IT Security: The Rising Costs of Quick ResponsePosted on October 23, 2012
By Robert J. Rua
A recent benchmark study reveals an alarming trend that shows no sign of slowing – the rising costs of data breaches. The study was released by Symantec Corp., one of the world’s leading information storage and security solutions providers, and the Ponemon Institute (PI), a leading researcher of privacy and data protection practices. It is their sixth annual study of data security benchmarks. Fifty-one American companies participated in the study, representing 15 different industries, including: healthcare, pharmaceuticals, finance, retail, services, education, technology, manufacturing, research, transportation, hotels and leisure, media and communications and energy. These disparate companies all had one thing in common – in 2010 they experienced some form of large data breach. The amount of records compromised in these breaches varied from 4,200 to 105,000.
According to the study, organizational costs related to data breaches have grown significantly in each of the past five years. In 2010, the average cost per data breach reached a whopping $7.2 million or approximately $214 per compromised record. That’s a significant jump from 2009 when the average per-record cost was $200. The most expensive data breach included in the 2010 study cost a company $35.3 million to resolve. The least expensive data breach was $780,000.
The driving factor behind these rising costs? Compliance pressures for faster response times to escalating data security threats. According to the study, the good news is that organizations in the private and public sectors are showing signs that they are making serious efforts to improve the speed of their responses to data breaches. Forty-three percent of the companies that participated in the study reported that they notified victims within one month of the breach, a 7 percent improvement from 2009.
Here is the bad news: Quick responders saw significantly higher per-record costs than slower responders for the second consecutive year. The average per-record cost for companies that notified their customers within one month of a data breach was $268, a 22 percent increase over the average per-record cost for quick responders in 2009 – no data breach response attribute had a higher percentage increase last year. By contrast, organizations that notified customers more slowly (30 days or more) paid on average $174 per-record, 54 percent less than quick responders. Slow responders actually saw an 11 percent decrease in their average per-record costs from 2009.The study took into account a wide range of data breach related costs, including:
· expense outlays for detection, notification and ex-post response;
· direct costs such as the expense of forensic experts, outsourced hotline support, free credit monitoring subscriptions and discounts for future products and services;
· and, indirect costs such as in-house investigations and the extrapolated value of customer loss due to turnover or diminished acquisition rates.
Analysis of the economic impact of lost or diminished customer trust, as measured by churn rates, was also taken into account in the study. Regulatory compliance contributes to lower churn rates by boosting customer confidence in organizations’ IT security practices. Overall, average abnormal churn rates across all 51 incidents stayed level at 4 percent. Pharmaceuticals and healthcare were once again the industries with the highest churn rate (both up a point to 7 percent in 2010). The industries with the lowest abnormal churn rates were the public sector (less than 1 percent) and retail (1 percent). Industries with the highest 2010 average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). Those with the lowest costs were media ($131), education ($112), and public sector ($81).
For the third consecutive year the study found that direct costs accounted for the largest proportion of overall data breach costs, while indirect costs continued their trend of gradual decrease. Increases in legal defense costs remain a leading reason for increased spending in ex-post response, as companies fear successful class action lawsuits by breach victims. These trends indicate that companies are making serious efforts to repair the damage breaches cause and are slowly rebuilding customer and partner confidence. This, in turn, is lowering the number of present and potential customers who take their business elsewhere after a breach. These results may also bolster the argument that organizations are focusing more on regulatory compliance, as direct costs correspond to the cost activities covered by data protection regulations.
Malicious Attacks on the Rise
Protection against viruses, malware and spyware infection has become organizations’ top priority. According to the study, 2010 marked the first time that malicious and criminal attacks were the most common and most expensive cause of data breaches. In previous years, malicious attacks have been consistently ranked the least common form of data breach. Thirty-one percent of all data breach cases included in the study involved a malicious or criminal act, a 7 percent increase from 2009. At $318 per-record, the average cost of malicious attacks increased a staggering 48 percent from 2009. Nearly all of the study respondents (97 percent) reported that they considered cyber attacks the most severe threat to their ability to carry out their missions.
