Data theft (3/3): the numbers by sector
After reviewing the costs of data theft for the global economy in the previous articles, this last article of the series deepens the picture of the damage inflicted by cybercrime by looking at the numbers by sector. We will look at the private sector, the public sector and the specific case of the healthcare sector.
Private sector costs
The costs for big companies
The financial impact of data theft on businesses was examined by the Ponemon Institute on behalf of IBM. For the study, 2,200 people in charge of security and compliance at 477 companies around the world were interviewed.
Globally, a data theft cost an average of $3.92 million in 2019, an increase of 8.2% compared to 2017. The study found a link between the cost of a data theft and the time taken to detect and respond to the breach. In detail, organizations take an average of 197 days to identify the threat and 69 days to respond to it. The study points out that by reducing this time to less than 30 days, a business can save $1 million. The main causes of data theft are cyber-attacks (48%), system issues (28%) and human errors (25%).
In France, 31 companies participated in the study. The average cost of a data theft there is $4.27 million (€3.54 million), an increase of 8.2% over the previous year. France ranks fourth in data theft incidents, with more than 25,000 records stolen on average, behind only the Middle East, India and the United States.
In terms of detection and response time, France managed to reduce both over one year: from 214 to 210 days to detect a data breach and from 78 to 75 days to contain it. These tasks cost French companies an average of $1.45 million. The study also noted that the cost of notification is relatively low in France ($80,000 on average), but it is expected to soar in the coming years because of the GDPR.
The study also looked at the impact of mega data thefts, those exceeding 50 million stolen records. The average cost of this type of attack can reach $350 million.
The cost for small and medium-sized businesses
Proportionately, however, cyber-attacks hit small businesses harder. Cyberattacks affect them at least 10 times harder than big companies, and the impact can prove insurmountable, to the point of forcing them to cease their activity. Small businesses are more vulnerable to attacks because they have fewer means to deal with them and less effective, or non-existent, ICT security systems.
For medium-sized businesses, the average cost of a data theft is $2.65 million, or $3,533 per employee.
For small to medium-sized businesses, the average cost is around $25,000. In addition to the financial cost, businesses can also suffer a negative impact on their online reputation, with a high risk of losing customers' trust. Insufficient online security also hampers the acquisition of new customers. Since small businesses have less funding, the financial cost of a data theft on a small to medium-sized business's balance sheet can be too heavy to bear for a structure with a tight cash flow.
We have talked about the financial losses, but the cost of data theft can also be measured in lost time for businesses of any size. According to IBM, it takes a business an average of 280 days to recover from a data theft. That is time it cannot devote to its activity, and therefore money lost. While big companies can often find the means to absorb such an expenditure of time and money, this is not always the case for small businesses.
Public sector costs
According to IBM's Cost of a Data Breach Report 2020, each cyberattack on the public sector cost an average of $1.6 million. Compared with the sixteen other sectors included in the report, the public sector has the lowest data theft cost. However, it must be taken into account that the report's public sector category includes neither the healthcare sector (which tops the list with an average cost of $8.6 million) nor, for example, the transport sector (with an average cost of $2.9 million, making it the 15th sector by cost). The report also factors in the cost of lost customers, which may lower the estimated cost for the public sector, since customer loss is a lesser concern for it.
The report also notes that the public sector takes much longer to identify and contain a data theft than other sectors. Across all sectors, the global average is 177 days to identify an intrusion, compared with 231 days for the public sector. Furthermore, once the intrusion is detected, the global average time to contain it is 73 days, compared with 93 days in the public sector. As discussed earlier, the longer it takes to find and fix a data breach, the higher the costs.
The cost to the healthcare sector
As previously mentioned, the healthcare sector leads in terms of the average cost of a cyberattack, at $8.6 million, which is largely due to the extreme importance of the sector for human societies.
Healthcare facilities are also, unsurprisingly, those with the highest cost per record stolen, at $408 per record.
ZDNet reveals that this data is particularly lucrative for cybercriminals. On the dark web, it is possible to obtain "fake prescriptions, labels, sales receipts and stolen healthcare cards for 10 to 120 dollars per record". And "for $3.25 or less, Carbon Black researchers had access to databases stolen from healthcare insurers, which could be used to make illegitimate claims at the victim's expense".
A cyberattack in the healthcare industry not only has a huge financial cost; it also has an enormous impact on many other levels.
Indeed, this type of cyberattack can have a direct impact on the physical safety of citizens, and it recently claimed its first human life. German authorities reported in September 2020 that a ransomware attack caused the ICT systems of a major hospital in Düsseldorf to fail; a woman who needed urgent admission had to be transferred to another hospital and subsequently died.
The postponement of certain procedures while normal operation is not quickly restored, the time wasted on manual record keeping and then on digitizing everything once the system is back, the cost of system restoration in some cases, and the problems arising from managing a fully computerized drug inventory are all additional burdens, very difficult to quantify, that add to the financial costs of this type of cyberattack.
Additionally, once the hospital has been ransomed and the data stolen, cybercriminals can still compromise the restored ICT systems or exploit the stolen data for years to come.
However, to date most hospitals are not classified by the French National Information Systems Security Agency (ANSSI) as Operators of Vital Importance (OIV) or even as Operators of Essential Services (OSE), and are therefore not subject to strict ICT security obligations. Only university hospitals (CHU) and the largest hospitals are classified as such, although this situation may soon change.
Having seen the staggering cost that data theft represents for every sector of the economy, the question of a solution to these problems arises. This is what XSL Labs' solution aims to provide by offering a fully decentralized identifier, the Secure Digital Identity (SDI), thus avoiding the archaic storage of data in huge centralized databases at the mercy of hackers, who in a single attack can steal hundreds of thousands, even millions, of records and then resell them or ransom institutions that are forced to give in to regain access to their database. XSL Labs thus hopes to serve the sectors of the economy most vulnerable to this type of cyberattack and contribute to a more secure Internet, an Internet of Trust.