero trust throughout the organisation.
“Zero trust is a maturity journey,” he explained, noting that “open standards have a profound impact on the way that complexity is handled inside of organisations.”
“Open standards drive interoperability,” he added, “and once we get interoperability we have the ability to build complex scenarios more easily.
“That is the hurdle that is going to make a significant impact in the way security is handled over the next few years. But it’s going to be a long journey to get to that.”