Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/27/2015
07:20 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

What Data Breaches Now Cost And Why

New Ponemon report says the cost of a data breach has increased by 23% and healthcare and education breaches are the most pricey.

The actual cost of a data breach is all about industry sector and location, location, location. Healthcare and education sectors incur the highest breach costs of all industries, and Germany and the US cost victim organizations more than anywhere else in the world. Such incidents in Brazil and India cost the least, according to the new Ponemon Group 2015 Cost of a Data Breach Study: Global Analysis.

Meanwhile, the average total cost of a data breach worldwide jumped a whopping 23% in 2014 -- to $3.8 million, and the average cost of a stolen record containing sensitive information increased from $145 to $154, an increase of more than 6%. Ponemon attributes those higher numbers in part to the volume of attacks, loss of business or customers, and the amount victim organizations are spending on incident response.

Ponemon also found that the cost of a data breach actually drops when a company's board of directors plays a more prominent role in the wake of a breach or when a company purchases breach insurance. An involved board of directors knocks down the per capita cost of a breach by $5.50, and insurance, by $4.40.

An incident response team cuts the per capita cost by $12.60, while wide use of encryption decreases the cost by $12; training employees, by $8; and business continuity management, $7.10.

"That was a pleasant surprise," says Caleb Barlow, vice president for IBM Security, which commissioned the Ponemon study. "This is as much of a game about being proactive as having good defenses."

On the flip side, the per capita cost of a breach goes up when a third-party organization is part of the breach equation (think Target's HVAC supplier) -- by some $16. Several other factors also contribute to higher cost of a breach, including lost or stolen devices ($9); a "rush" to notification of a breach ($8.90); and hiring consultants to assist in the response process ($4.50).

Canada and Germany are the least likely countries for companies to suffer breaches, while Brazil and France are the most targeted nations of breaches with at least 10,000 data records stolen, according to data gathered for the report from 350 companies around the world.

"Germany is always an outlier in efficiency, strong governmance, and certifying … standards," says Larry Ponemon, chairman and founder of The Ponemon Institute. "They are also more likely to invest in encryption," for example, he says.

Canada's compliance orientation and strong data privacy protection is likely a factor in its fewer breaches, he says.

Industry-wise, a stolen healthcare record costs an organization some $363 per record and a stolen education sector record, up to $300 record. For retail, it's $165 per record--up from $105 in 2014 mainly due to the rash of breaches in that industry. Transportation ($121) and the public sector ($68) incur the lowest cost per stolen record.

Barlow says the dramatic difference in costs of healthcare records in healthcare versus other industries reflects the long shelf life of the data in those records such as social security numbers, and other personal information. "The long-term implications are significant," Barlow says. "It could be a problem 15 years down the road," for example, he says.

"This really underscores how you need to separate identity and access: SSNs are about identity and shouldn't be used for access. The problem is they're being used for both," Barlow says.

In the US, the cost per stolen record is $217 and in Germany, $211. The total cost of a data breach is an average of $6.5 million in the US and $4.9 million in Germany. Brazil and India were on the other end of the spectrum, with the average cost per record at $78 in Brazil and $56 in India. The average cost of a breach to an organization in Brazil was $1.8 million and in India, $1.5 million.

Why the much lower numbers in Brazil and India? "A lot of the costs are indirectly or directly related to labor costs: in India and Brazil, there are lower costs for labor, such as assembling a forensic team" as well as associated economic factors, says Larry Ponemon.

Meanwhile, the report says there are three main drivers for the continued rise in the cost of a breach: the number of attacks continue to increase, with the associated costs to clean up; the financial fallout of lost customers is adding to the breach cost; and victim organizations are spending more on forensic investigations, assessments, and incident response team management.

Cybercrime and malicious insider attacks are the most costly, the report found, at a price of $170 per stolen record versus $142 for system glitches and $137 for human error. It takes an average of 256 days to spot a data breach caused by a malicious attack, and 158 days to catch one caused by human error, the report found. "We kind of already know that about 80% of all attacks come from organized crime," IBM's Barlow says. "They're probably better-funded that your own IT security team."

The full report is available here for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/27/2015 | 1:23:16 PM
Organized Crime
By organized crime, are breaches typically most seen driven by Nation-States or malicious groups that governing themselves (Ex: Lizard Squad)?

 

Also, what are some measures that could reduce the cost and detection timing of a breach? I would think that the organizations in the report vary in there security architectures making some more efficient to detect and others less so. As well as the cost to mitigate the breach. What are the contributing factors?

 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/30/2015 | 11:32:23 PM
Re: Organized Crime
@Ryan: This is exactly what I was thinking.

At what point do organized crime from abroad (or even, in some cases, domestically) and cyber-terrorism overlap?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/30/2015 | 11:34:40 PM
Board
The role of the board of directors reducing the cost of a data breach is not particularly surprising.  One of the things discussed at the recent MIT Sloan CIO Symposium was the conflict of interest that CIOs have, fundamentally, with the CISO's office and ensuring good cybersecurity.  Mixing security with operations can be dangerous because the goals can often be conflicting or mutually exclusive -- particularly when budgetary and political issues are at play.

More than one of the cybersecurity experts there recommended that the CISO not answer to th CIO, and instead answer to a non-tech role, such as the board of directors (if not the CFO or CEO).
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/31/2015 | 11:33:47 PM
Re: Board
Very interesting having the CISO not report to the CIO. It seems that from a compartmentalization standpoint it would make the most sense but I have seen first hand the budgetary concerns when the CISO does report to the CIO. It's never that the security initiatives are not important, it just seems, and in some cases it may be so(infrastructure), that other technology endeavors take precedence.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/1/2015 | 10:22:47 AM
Re: Organized Crime
Hey @RyanSepe. The organized crime hackers the report refers to are mainly Eastern Europen organizations who use cybercrime as a way to profit. Nation-states are still a small % overall of attacks, as are hacktivists like Lizard Squad. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/1/2015 | 10:26:59 AM
Re: Organized Crime
Thank you. In that case, I thought that EU had very stringent infosec rules and protocols. Are they enforced by those nations or why are they so prevalent on a group scale? Is it anonymity by the organization or apathy by the state in which they reside?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/1/2015 | 10:29:06 AM
Re: Organized Crime
It's easy to hide behind layers of phony IPs, etc., but the main problem are nations in E. Europe that wink-wink cybercriminal behavior and don't extradite them to nations that investigate the activity.
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Inside North Korea's Rapid Evolution to Cyber Superpower
Kelly Sheridan, Staff Editor, Dark Reading,  12/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27409
PUBLISHED: 2020-12-04
OpenSIS Community Edition before 7.5 is affected by a cross-site scripting (XSS) vulnerability in SideForStudent.php via the modname parameter.
CVE-2020-27408
PUBLISHED: 2020-12-04
OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.
CVE-2020-27765
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause ot...
CVE-2020-27766
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long`. This would most likely lead to an impact to application availability, b...
CVE-2020-27767
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of types `float` and `unsigned char`. This would most likely lead to an impact to application avai...