What Data Breaches Now Cost And Why
The actual cost of a data breach is all about industry sector and location, location, location. Healthcare and education sectors incur the highest breach costs of all industries, and Germany and the US cost victim organizations more than anywhere else in the world. Such incidents in Brazil and India cost the least, according to the new Ponemon Group 2015 Cost of a Data Breach Study: Global Analysis.
Meanwhile, the average total cost of a data breach worldwide jumped a whopping 23% in 2014 -- to $3.8 million, and the average cost of a stolen record containing sensitive information increased from $145 to $154, an increase of more than 6%. Ponemon attributes those higher numbers in part to the volume of attacks, loss of business or customers, and the amount victim organizations are spending on incident response.
Ponemon also found that the cost of a data breach actually drops when a company's board of directors plays a more prominent role in the wake of a breach or when a company purchases breach insurance. An involved board of directors knocks down the per capita cost of a breach by $5.50, and insurance, by $4.40.
An incident response team cuts the per capita cost by $12.60, while wide use of encryption decreases the cost by $12; training employees, by $8; and business continuity management, $7.10.
"That was a pleasant surprise," says Caleb Barlow, vice president for IBM Security, which commissioned the Ponemon study. "This is as much of a game about being proactive as having good defenses."
On the flip side, the per capita cost of a breach goes up when a third-party organization is part of the breach equation (think Target's HVAC supplier) -- by some $16. Several other factors also contribute to higher cost of a breach, including lost or stolen devices ($9); a "rush" to notification of a breach ($8.90); and hiring consultants to assist in the response process ($4.50).
Canada and Germany are the least likely countries for companies to suffer breaches, while Brazil and France are the most targeted nations of breaches with at least 10,000 data records stolen, according to data gathered for the report from 350 companies around the world.
"Germany is always an outlier in efficiency, strong governmance, and certifying … standards," says Larry Ponemon, chairman and founder of The Ponemon Institute. "They are also more likely to invest in encryption," for example, he says.
Canada's compliance orientation and strong data privacy protection is likely a factor in its fewer breaches, he says.
Industry-wise, a stolen healthcare record costs an organization some $363 per record and a stolen education sector record, up to $300 record. For retail, it's $165 per record--up from $105 in 2014 mainly due to the rash of breaches in that industry. Transportation ($121) and the public sector ($68) incur the lowest cost per stolen record.
Barlow says the dramatic difference in costs of healthcare records in healthcare versus other industries reflects the long shelf life of the data in those records such as social security numbers, and other personal information. "The long-term implications are significant," Barlow says. "It could be a problem 15 years down the road," for example, he says.
"This really underscores how you need to separate identity and access: SSNs are about identity and shouldn't be used for access. The problem is they're being used for both," Barlow says.
In the US, the cost per stolen record is $217 and in Germany, $211. The total cost of a data breach is an average of $6.5 million in the US and $4.9 million in Germany. Brazil and India were on the other end of the spectrum, with the average cost per record at $78 in Brazil and $56 in India. The average cost of a breach to an organization in Brazil was $1.8 million and in India, $1.5 million.
Why the much lower numbers in Brazil and India? "A lot of the costs are indirectly or directly related to labor costs: in India and Brazil, there are lower costs for labor, such as assembling a forensic team" as well as associated economic factors, says Larry Ponemon.
Meanwhile, the report says there are three main drivers for the continued rise in the cost of a breach: the number of attacks continue to increase, with the associated costs to clean up; the financial fallout of lost customers is adding to the breach cost; and victim organizations are spending more on forensic investigations, assessments, and incident response team management.
Cybercrime and malicious insider attacks are the most costly, the report found, at a price of $170 per stolen record versus $142 for system glitches and $137 for human error. It takes an average of 256 days to spot a data breach caused by a malicious attack, and 158 days to catch one caused by human error, the report found. "We kind of already know that about 80% of all attacks come from organized crime," IBM's Barlow says. "They're probably better-funded that your own IT security team."
The full report is available here for download.
Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full BioComment |
Print |
More Insights
Comments
Newest First | Oldest First | Threaded View
Re: Organized Crime
It's easy to hide behind layers of phony IPs, etc., but the main problem are nations in E. Europe that wink-wink cybercriminal behavior and don't extradite them to nations that investigate the activity.
Re: Organized Crime
Thank you. In that case, I thought that EU had very stringent infosec rules and protocols. Are they enforced by those nations or why are they so prevalent on a group scale? Is it anonymity by the organization or apathy by the state in which they reside?
Re: Organized Crime
Hey @RyanSepe. The organized crime hackers the report refers to are mainly Eastern Europen organizations who use cybercrime as a way to profit. Nation-states are still a small % overall of attacks, as are hacktivists like Lizard Squad.
Re: Board
Very interesting having the CISO not report to the CIO. It seems that from a compartmentalization standpoint it would make the most sense but I have seen first hand the budgetary concerns when the CISO does report to the CIO. It's never that the security initiatives are not important, it just seems, and in some cases it may be so(infrastructure), that other technology endeavors take precedence.
Board
The role of the board of directors reducing the cost of a data breach is not particularly surprising. One of the things discussed at the recent MIT Sloan CIO Symposium was the conflict of interest that CIOs have, fundamentally, with the CISO's office and ensuring good cybersecurity. Mixing security with operations can be dangerous because the goals can often be conflicting or mutually exclusive -- particularly when budgetary and political issues are at play.
More than one of the cybersecurity experts there recommended that the CISO not answer to th CIO, and instead answer to a non-tech role, such as the board of directors (if not the CFO or CEO).
More than one of the cybersecurity experts there recommended that the CISO not answer to th CIO, and instead answer to a non-tech role, such as the board of directors (if not the CFO or CEO).
Re: Organized Crime
@Ryan: This is exactly what I was thinking.
At what point do organized crime from abroad (or even, in some cases, domestically) and cyber-terrorism overlap?
At what point do organized crime from abroad (or even, in some cases, domestically) and cyber-terrorism overlap?
Organized Crime
By organized crime, are breaches typically most seen driven by Nation-States or malicious groups that governing themselves (Ex: Lizard Squad)?
Also, what are some measures that could reduce the cost and detection timing of a breach? I would think that the organizations in the report vary in there security architectures making some more efficient to detect and others less so. As well as the cost to mitigate the breach. What are the contributing factors?
Also, what are some measures that could reduce the cost and detection timing of a breach? I would think that the organizations in the report vary in there security architectures making some more efficient to detect and others less so. As well as the cost to mitigate the breach. What are the contributing factors?
White Papers
Video
1 Comments
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2018-10839
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
PUBLISHED: 2018-10-16
From DHS/US-CERT's National Vulnerability Database CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2018 UBM, All rights reserved
Tweet This