News & Commentary
5/8/2018 02:00 PM
Jeremy Wittkop
Commentary
Properly Framing the Cost of a Data Breach

The expenses and actions typically associated with a cyberattack are not all created equal. Here's how to explain what's important to the C-suite and board.

There is a lot of research, including Ponemon’s annual Cost of a Data Breach study, that does a good job of quantifying the average cost of each record lost across a large sample of breaches. Ponemon’s research also provides some really interesting information about the difference between direct and indirect costs of a breach across multiple countries. It is a must-read for me every year as soon as it is released.

However, the challenge with leveraging current cost of a data breach reports with the organizations I work with is that this type of research, when applied, yields a graph of breach cost by size that is linear in nature.

Chart 1: Sample data breach costs based on estimates from current studies. (Source: Jeremy Wittkop)

From my experience, such a graph does not reflect reality. It’s far too simple. What's missing from traditional linear charts are at least two major inflection points that represent the escalation of awareness surrounding an organization’s breach.

Who Knows What, When?
All breaches incur a minimum cost related to identification and remediation, essentially a minimum cost of entry. This entry point is followed by a flattening curve until the size of the breach hits its first inflection point – organizational awareness. In addition, there are two thresholds that may cause a second and even a third inflection point. These thresholds relate to general public awareness and press coverage.

The trigger for a second inflection point is when security nerds like me pay attention, start talking about it, start writing about it, and begin using it as examples in presentations, podcasts and blogs. A third inflection point is triggered when a breach becomes big enough news that it hits the mainstream and everyone becomes aware of it. You can use different logical tests to determine whether a breach has hit mainstream, but I like the non-technical family member test. This is when my least security-minded or technically inclined family member starts asking me about a breach. At that point, I know it is a mainstream event.

The existence of these inflection points became apparent to me as I was reading an entertaining report in USA Today about the top 20 most hated companies in the United States. As I scrolled up the list from the bottom, I passed Harvey Weinstein’s company, airlines that beat and bloodied their passengers, and companies that have experienced various public relations disasters. In the number one spot I found Equifax. Another article about Equifax described how, as a publicly traded company, it had lost 31% of its market capitalization (a measure of the value of the company), totaling over $5 billion, since the breach.

Breaches that Increase Data Breach Costs
Another fun research project is to look at inflection points that reflect an increase in the cost of a data breach. For example, if you review Target’s top-line sales in Q3 of the year of the breach and Q3 of the year after, you will see a decline in sales of more than $1 billion, or 20%. This is in an industry sector that actually grew during the same period. So, while the initial breach occurred over a set period of time, the organization continues to experience longer-term effects.

Bottom line: if an organization does not properly disclose, does not know the extent of a breach, or isn’t forthcoming with information to the public, the additional negative publicity will increase the indirect costs related to a breach.

Chart 2: Data breach cost estimates as they actually happen. (Source: Jeremy Wittkop)

If a CIO, CISO or other person responsible for maintaining data security only provides the rest of the executive team with damages based on a cost per record, the executive team or board may not be thinking about, or be able to visualize, how different types of incidents would affect the organization monetarily. To do so, you must account for different categories of incidents and for what the inflection points represent. A minor event (Inflection Point 1: security incident becomes more widely known) won’t gather much attention outside the organization and is often accidental. It typically can be minimized with commonly available security tools and may not be required to be reported externally.

The second type of event (Inflection Point 2: security incident hits the mainstream) occurs when organizations start to evaluate brand impact and the cost per record starts to increase. Most security professionals, for example, are familiar with the Deloitte breach, but most non-security people are not.

The final breach category (Inflection Point 3: ongoing media coverage and remediation) would likely make the nightly news and have a major impact on enterprise value. The majority of companies in the world do not have enough data for a breach to rise to this level. However, for those that do, there are few security expenses that are not justified if they can materially reduce the likelihood of such an event.
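As an added illustration that is not from the article, the following Python model encodes the shape of the cost curve described above: a fixed entry cost, direct costs that flatten as the breach grows, and a step-up in indirect costs at each of the three inflection points, set beside the straight-line cost-per-record estimate. Every threshold and multiplier here is a constructed assumption for illustration, not the author's or Ponemon's figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CostModel:
    """Constructed parameters for the curve; none are figures from the article."""
    entry_cost: float = 250_000.0   # minimum identification and remediation cost
    per_record: float = 150.0       # per-record cost used by the straight-line model
    # record counts at which awareness escalates (assumed thresholds)
    t_internal: int = 1_000         # inflection 1: incident becomes widely known in the org
    t_community: int = 100_000      # inflection 2: security community / mainstream notice
    t_mainstream: int = 10_000_000  # inflection 3: ongoing media coverage and remediation
    # indirect-cost multipliers applied once a threshold is crossed (assumed)
    multipliers: tuple = (1.0, 1.5, 3.0, 8.0)


def linear_cost(records: int, m: CostModel = CostModel()) -> float:
    """Traditional estimate: average cost per record times records lost."""
    return m.per_record * max(records, 0)


def escalation_tier(records: int, m: CostModel = CostModel()) -> int:
    """0 = contained, 1 = known internally, 2 = security community, 3 = mainstream."""
    return sum(1 for t in (m.t_internal, m.t_community, m.t_mainstream) if records >= t)


def inflection_cost(records: int, m: CostModel = CostModel()) -> float:
    """Entry cost plus a flattening direct-cost curve, stepped up at each
    awareness threshold the breach size has crossed."""
    if records <= 0:
        return 0.0
    # direct costs grow sub-linearly (notification and forensics scale better than 1:1)
    direct = m.entry_cost + m.per_record * records ** 0.8
    return direct * m.multipliers[escalation_tier(records, m)]


def compare(records: int, m: CostModel = CostModel()) -> dict:
    """Side-by-side view of both estimates for one incident size."""
    return {
        "records": records,
        "tier": escalation_tier(records, m),
        "linear_estimate": round(linear_cost(records, m)),
        "inflection_estimate": round(inflection_cost(records, m)),
    }


if __name__ == "__main__":
    for n in (100, 999, 1_000, 100_000, 10_000_000):
        print(compare(n))
```

Plotting `inflection_cost` against `linear_cost` over a range of record counts reproduces the step-shaped curve of Chart 2 next to the straight line of Chart 1.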

I am not proposing that companies hide breach incidents from their clients. My point is that costs associated with events are not equal and do not follow a linear path. The type of incident, its size, overall impact, and the mitigation process all affect the actual cost of a breach, which is a concept that is critical for executive teams and boards to understand. As security professionals, we must spend more time trying to build and perfect realistic investment models, and less time cheapening our mission by sowing seeds of fear, uncertainty and doubt. All of that starts with calculating the true cost of a data breach.

Jeremy Wittkop is chief technology officer at Denver-based InteliSecure (http://www.intelisecure.com), where he leads a frontline team that investigates and ensures the integrity and functionality of every custom solution designed for its clients. He evaluates new offerings for ...

Comments
managedoutsource, User Rank: Apprentice
6/18/2018 | 5:01:35 AM
Thank you for sharing
While all kinds of data breaches can be expensive, it was great for this article to break this down for better understanding.
jeremy_wittkop, User Rank: Author
5/9/2018 | 2:58:01 PM
Re: All good points .... but
Thank you for the comment! I understand the frustration when ridiculous comments such as that are made by members of leadership who should know that if one individual can cause the entire program to fail, it is the program that is broken. I also understand the frustration of the general public when Equifax's board of directors were re-elected after the breach. I would suggest that the root of the problem with Equifax is that they have a business model that is compulsory for data subjects. These types of issues are the reason that data privacy regulations are being passed in major markets around the world.

I would suggest, from my conversations with executive leadership, that organizations that must ask data subjects for permission to gather their information, and who ultimately must win their business, are much more sensitive to how they handle personal information. Ultimately, we are in a consumer-driven economy. If the general public decides that the ways in which companies secure their personal data will impact their purchasing decisions, the business community will identify those trends and respond accordingly.
REISEN1955, User Rank: Ninja
5/8/2018 | 2:22:01 PM
All good points .... but
Remember the attitude of the Equifax C-Suite when the CEO blamed the entire catastrophe on ONE, JUST ONE, IT staffer who failed to perform an update. Lunacy and ignorance all combined into one stupid comment. If THIS is the attitude and understanding the C-Suite has of IT as a business practice, then all your points are worthless. Oh, BTW - staffers are always cheaper in Bangalore too.