The average cost of enterprise data breaches has risen to $1.41 million in 2018, up from $1.23 million in 2017, according to new research from Kaspersky. It’s estimated that there have already been 4,000 data breaches in the first half of 2019, affecting four billion users’ data.

But companies with an internal cybersecurity function (a security operation center, or SOC) experienced only half the financial loss of those without protection from cyber attacks. Cyber attacks are both anticipated and rampant, and IT security budgets now average $18.9 million, up from 2018’s $8.9 million. Worldwide IT spending is projected to total $3.74 trillion for 2019.

While the cost of data breaches has increased annually, Kaspersky’s survey, “IT security economics in 2019: how businesses are losing money and saving costs amid cyberattacks,” which conducted 4,958 interviews in 23 countries, found that enterprises with a SOC in 2019 estimated cyber-attack financial damage at $675,000, less than half the $1.41 million average cost in 2018.

The key to preventing financial loss for enterprises is internal security, responsible for the ongoing monitoring of breaches and for incident response. The survey revealed that 34% of companies of all sizes with a dedicated Data Protection Officer (DPO) reported that cyber incidents at their organization did not result in monetary loss. Larger companies (500+ employees), which face the largest losses, based on a greater impact, estimated the financial impact of a data breach at $106,000 when they had an in-house security operation center, compared to $129,000 for those without a DPO.

However, the report also revealed that companies that outsourced their SOC did not reduce their financial loss from data breaches. The survey showed that outsourcing security to a Managed Service Provider (MSP) may actually increase financial impact; 23% of companies that use an MSP experienced a financial impact of $100,000 to $249,000, while only 19% of businesses with an in-house IT team reported the same level of damage.

Damage from a cyber attack can be ameliorated by establishing a DPO position within the company; a DPO is responsible for building and implementing data protection strategy within a company, as well as managing compliance issues. The report revealed that more than one-third of organizations (34%) with a DPO that suffered a data breach did not incur any financial loss, compared to only one-fifth (20%) of businesses overall.

“Establishing an internal SOC involves purchasing the necessary tools, building processes and recruiting analysts, which can be a challenge for any business,” said Veniamin Levtsov, vice president of corporate business at Kaspersky. “Likewise, finding a DPO who can combine IT security and legal knowledge is not an easy task. These require time and budgets, and security leaders often find it difficult to justify such initiatives. But as we can see, these are worthwhile investments. Of course, just having a dedicated employee or even special subdivision does not guarantee that a company will not suffer a data breach. However, it does ensure that the business is prepared for these incidents, allowing them to recover from an attack more quickly and efficiently.”

Kaspersky’s report found:

  • More than 38% of businesses feel they lack sufficient insight on the threats facing their business.

  • Inappropriate IT use leads to the most frequent form of business data breach.

  • The components of the average financial impact of a cyber breach for businesses are (from most to least impactful): damage to credit rating/insurance, the need to hire external professionals, lost business, the need for extra PR to repair brand damage, additional internal staff wages, compensation, and penalties and fines.

  • Growing in confidence: more than four in 10 (41%) organizations in North America are completely confident that their network hasn’t been hacked, despite more than half (57%) feeling they lack sufficient insight on the threats facing their business.

  • Businesses are overlooking danger: only one in ten (12%) enterprises are concerned about malware infection, despite it being the costliest security incident for them at $2.73 million.

  • People power: 61% of both enterprises and small and medium-sized businesses (SMBs, with 50 to 999 employees) in North America are looking to increase their investment in specialist IT staff this year.

  • Forewarned but not forearmed: policies regulating third-party access aren’t increasing enterprise protection, but simply tripling the potential for compensation.

  • Play to your strengths: having an internal Security Operation Center nearly halves the financial impact of enterprise data breaches, from $1.4 million to only $675,000.

  • A DPO can save you money: more than a third (34%) of companies with a data protection officer didn’t lose money when they suffered a data breach.

The ninth annual Kaspersky Global Corporate IT Security Risks Survey (ITSRS) is a global survey of IT business decision makers. Respondents were asked about the state of IT security within their organizations, the types of threats they face and the costs they have to deal with when recovering from attacks. The regions covered consist of LATAM (Latin America), Europe, North America, APAC (Asia-Pacific with China), Japan, Russia and META (Middle East, Turkey and Africa).
