Dark Reading is part of the Informa Tech Division of Informa PLC

News & Commentary

5/8/2018 02:00 PM
Jeremy Wittkop
Commentary

Properly Framing the Cost of a Data Breach

The expenses and actions typically associated with a cyberattack are not all created equal. Here's how to explain what's important to the C-suite and board.

There is a lot of research, including Ponemon's annual Cost of a Data Breach study, that does a good job of quantifying the average cost of each record lost across a large sample of breaches. Ponemon's research also provides genuinely interesting information about the difference between the direct and indirect costs of a breach across multiple countries. It is a must-read for me every year as soon as it is released.

However, the challenge with applying current cost-of-a-data-breach reports to the organizations I work with is that this research, taken at face value, yields a graph of breach cost by breach size that is linear: the cost is simply an average cost per record multiplied by the number of records lost.

Chart 1: Sample data breach costs based on estimates from current studies. (Source: Jeremy Wittkop)

In my experience, such a graph does not reflect reality. It is far too simple. What is missing from traditional linear charts are at least two major inflection points that represent the escalation of awareness surrounding an organization's breach.

Who Knows What, When?
All breaches incur a minimum cost for identification and remediation, essentially a cost of entry. From that entry point the curve flattens until the size of the breach hits its first inflection point: organizational awareness. Beyond that, two further thresholds can cause a second and even a third inflection point. These thresholds relate to awareness outside the organization: first within the security community, then among the general public and the press.

The trigger for the second inflection point is when security nerds like me pay attention, start talking about it, start writing about it, and begin using it as an example in presentations, podcasts and blogs. The third inflection point is triggered when a breach becomes big enough news that it hits the mainstream and everyone becomes aware of it. You can use different logical tests to determine whether a breach has hit the mainstream, but I like the non-technical family member test: the moment my least security-minded or technically inclined family member starts asking me about a breach, I know it is a mainstream event.

The existence of these inflection points became apparent to me as I was reading an entertaining report in USA Today about the top 20 most hated companies in the United States. As I scrolled up the list from the bottom, I passed Harvey Weinstein's company, airlines that beat and bloodied their passengers, and companies that had suffered various public relations disasters. In the number one spot I found Equifax. Another article about Equifax described how, as a publicly traded company, it had lost 31% of its market capitalization, more than $5 billion, since the breach.

Breaches that Increase Data Breach Costs
Another fun research project is to look for inflection points that reflect an increase in the cost of a data breach over time. For example, if you compare Target's top-line sales in Q3 of the year of its breach with Q3 of the following year, you will see a decline in sales of more than $1 billion, or 20%, in an industry sector that actually grew over the same period. So while the initial breach occurred over a bounded period of time, the organization continued to experience longer-term effects.

Bottom line: if an organization does not disclose properly, does not know the extent of a breach, or is not forthcoming with information to the public, the resulting negative publicity increases the indirect costs of the breach.

Chart 2: Data breach cost estimates as they actually happen. (Source: Jeremy Wittkop)

If a CIO, CISO or other person responsible for data security only presents damages to the rest of the executive team as a cost per record, the executive team or board may not think about, or be able to visualize, how different types of incident would affect the organization financially. To do so, you must account for the different categories of incident and what each inflection point represents. A minor event (Inflection Point 1: Security incident becomes more widely known) won't gather much attention outside the organization and is often accidental. It typically can be contained with commonly available security tools and may not need to be reported externally.

The second type of event (Inflection Point 2: Security incident hits the mainstream) occurs when organizations start to evaluate brand impact and the cost per record starts to increase. Most security professionals, for example, are familiar with the Deloitte breach, but most non-security people are not.

The final breach category (Inflection Point 3: Ongoing media coverage and remediation) would likely make the nightly news and have a major impact on enterprise value. The majority of companies in the world do not hold enough data for a breach to rise to this level. For those that do, however, there are few security expenses that are not justified if they can materially reduce the likelihood of such an event.
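To make the contrast between the linear estimate (Chart 1) and the step-shaped estimate (Chart 2) concrete, here is a small Python model of breach cost with awareness inflection points. It is added here as an illustration and is not code, chart data or figures from the original article, from Ponemon, or from the author. Every threshold, per-record rate, fixed cost and the 1.5x penalty for poor disclosure is an assumed placeholder chosen only to make the step shape visible; substitute your own estimates before using it in an investment case.

```python
"""Breach cost as a step function of awareness rather than a straight line.

Illustrative model added to accompany the article. The tiers, thresholds
and dollar amounts below are ASSUMPTIONS, not the author's chart data and
not Ponemon figures. Replace them with your own estimates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    min_records: int            # breach size at which this tier begins (assumed)
    direct_per_record: float    # notification, forensics, credit monitoring (assumed)
    indirect_per_record: float  # churn, brand damage, lost sales (assumed)
    fixed_cost: float           # one-off cost incurred when the tier is reached (assumed)


# Minimum cost of entry: every breach pays for identification and remediation.
ENTRY_COST = 250_000.0  # assumed

# Inflection points, ordered by breach size. Indirect cost per record is zero
# while the incident stays contained and rises at each awareness threshold.
TIERS = (
    Tier("contained", 0, 50.0, 0.0, 0.0),
    Tier("organizational awareness", 1_000, 50.0, 25.0, 250_000.0),
    Tier("security community awareness", 100_000, 50.0, 80.0, 2_000_000.0),
    Tier("mainstream awareness", 10_000_000, 50.0, 100.0, 100_000_000.0),
)

# Assumed uplift on indirect costs when disclosure is late, partial or evasive.
POOR_DISCLOSURE_MULTIPLIER = 1.5


def awareness_tier(records: int) -> Tier:
    """Highest tier whose size threshold the breach has crossed."""
    reached = [t for t in TIERS if records >= t.min_records]
    return reached[-1]


def linear_cost(records: int, per_record: float = 150.0) -> float:
    """Straight-line estimate: an assumed average cost per record times records (Chart 1 shape)."""
    return records * per_record


def breach_cost(records: int, poor_disclosure: bool = False) -> dict:
    """Step-function estimate (Chart 2 shape).

    Fixed costs accumulate as each inflection point is passed. The per-record
    rates of the highest tier reached apply to every record, because churn and
    brand damage attach to the incident as a whole, not to the marginal record.
    """
    tier = awareness_tier(records)
    fixed = ENTRY_COST + sum(t.fixed_cost for t in TIERS if records >= t.min_records)
    direct = records * tier.direct_per_record
    indirect = records * tier.indirect_per_record
    if poor_disclosure:
        indirect *= POOR_DISCLOSURE_MULTIPLIER
    return {
        "tier": tier.name,
        "fixed": fixed,
        "direct": direct,
        "indirect": indirect,
        "total": fixed + direct + indirect,
    }


def cost_table(sizes):
    """Rows of (records, tier, linear estimate, step estimate, step estimate with poor disclosure)."""
    return [
        (
            n,
            awareness_tier(n).name,
            linear_cost(n),
            breach_cost(n)["total"],
            breach_cost(n, poor_disclosure=True)["total"],
        )
        for n in sizes
    ]


if __name__ == "__main__":
    # Sizes chosen to straddle each assumed threshold so the jumps are visible.
    for n, tier, lin, step, step_bad in cost_table([500, 999, 1_000, 99_999, 100_000, 10_000_000]):
        print(f"{n:>11,}  {tier:<30}  linear ${lin:>16,.0f}  step ${step:>16,.0f}  poor disclosure ${step_bad:>16,.0f}")
```

The interesting rows are the pairs on either side of a threshold: one extra record turns 999 into 1,000 and the step estimate jumps, while the linear estimate moves by a single per-record increment. That discontinuity is the inflection point the article describes, and the `poor_disclosure` column is where the disclosure argument shows up as money rather than as a warning.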

I am not proposing that companies hide breach incidents from their clients. My point is that the costs associated with events are not equal and do not follow a linear path. The type of incident, its size, its overall impact, and the mitigation process all affect the actual cost of a breach, which is a concept that is critical for executive teams and boards to understand. As security professionals, we must spend more time trying to build and perfect realistic investment models, and less time cheapening our mission by sowing seeds of fear, uncertainty and doubt. All of that starts with calculating the true cost of a data breach.


Jeremy Wittkop is chief technology officer at Denver-based InteliSecure (http://www.intelisecure.com), where he leads a frontline team that investigates and ensures the integrity and functionality of every custom solution designed for its clients. He evaluates new offerings for ...
Comments

managedoutsource (User Rank: Apprentice), 6/18/2018 5:01:35 AM
Thank you for sharing
While all kinds of data breaches can be expensive, it was great for this article to break this down for better understanding.

jeremy_wittkop (User Rank: Author), 5/9/2018 2:58:01 PM
Re: All good points .... but
Thank you for the comment! I understand the frustration when ridiculous comments such as that are made by members of leadership who should know that if one individual can cause the entire program to fail, it is the program that is broken. I also understand the frustration of the general public when Equifax's board of directors were re-elected after the breach. I would suggest that the root of the problem with Equifax is that they have a business model that is compulsory for data subjects. These types of issues are the reason that data privacy regulations are being passed in major markets around the world.

I would suggest, from my conversations with executive leadership, that organizations that must ask for permission from data subjects to gather their information, and who ultimately must win their business, are much more sensitive to how they handle personal information. Ultimately, we are in a consumer-driven economy. If the general public decides that the ways in which companies secure their personal data will impact their purchasing decisions, the business community will identify those trends and respond accordingly.

REISEN1955 (User Rank: Ninja), 5/8/2018 2:22:01 PM
All good points .... but
Remember the attitude of the Equifax C-suite when the CEO blamed the entire catastrophe on ONE, JUST ONE, IT staffer who failed to perform an update. Lunacy and ignorance all combined into one stupid comment. If THIS is the attitude and understanding the C-suite has of IT as a business practice, then all your points are worthless. Oh, BTW - staffers are always cheaper in Bangalore too.