The Cost of an SAP Cybersecurity Data Breach in 2020

Oct 7, '20 by Joerg Schneider-Simon

If you’re wondering about the cost of an SAP cybersecurity data breach, there’s a short answer and a long answer.

The short answer is simple, and comes from SAP itself: The average cost of SAP security breaches is $5 million. But, adds SAP, the risks are growing.

And that brings us to the long answer.

Personal cybersecurity breaches are stressful and even damaging, especially if they result in identity theft or ransomware. But SAP cybersecurity data breaches are in a league of their own—a league where hackers are paid professionals who dedicate their waking hours to penetrating SAP systems and networks, all in the hopes of an immense payoff.

And the penalties for the companies running the SAP systems are dire.

The rising cost of SAP cybersecurity data breaches

The annual cost of cybercrime has risen by 72% over the past five years, from $11.7 million to $13 million.

According to the 9th Annual Cost of Cybercrime Study, conducted by Accenture Security and the Ponemon Institute, security breaches have risen by 67% in the last five years. The annual cost of cybercrime has risen by 72% during the same period, from $11.7 million to $13.0 million.

Just to be clear, when this study talks about cyberattacks, they are talking about security breaches that result in the infiltration of a company’s core networks or enterprise systems. They are not talking about attempts (such as attacks that fail to penetrate a company’s firewall defenses).

The cost of SAP cybersecurity breaches varies by industry

The cost of a cybersecurity data breach depends on the industry you are in, according the Cost of Cybercrime Study. The study’s detailed analysis shows that banking and utilities continue to have the highest cost of cybercrime, with an increase of 11% and 16% respectively.

The average annual cost of cybercrime in banking is $18.37 million. In utilities, the average annual cost is $17.84 million.

At the other end of the spectrum you find the travel industry and the public sector. These are the industries who pay the lowest cost for cybercrime. The average annual cost of cybercrime in the travel industry is $8.15 million. For public sector organizations, the average annual cost is $7.91 million.

We can confidently say that organizations who operate in the industries covered by this study, and who use SAP systems, will see results that match those of the researchers.

The average annual cost of cybercrime by industry

Source: Ninth Annual Cost of Cybercrime Study. Accenture Security and the Ponemon Institute, 2019.

The cost of SAP security attacks varies by attack vector

Not all cybersecurity attacks are created equal. Some cost more to remediate than others. According to the researchers’ analysis of almost 1,000 cyberattacks, malware remains the most frequent attack overall—and in many countries, it’s the most expensive attack to resolve.

“The number of organizations experiencing ransomware attacks increased by 15 percent over one year and have more than tripled in frequency over two years. Phishing and social engineering attacks are now experienced by 85 percent of organizations, an increase of 16 percent over one year—which is a concern when people continue to be a weak link in cybersecurity defense.”

– 9th Annual Cost of Cybercrime Study

Malware and web-based attacks continue to be the most expensive types of attack for organizations. The cost of malware attacks has increased by 11% over the year. The cost of malicious insider attacks has increased by 15%.

Top-Five Most Costly Types of Cyberattack

Type of Attack Average annual cost of an attack
Malware $2.6 million
Web-based attack $2.2 million
Denial of service $1.7 million
Malicious intruder $1.6 million
Phishing and social engineering $1.4 million

Source: Ninth Annual Cost of Cybercrime Study. Accenture Security and the Ponemon Institute, 2019.

Where you operate affects the cost of SAP data breaches

The average annual cost of cybercrime varies widely by country. Organizations in the United States pay the highest annual price for cybercrime attacks, at $27.37 million. They are followed by Japan ($13.57 million), Germany ($13.2 million) and the United Kingdom ($11.46 million).

Not surprisingly, the country experiencing the greatest increase in the cost of cybercrime is the United States. The average annual cost of cybercrime in that country rose by 29% over the previous year.

The average annual cost of cybercrime by country

Source: Ninth Annual Cost of Cybercrime Study. Accenture Security and the Ponemon Institute, 2019.

SAP cybersecurity breaches carry other costs

The cost of an attack on your SAP systems goes beyond dollars, of course. New regulations, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States, aim to hold organizations and their executives increasingly accountable for the protection of information assets. Data breaches mean regulatory penalties and even lawsuits from consumers whose non-encrypted or non-redacted personal information is breached.

Then there’s the cost of business disruption during and following a cyberattack. These costs include decreased employee productivity and business process failures, and depending on the industry, can easily total up to drops of millions of dollars (or more) in operating profits.

Your brand value will also take a hit after your data breach is made public. Data breaches impact global brands as well as mid- and small-size organizations. Breaches attract media attention, and that typically means unwanted public exposure, especially whenever customer personal data is stolen and disclosed.

Another cost you may pay for an SAP cybersecurity data breach is a diminished value of your company. Data breaches usually harm stock performance, and that quickly translates into a lower offer price from potential buyers.

A 2016 Deloitte report identified seven “hidden” costs of cybersecurity breaches, which can easily add up to hefty sums:

  • Insurance premium increases
  • Increased cost to raise debt
  • Impact of operational disruption or destruction
  • Lost value of customer relationships
  • Value of lost contract revenue
  • Devaluation of trade name
  • Loss of intellectual property

An Ounce of Prevention

The good news in all of this is that the annual cost of preventing an SAP cybersecurity breach is far lower than the cost of a breach.

According to the 15th annual Cost of a Data Breach Report, conducted by the Ponemon Institute and published by IBM Security, security automation and incident response readiness are effective at mitigating costs.

Organizations can significantly limit the financial damage of a data breach by using automation to detect a breach as quickly as possible, and then containing the breach rapidly with a prepared incident response team. The average cost of a breach at organizations with fully deployed security automation was $2.45 million, compared with $6.03 million at organizations with no security automation—a difference of $3.58 million.

By keeping SAP cybersecurity squarely on the radar and deploying effective prevention strategies, companies can greatly diminish the chances that the costs associated with a cyberattack will ever show up on their balance sheets.

Does your organization use SAP FIORI?

There are some cybersecurity risks inherent to SAP FIORI. If you want to take the right steps to protect your business and its sensitive data, read our Guide to SAP FIORI Cybersecurity.

New Call-to-action