Cost of data breaches higher in UAE and KSA than rest of world

IBM and Ponemon survey shows regional data breaches cost more and take longer to fix

Data security programs are imperative not just to managing the risk of a breach, but also reducing the cost, says Aboualy.
Data security programs are imperative not just to managing the risk of a breach, but also reducing the cost, says Aboualy.

The average cost of a data breach for organisations in Saudi Arabia and the UAE has increased significantly, according to the latest Ponemon Institute study.

Organisations in the region also took longer to find and act on data breaches and had a higher cost than the global average, according to the study which was sponsored by IBM Security. Overall, the study found that the average total cost of a data breach in KSA and UAE combined is $5.31 million, a 7.1% increase since 2017. The global average was only $3.86 million, putting the Middle East second only to the US, with an average of $7.91 million, in terms of cost of breaches.

The worldwide study found that the average cost of breaches has increased in all territories surveyed. This year's survey canvassed 477 organisations in 15 countries.


In Saudi and the UAE, the study found that breaches cost companies $163 per lost or stolen record on average, compared to $148 globally. The average time to identify a data breach in the region was 260 days, and the average time to contain a data breach once identified was 91 days, compared to a global average of 197 and 69 days respectively.

The root cause for 61% of breaches in KSA and UAE is malicious or criminal attacks, followed by system glitches at 21% and human error at 18%.

Dr. Tamer Aboualy, CTO of Security Services, IBM Middle East & Africa, said that the overall cost of a data breach is affected by factors including the size of the breach, the time taken to identify and contain, effective management and escalation, and effective management post breach, and unexpected loss of customers.

"The larger the size of the breach and number of records lost, means the cost will be more. The longer it takes to discover a breach also means the cost and damage will increase," Aboualy said.

"In the UAE and Saudi Arabia, these factors listed above were higher and thus contributed to higher costs. Particularly the high amount of records lost/stolen, and higher than average time to identify/contain, also contributed to higher costs. Furthermore, the root cause classification contributed to higher costs.

"This is why data security programs are imperative, such as data taxonomies, knowing where your critical data is, and how it is protected. This is critical to having visibility into the sensitive and confidential information that is vulnerable to a breach and managing risk. Other factors such as effective management escalation and post data breach activities also contribute to cost."

The study identified that organisations that took steps to preserve customer trust before a breach suffered less loss of customers if they had an incident, although more organizations worldwide lost customers as a result of their data breaches this year than before. Organisations that offer data breach victims identity protection in the aftermath are also more successful in reducing churn.

Other factors that can mitigate the damage are time to contain the breach - Companies that contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total).

Data classification programs to identify the most sensitive data, and reducing the volume of such data that is vulnerable to breaches also limited costs, as did effective management of detection and escalation costs through better GRC programs and better management of the costs post-data breach through factors such as business continuity management and insurance protection.

"The 2018 report reveals that the major cause of a data breach is malicious or criminal attacks for organizations in KSA and UAE. The potential damage from cyberattacks extends beyond the obvious issue of businesses and consumers losing money. It can dramatically impact a company's reputation, damaging the trust and loyalty of its customers, business partners, investors, and others," Aboualy said.

"The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. "While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs."

Most Popular