- Timely software updates can cut business data breach costs in half.
- Outdated technology needs to be addressed as a cybersecurity risk.
Enterprises in the Middle East, Africa and Turkey region with outdated technology can lose 16 per cent more money when they suffer a data breach than those that update everything on time.
For small and medium-sized businesses, according to a Kaspersky report, the difference is even starker – up to 54 per cent.
The problem of obsolete and unpatched software is quite common and important for businesses to address, since nearly half of organisations (55 per cent) use at least some form of out-of-date technology in their infrastructure.
Sergey Martsynkyan, Head of B2B Product Marketing at Kaspersky, said that any additional costs for business are of course critical, especially now.
“The global economic situation is unstable because of the pandemic and investments in IT and IT security are predicted to decrease. Even if it is impossible to get rid of it overnight, there are still some measures to mitigate the risk. Companies can not only save money but also avoid other potential consequences – which is crucial for any business,” he said.
Outdated technology carries cybersecurity risks for businesses, as proven by several successful attacks over the last few years. The infamous WannaCry ransomware attack in 2017 impacted global enterprises such as FedEx and Telefonica, as well as UK hospitals. It led to Microsoft issuing a rare security patch for its previous outdated XP operating system to ensure organisations still running this old OS were protected.
Kaspersky’s survey shows that organisations should prioritise renewing software and be prepared to invest, because doing so could save them money in the long term.
“While vulnerabilities are inevitable in any software, regular patching and updates can minimise the risk of exploitation. That’s why users are always advised to install the latest software versions as soon as they are available, even if these updates can sometimes be difficult or a time-consuming task for organisations,” the report said.
Breach costs in 2020
If a data breach happens, enterprises with any form of outdated technology, including unpatched operating systems, old software and unsupported mobile devices, can suffer an additional $158,000 in financial damage, taking losses to a total of $1.15 million, which is 16 per cent more than the cost for companies with completely updated technologies ($994,000).
As for small and medium-sized businesses, they can lose an additional $33,000. The total cost rises to $122,000 – 36 per cent more compared to $89,000 for businesses with all required updates installed.
As of 2020, on average, a breach costs an enterprise $1.09 million and a small to medium-sized business (SMB) $101,000, compared to $1.41 million and $108,000 respectively in 2019.
The survey revealed that financial losses were 32 per cent lower in enterprises that could detect a breach almost instantly, compared to those that did so in a week or longer. SMBs also benefit from earlier breach detection, with losses on average being 17 per cent lower.
Identifying a breach early gives businesses a much better chance of avoiding public disclosure. 29 per cent of SMBs that take over a week to discover a breach will see it exposed in the press, compared to nearly half of that (15 per cent) if the breach is detected almost immediately.
It is a similar case for enterprises, with these figures standing at 32 per cent and 19 per cent respectively.
Right resources needed
“The pressure on speed, when it comes to data breach discovery and reaction, therefore impacts both costs and reputational damage caused by public disclosure. To reduce the chances of their losses increasing, organisations can take control of the situation and make it publicly known that a breach has happened. This enables them to construct and lead any messages related to the incident and swiftly respond to any negative information that could be in the press,” the report said.
However, making updates can be an afterthought or too costly without the right resources. It takes a large, concerted effort to change a significant amount of software and/or hardware. Organisations should prioritise updates and be prepared to invest, because doing so could save them money in the long term.
Businesses with outdated technology are much more likely to have suffered a data breach (65 per cent) than those that keep theirs updated (29 per cent). This number increases to 77 per cent in businesses that have suffered a breach and still have the C-suite using outdated technology.
Surprisingly, the main reason given for not updating technology is employee convenience.
As shown in the chart below, nearly half (48 per cent) of organisations reported to some extent that employees refuse to work with new versions.
The same number of companies simply cannot upgrade their devices or operating systems because they use legacy software.
Meanwhile, a third (34 per cent) say the company’s outdated technology is used by C-level staff and is excluded from their update plan.
Both enterprises and SMBs are urged to mitigate cyberattacks and potentially reduce costs if they suffer a data breach.
Key steps to follow:
- Ensure the organisation is using the latest version of its chosen operating systems and applications, with auto-update features enabled so that the software is always up to date.
- If it is not possible to update software, organisations are advised to address this attack vector through the smart separation of vulnerable nodes from the rest of the network, along with other measures.
- Enable the vulnerability assessment and patch management feature in an endpoint protection solution. This can automatically eliminate vulnerabilities in infrastructure software, proactively patch them and download essential software updates.
- It is important to boost security awareness and practical cybersecurity skills for IT managers, as they are at the frontline of IT infrastructure updates. A dedicated "security for IT" online training course can help.
- For critical IT or operational technology systems, it is important to always be protected regardless of any available software updates. This means they should only enable activity that is predetermined by the purpose of the systems.