Results from Ponemon's 2016 Cost of Data Breach Study show that the price of these incidents continues to rise and that it has now breached the $4 Million mark. Another paper published by Deloitte even talks about hidden costs that far exceed what most businesses normally take into account. While these reports paint an alarming picture on the state of data security, we managed to extract from these papers key factors that can help businesses mitigate the risks.
Some Takeaways from the 2016 Cost of Data Breach Report
The Cost of Data Breach Study* is an annual report published by Ponemon Institute, a research organization focusing on trends in privacy, data protection and information security policy. In this year's report, Ponemon gathered data from 383 different companies in the following countries:
- United States,
- United Kingdom,
- the Arabian region (United Arab Emirates and Saudi Arabia),
- Canada, and
- South Africa
According to the latest study, the total organizational cost of a data breach has now reached a grand average of 4 Million USD globally. Last year, in the 2015 report, that value was $3.8M. The year prior to that, it was at $3.5M. That's a 14% increase in just 2 years. The cost understandably varies from country to country. In the US, a data breach can cost over $7M.
[ In the US, a data breach can cost over $7M ]
Not every company will experience a data breach, and not every company that does will lose that much (the cost scales with the number of records lost). Still, it is worth noting that if you do suffer a breach, it is certainly not going to be cheap.
Another thing that jumps out at you in this report is the leading root cause of these data breaches. Ponemon has classified the root causes into three groups:
- malicious or criminal attacks,
- system glitches, and
- human error
As it turns out, 50% of all data breaches are caused by malicious or criminal attacks. That is reason enough to be worried if you are hit by a data breach: it means your data has likely fallen into the hands of people with bad intentions.
[ 50% of data breaches due to malicious attacks ]
There's a big difference between data that simply gets lost and data that's deliberately stolen. For example, if you misplaced a laptop containing hundreds of thousands of customers' personal records and someone happened to find it, it's possible that the person will only be interested in the laptop.
But if the laptop was deliberately stolen for the purpose of acquiring the stored data, there's almost a hundred percent chance the crooks are going to use the data for fraudulent activities, identity theft, blackmail, or other sinister acts that can harm your company or (in cases involving personally identifiable information) the people whose identities have been compromised.
The threat of a malicious attack is one important thing to consider when you do risk analysis for your business. The threat exists and its likelihood of occurrence is high.
Cost can actually be higher
In calculating the organizational cost of a data breach, the folks at Ponemon took into account several possible expenses, including expenses the organization may have incurred in:
- installing detection/discovery solutions
- escalating the incident to technical personnel
- acquiring the services of forensic and legal experts
- outsourcing hotline support
- providing free credit monitoring and identity protection
- issuing replacement credit cards
- allowing discounts for future products and services to affected customers
- breach notification (this can involve posting notices on a web site and major print/broadcast media as well as sending out high volume emails, snail mails, and phone calls)
- abnormal customer churn (a.k.a. loss of customers that may be attributed to the breach)
- diminished customer acquisition rates
- regulatory fines
- and others
Yet in spite of this expansive list of direct and indirect expenses, there are other costs that the report does not include.
These unaccounted costs were recently featured in a paper put together by Deloitte. The paper, entitled Beneath the surface of a cyberattack - A deeper look at business impacts**, includes several intangible and long term costs. It also highlights data breach incidents that don't necessarily include customer or employee records (one of the main attributes of the Ponemon report), like those involving intellectual property.
In one of the sample scenarios given in the paper, Deloitte explained how a US health insurer could suffer losses considered "beneath the surface", i.e. involving costs that aren't normally taken into account. Some of these losses were due to:
- Disruption in business operations when the company shut down a vital component of their IT system to prevent further data leakage;
- Decrease in revenue as a result of member churn, reduced member acquisition, and loss of value of customer relationships;
- Reduction of annual premium increase in order to prevent additional member churn;
- Devaluation of their trade name; and
- Increased cost to raise debt.
Managing the risks
These papers give us a good view of the current threat landscape, which in turn helps us develop a more effective information risk management program. Knowing which threats have a high likelihood of impacting your business will enable you to allocate resources for risk mitigation where they're most needed.
For example, knowing that criminal attacks are the leading cause of data breaches, it would be prudent to put more emphasis on information security countermeasures that address cyber attacks like APTs (advanced persistent threats), man-in-the-middle, malware, DDoS, brute force, social engineering, phishing, and the like.
Fortunately, the Ponemon report itself offers some guidance on where risk mitigation efforts might best be spent. The report identifies certain factors that reduce the cost of a data breach. Here are the top three:
- Presence of an incident response team
- Extensive use of encryption
- Employee training
You can check out the complete list in the report. In the meantime, allow us to explain how these three factors are going to help you reduce cost.
Presence of an incident response team - The impact of a breach can be reduced if you can act immediately once a security incident is discovered. First of all, you might still be able to contain the problem: identify and plug vulnerabilities that were exploited or may still be exploited, and scan your systems for any remaining malware. Secondly, you can quickly start data recovery and business continuity efforts, which minimizes the impact on other parts of your business.
Extensive use of encryption - Strong encryption can render a data breach pretty much harmless. Even if cyber criminals are able to steal your data, they won't be able to use it. Encryption is so effective in this regard that several laws and regulations offer it as safe harbor, especially in breach notification requirements.
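The point above, that stolen data is useless to the thief when it is properly encrypted, is shown below in an added example that is not part of the original article. It uses only the Go standard library: a constructed customer record is sealed with AES-256-GCM, so a copied blob reveals no cleartext, and decryption with the wrong key, a tampered ciphertext or a mismatched record id is rejected rather than returning garbage. The key handling is an assumption for illustration: a real deployment fetches the key from a KMS or HSM and never stores it beside the data, since encryption only provides the safe harbor the text mentions when the attacker does not get the key along with the records.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record (not from either report): the kind of customer
// data a breach exposes when it is stored in the clear.
const sampleRecord = `{"customer_id":"C-1001","name":"J. Doe","card_last4":"4242"}`

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals plaintext under key. A fresh random nonce is prepended
// to the ciphertext, and the authentication tag GCM appends lets
// DecryptRecord reject any modification. aad is authenticated but not hidden;
// passing the record id binds the blob to its row so blobs cannot be swapped.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. It fails on a wrong key, a modified
// ciphertext or a mismatched aad.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ContainsPlaintext is a sanity check on what someone who copies the stored
// blob actually sees: true means cleartext leaked into storage.
func ContainsPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	// Assumption: in production the key comes from a KMS or HSM and is never
	// stored next to the data it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("C-1001")

	blob, err := EncryptRecord(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored blob:", hex.EncodeToString(blob))
	fmt.Println("name visible in storage:", ContainsPlaintext(blob, []byte("J. Doe")))

	// A copy of the blob without the key, or with one byte changed, is useless.
	_, err = DecryptRecord(make([]byte, 32), blob, aad)
	fmt.Println("decrypt with wrong key:", err)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, tampered, aad)
	fmt.Println("decrypt tampered blob:", err)

	pt, err := DecryptRecord(key, blob, aad)
	fmt.Println("decrypt with right key:", string(pt), err)
}
```

The design choice worth noting is the authenticated mode: plain AES-CBC would also hide the record, but GCM additionally refuses to decrypt anything that was altered, and the record id in the associated data stops one customer's blob from being silently moved under another customer's row.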
Employee training - One key ingredient in most cyber attacks is social engineering. Because social engineering targets your employees (often considered the weakest link in information security), the best way to counter it is to make sure your employees are well informed and trained. Simple but nevertheless critical practices like never sharing passwords, being alert when receiving email attachments, being quick to report suspicious activity and never installing rogue software can substantially reduce the chance of a breach.
References
* 2016 Ponemon Cost of Data Breach Study
** Deloitte paper "Beneath the surface of a cyberattack - A deeper look at business impacts"