Using Real-World Metrics to Calculate Today's Cost of a Data Breach
TRANSCRIPT
The Scary Truth
It now takes an average of 31 days at a cost of $20,000 per day to clean up and remediate after a cyber attack
- Ponemon Institute, 2014
This presentation leverages metrics from the 2014 Ponemon Institute Study
• Conducted annually since 2005
• Analyzed 314 breaches in 16 industry sectors
• 61 of those breaches were in the United States
• Industries represented include financial, retail, healthcare, technology, and pharmaceutical
Costs of a Data Breach
$201 Per Record*
• Direct Costs: $66
– Legal defense costs
– Audit and consulting services
– Public relations, communications with customers, etc.
• Indirect Costs: $135
– Lost business
– Increased costs to acquire new customers
– In-house investigations, etc.
• Financial Industry Costs: $236 average per record
*2005 Survey - $138, 2013 Survey - $188, 2005-2014 Average - $191
Costs of a Data Breach
• 44% involved malicious or criminal acts
– Malware, criminal insiders, phishing/social engineering, SQL injection
– Cost per record of $246
• 31% involved “human error”
– Negligent or careless employees
– Cost per record of $171
• 25% involved system “glitches”
– Cost per record of $160
Costs of a Data Breach
• Average breach size: 29,087 records*
• Average notification costs: $509,000
• Average total cost: $5.85 million
• Abnormal customer churn increased 15% between 2013 and 2014
* By design the Ponemon survey excludes breaches greater than 100,000 records
What increases costs?
[Chart: change in per-record cost, 2013 vs. 2014, for four cost-increasing factors: lost or stolen devices, breaches involving third parties, notifying too quickly, and engaging consultants]
What decreases costs?
[Chart: reduction in per-record cost, 2013 vs. 2014, for four cost-decreasing factors: having a strong security posture, having a formal incident response plan in place prior to the breach, having a formal BCP in place prior to the breach*, and employment of a CISO]
*2014 was the first year BCDR was included in this survey; therefore, there is no historical data.
Real-World Example
Department of Veterans Affairs
• May 3, 2006, an employee copied data onto a laptop and took it home without authorization
• The data was neither encrypted nor password protected
• The laptop was stolen
• The laptop was recovered a month after the theft with no evidence that the data was accessed or used
Real-World Example
Department of Veterans Affairs (cont’d)
• The data copied to the laptop included records on every American veteran discharged since 1975
– 26,500,000 veterans exposed, including their names, dates of birth, and Social Security numbers
– The VA later revised its estimate to include an additional 2.1 million active and reserve service members
• $7 million in notification costs
• $7 million in call center costs
• $20 million class action settlement
Real-World Example
Ohio State University
• December 2010, “hackers” gained access to a university server containing the personal information of over 760,000 current, former, and prospective students and faculty
• The information included names, Social Security numbers, dates of birth, etc.
Real-World Example
Ohio State University (cont’d)
• A year of free credit monitoring
• Dedicated call center for issue resolution
• Third-party forensic services were engaged to investigate
• All victims were notified in writing
• There was no evidence that the accessed records were exploited
• The costs for the notification, investigation, and remediation exceeded $4 million
References
• Ponemon Institute, “Cost of Data Breach Study”
• Zurich General Insurance, “Cost of a Data Breach”
• Kaspersky, “Global Corporate IT Security Risks”
• American Bankers Association, “Target Breach Impact Study”
• Verizon, “Data Breach Investigations Report”
• Information Week, “8 Most Common Causes of Data Breaches”
• Symantec, “Internet Security Threat Report”
• PWC/CERT/CSO Magazine, “US State of Cybercrime Survey”
www.tracesecurity.com ©2014 TraceSecurity, Inc. All rights reserved worldwide.