Every year I summarize the findings of the report published by the Ponemon Institute on the evolution of the cost of a data breach, a very interesting study that provides an economic approach to the concept of “data breach”, which is essential every time you have to speak about cyber security to company executives. This year the researchers at the Ponemon Institute analyzed results from 350 companies in 11 countries; every company surveyed had suffered a breach over the past year.
According to the report just released by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, a record high that is up 12 percent from last year ($145).
As already observed in the previous editions of the study, data breach costs varied dramatically by geography and by industry: the US had the highest per-record cost ($217), followed by Germany ($211).
The health care industry suffered the highest costs, estimated at an average of $363 per record, a figure that doesn’t surprise experts given the higher value of medical records compared to credit card data.
A set of complete health insurance credentials sold for $20 on the underground markets in 2013 — 10 to 20 times the price of a U.S. credit card number with a security code, according to Dell.
Caleb Barlow, vice president at IBM Security, explained that the data in a medical record have a much longer shelf life than a credit card number.
“With credit cards, the time frame from the breach to mitigation is very short,” Barlow explained. “But the health care record can be used to establish access in perpetuity. It can be used to establish credit or steal your identity ten or fifteen years from now,” he added. “Once this information is out there, you can’t get the genie back in the bottle.”
Another alarming result of the Ponemon report is the average total cost of a single data breach, which jumped to $3.79 million, an increase of 23 percent.
The analysis of the cost of a data breach reveals that “loss of business” was a significant part of the total cost of a data breach.
The study also analyzed other factors that influence the cost of a data breach, such as the availability of an incident response team that can help to promptly mitigate the incident and reduces the per-record cost by $12.60. Other factors are the adoption of encryption mechanisms (cost reduction of $12), employee training (cost reduction of $8) and CISO leadership (cost reduction of $5.60).
“Companies that have thought about this ahead of time, that had their board involved, that had insurance protection, that had practiced what they would do, they had a much lower cost per breach,” said Barlow. “This is really compelling. We have tangible evidence that those who were doing that had a much lower costs. You don’t have days to respond — you don’t even have hours. You have minutes to get your act together.”
On the other side, the factors that increased costs were the involvement of a third party in the cause of the breach ($16 per record), outsourcing ($4.50 per record) and the loss or theft of company devices ($9 per record).
The cost of a data breach increases with the time needed to mitigate the incident: on average, it took respondents 256 days to spot a breach caused by a threat actor and 82 days to contain it.
Below are the key findings of the Ponemon report:
Enjoy the report; it is full of interesting data.
(Security Affairs – Cost of data breach, cyber security)