The cost of security breaches: the hardest-hit sectors and those that fare better

Let’s start with a figure to give you an idea of the extent of security breaches: in 2021, 54% of French companies reported they were the target of cyber attacks between one and three times[1]. This figure is all the more alarming when we consider that, since the health crisis, close to 58% of companies reported that remote working has made them more vulnerable to cyber attacks[2].

Hackers are not only becoming much more creative, devising increasingly complex attacks for monetary or political reasons; they are also targeting a broad spectrum of companies. One observation: whether it’s multinational banking groups or small construction companies, no one is safe.

However, not all sectors are impacted in the same way. The overall trend is clearly gathering pace, but certain sectors fare better than others. Unsurprisingly, professionals observe that many hackers appear to be targeting specific sectors depending on how vulnerable they are.

The hardest-hit sectors

The health sector remains at the top of the league table

Medical data ranks very high among the most sensitive types of data. As a result, in its Cost of a Data Breach Report 2021, IBM indicated that the health sector was the hardest hit by security breaches. With an average cost of USD $9.23 million per incident, it maintains its unenviable position as leader for the tenth year in a row. A recent example illustrates the extent of the problem for this sector. In 2020, the medical centre of the University of Vermont (UVM) was the target of a large-scale attack. Over several days, staff were unable to access patient appointment data. Although the centre never paid a ransom, the cost of the attack was estimated at USD $50 million[3].

The financial sector, a prime target

In second place, we find the financial sector, for which the average cost amounted to USD $5.72 million in 2021. Widespread digitalisation means the financial sector holds a plethora of sensitive data, making it a prime target for cyber attacks. Security managers at Mastercard told the New York Times that they were faced with more than “460,000 attempted breaches per day, i.e. 70% more than just one year ago”[4].

These impressive numbers explain the substantial investments made in this sector. On average, financial institutions allocate 0.3% of their revenue and 10% of their IT budgets to cybersecurity, according to data from consulting firm Deloitte[5].

Pharmaceutical and Technology sectors still exposed

In this same report, the pharmaceutical industry and technology sector are in third and fourth place, with the average cost of data breaches at USD $5.04 million and USD $4.88 million respectively. Overall, the industrial sectors subject to the strictest regulations are generally, by far, those that hold up best to cyber attacks, despite the ever-increasing number of these attacks.

The sectors that fare best

The public sector is the star performer

The public sector, and notably businesses with direct links to strategic State business (Defence, Transport, etc.), rank much “better” on the league table, with the average cost of security breaches reaching a “mere” USD $1.93 million. This can be attributed to the fact that these organisations are considered political rather than financial targets.

OVI and OES benefit from being at a mature stage

It could be assumed that a vast majority of private companies with the status of OES (Operator of Essential Services) or OVI (Operator of Vital Importance) benefit from being at a mature stage in terms of cybersecurity. Indeed, these operators constantly face all types of cyber threats.

Among the fifteen or so sectors covered by the OES status, we find players in the insurance and energy sectors. Owing to the negative impact that interruptions of their services could cause at the national level in France, some of these operators must now comply with network and information system security obligations. This strict approach to cybersecurity is the reason why the energy sector went from the second most expensive sector in terms of the average cost of cyber attacks to fifth place, from USD $6.39 million in 2020 to USD $4.65 million in 2021 (a decrease of 27.2%). In France, the ANSSI is responsible for managing system cybersecurity and supports OVIs in implementing the new measures.

Hospitality and media industries relatively untouched, but incidence also increasing

Still in the same IBM report, the industries at the bottom of the table, which manage to limit the average cost of cyber threats, are the hospitality and media industries, at USD $3.03 million and USD $3.17 million respectively. However, this number should be put into perspective: the underlying trend in both these sectors is upward.

As a result, although certain sectors hold up better than others thanks to their greater maturity in managing cybersecurity or their ability to invest in this area, the vast majority of sectors have to deal with an increasing number of attacks and the increasing average cost of managing such security breaches, regardless of company size or geographical location. Now more than ever, it appears essential to launch major campaigns to raise awareness about best practices, to continue to invest in cybersecurity to prevent rather than remedy, and, lastly, to carry out actions to identify vulnerabilities and risks more regularly.



[1] https://www.usine-digitale.fr/article/etude-ou-en-sont-les-entreprises-francaises-en-matiere-de-cybersecurite.N1774277

[2] https://www.hiscox.fr/courtage/blog/rapport-hiscox-2021-sur-la-gestion-des-cyber-risques

[3] https://www.aamc.org/news-insights/growing-threat-ransomware-attacks-hospitals

[4] https://www.nytimes.com/2019/07/30/business/bank-hacks-capital-one.html

[5] https://www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html
