Attacks/Breaches
5/27/2015
07:20 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

What Data Breaches Now Cost And Why

New Ponemon report says the cost of a data breach has increased by 23% and healthcare and education breaches are the most pricey.

The actual cost of a data breach is all about industry sector and location, location, location. Healthcare and education sectors incur the highest breach costs of all industries, and Germany and the US cost victim organizations more than anywhere else in the world. Such incidents in Brazil and India cost the least, according to the new Ponemon Group 2015 Cost of a Data Breach Study: Global Analysis.

Meanwhile, the average total cost of a data breach worldwide jumped a whopping 23% in 2014 -- to $3.8 million, and the average cost of a stolen record containing sensitive information increased from $145 to $154, an increase of more than 6%. Ponemon attributes those higher numbers in part to the volume of attacks, loss of business or customers, and the amount victim organizations are spending on incident response.

Ponemon also found that the cost of a data breach actually drops when a company's board of directors plays a more prominent role in the wake of a breach or when a company purchases breach insurance. An involved board of directors knocks down the per capita cost of a breach by $5.50, and insurance, by $4.40.

An incident response team cuts the per capita cost by $12.60, while wide use of encryption decreases the cost by $12; training employees, by $8; and business continuity management, $7.10.

"That was a pleasant surprise," says Caleb Barlow, vice president for IBM Security, which commissioned the Ponemon study. "This is as much of a game about being proactive as having good defenses."

On the flip side, the per capita cost of a breach goes up when a third-party organization is part of the breach equation (think Target's HVAC supplier) -- by some $16. Several other factors also contribute to higher cost of a breach, including lost or stolen devices ($9); a "rush" to notification of a breach ($8.90); and hiring consultants to assist in the response process ($4.50).

Canada and Germany are the least likely countries for companies to suffer breaches, while Brazil and France are the most targeted nations of breaches with at least 10,000 data records stolen, according to data gathered for the report from 350 companies around the world.

"Germany is always an outlier in efficiency, strong governmance, and certifying … standards," says Larry Ponemon, chairman and founder of The Ponemon Institute. "They are also more likely to invest in encryption," for example, he says.

Canada's compliance orientation and strong data privacy protection is likely a factor in its fewer breaches, he says.

Industry-wise, a stolen healthcare record costs an organization some $363 per record and a stolen education sector record, up to $300 record. For retail, it's $165 per record--up from $105 in 2014 mainly due to the rash of breaches in that industry. Transportation ($121) and the public sector ($68) incur the lowest cost per stolen record.

Barlow says the dramatic difference in costs of healthcare records in healthcare versus other industries reflects the long shelf life of the data in those records such as social security numbers, and other personal information. "The long-term implications are significant," Barlow says. "It could be a problem 15 years down the road," for example, he says.

"This really underscores how you need to separate identity and access: SSNs are about identity and shouldn't be used for access. The problem is they're being used for both," Barlow says.

In the US, the cost per stolen record is $217 and in Germany, $211. The total cost of a data breach is an average of $6.5 million in the US and $4.9 million in Germany. Brazil and India were on the other end of the spectrum, with the average cost per record at $78 in Brazil and $56 in India. The average cost of a breach to an organization in Brazil was $1.8 million and in India, $1.5 million.

Why the much lower numbers in Brazil and India? "A lot of the costs are indirectly or directly related to labor costs: in India and Brazil, there are lower costs for labor, such as assembling a forensic team" as well as associated economic factors, says Larry Ponemon.

Meanwhile, the report says there are three main drivers for the continued rise in the cost of a breach: the number of attacks continue to increase, with the associated costs to clean up; the financial fallout of lost customers is adding to the breach cost; and victim organizations are spending more on forensic investigations, assessments, and incident response team management.

Cybercrime and malicious insider attacks are the most costly, the report found, at a price of $170 per stolen record versus $142 for system glitches and $137 for human error. It takes an average of 256 days to spot a data breach caused by a malicious attack, and 158 days to catch one caused by human error, the report found. "We kind of already know that about 80% of all attacks come from organized crime," IBM's Barlow says. "They're probably better-funded that your own IT security team."

The full report is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/1/2015 | 10:29:06 AM
Re: Organized Crime
It's easy to hide behind layers of phony IPs, etc., but the main problem are nations in E. Europe that wink-wink cybercriminal behavior and don't extradite them to nations that investigate the activity.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/1/2015 | 10:26:59 AM
Re: Organized Crime
Thank you. In that case, I thought that EU had very stringent infosec rules and protocols. Are they enforced by those nations or why are they so prevalent on a group scale? Is it anonymity by the organization or apathy by the state in which they reside?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/1/2015 | 10:22:47 AM
Re: Organized Crime
Hey @RyanSepe. The organized crime hackers the report refers to are mainly Eastern Europen organizations who use cybercrime as a way to profit. Nation-states are still a small % overall of attacks, as are hacktivists like Lizard Squad. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/31/2015 | 11:33:47 PM
Re: Board
Very interesting having the CISO not report to the CIO. It seems that from a compartmentalization standpoint it would make the most sense but I have seen first hand the budgetary concerns when the CISO does report to the CIO. It's never that the security initiatives are not important, it just seems, and in some cases it may be so(infrastructure), that other technology endeavors take precedence.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/30/2015 | 11:34:40 PM
Board
The role of the board of directors reducing the cost of a data breach is not particularly surprising.  One of the things discussed at the recent MIT Sloan CIO Symposium was the conflict of interest that CIOs have, fundamentally, with the CISO's office and ensuring good cybersecurity.  Mixing security with operations can be dangerous because the goals can often be conflicting or mutually exclusive -- particularly when budgetary and political issues are at play.

More than one of the cybersecurity experts there recommended that the CISO not answer to th CIO, and instead answer to a non-tech role, such as the board of directors (if not the CFO or CEO).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/30/2015 | 11:32:23 PM
Re: Organized Crime
@Ryan: This is exactly what I was thinking.

At what point do organized crime from abroad (or even, in some cases, domestically) and cyber-terrorism overlap?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/27/2015 | 1:23:16 PM
Organized Crime
By organized crime, are breaches typically most seen driven by Nation-States or malicious groups that governing themselves (Ex: Lizard Squad)?

 

Also, what are some measures that could reduce the cost and detection timing of a breach? I would think that the organizations in the report vary in there security architectures making some more efficient to detect and others less so. As well as the cost to mitigate the breach. What are the contributing factors?

 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Tim Wilson speaks to two experts on vulnerability research – independent consultant Jeremiah Grossman and Black Duck Software’s Mike Pittenger – about the latest wave of vulnerabilities being exploited by online attackers