Breaches by third-party outsourcers are becoming slightly less common but much more expensive. Though third-party mistakes experienced a slight decline in 2010, their per-record cost rose $85 (39 percent) to $302; an indication that compliance with government and commercial regulations for data protection are dramatically raising breach costs involving outsourced data. Similarly, breaches involving lost or stolen laptop computers or other mobile data-bearing devices have remained a consistent and expensive threat. While the number of reported breaches involving stolen or lost mobile devices decreased from 34 to 35 percent, the per-record costs rose $33 (15 percent) to $258 per-record. Historically, device-oriented breaches have cost more than many other types of breaches due to the expense of necessary investigations and forensics.
Vigilance and Prevention: An Ongoing Challenge
Negligence remains the most common cause of data breaches. The increase in number of breaches caused by negligence in 2010 rose only slightly – from 40 to 41 percent – but the average cost per-record rose 27 percent to $196 per-record. This steady trend reflects the ongoing challenge of ensuring employee and partner compliance with security policies. Companies are getting more vigilant about prevention, as system failures decreased from 36 percent in 2009 to 27 percent in 2010. This trend indicates organizations may be more conscientious in ensuring their systems can prevent and mitigate breaches through new security technologies and compliance with security policies and regulations. The study data seems to bear it out: Investments in identifying and remediating data breaches are paying off.
Encryption and other technologies are gaining ground as post-breach remedies, but training and awareness programs remain the most popular. Sixty-three percent of respondents use training and awareness programs after data breaches, down 4 percent from 2009. Encryption is the second most implemented preventive measure as a result of a data breach, at 61 percent. Both encryption and data loss prevention solutions have increased 17 percent since 2008.
“We continue to see an increase in the costs to businesses suffering a data breach,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Regulators are cracking down to ensure organizations implement required data security controls or face harsher penalties. Confronted with both malicious and non-malicious threats from inside and outside the organization, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”
“Securing information continues to challenge organizations at all levels, but the vast majority of these breaches are preventable,” adds Francis deSouza, Senior Vice President, Enterprise Security Group, Symantec. “Organizations must not only protect the data itself wherever it is stored or used, but also create a culture of security including training, policies and actions. The results of this study show that companies with information protection best practices in place can greatly lower their potential data breach costs.”
By taking a holistic approach to data protection, companies can better protect data wherever it is – at rest, in motion or in use. Symantec recommends that organizations implement the following best practices, whether or not they have suffered a data breach:
· Assess risks by identifying and classifying confidential information.
· Educate employees on information protection policies and procedures, and hold them accountable for non-compliance.
· Deploy data loss prevention technologies which enable policy compliance and enforcement. For example, proactively encrypt company laptops to minimize damage following theft or loss.
· Integrate information protection practices into your business processes.
· Vet and evaluate the security posture of third parties before sharing confidential or sensitive information. Pick responsible vendors that can guarantee data protection through encryption and appropriate procedures and controls. Also, ensure that third parties protect data on their employees’ mobile devices.
While manual and policy approaches are a good start, by themselves they are not as effective as a multi-pronged approach that includes automated IT security solutions. Many kinds of automated, cost-effective enterprise data protection solutions are now available to secure data both within an organization and among business partners. Some of the most popular and effective of these technologies currently available include:
· Encryption (including whole disk encryption and for mobile devices/smartphones). Ensure that portable data-bearing devices – such as laptops, smart phones and USB memory sticks – are encrypted, especially for extensive business travelers. Also, consider implementing inventory control, anti-theft devices and data loss prevention (DLP) policies, practices and technologies.
· Data loss prevention (DLP) solutions.
· Identity and access management solutions.
· Endpoint security solutions and other anti-malware tools.
In addition, by centralizing the management of IT security solutions companies can automatically enforce IT security best practices throughout their organizations and align data protection with their security policies and regulatory or business-partner mandates.
Companies in a rush to respond to data breaches often do not believe that they have the time to bring in outside help to meet compliance requirements. As a consequence, fewer companies are using external consulting support, even though such support lowers data breach costs. The proportion of respondents that engaged outside consultants fell 7 points in 2010 to 37 percent. The study data suggests that moving too quickly through the data breach process may cause cost inefficiencies for companies, particularly during the detection, escalation and notification phases. Companies are choosing to absorb the additional costs of quick response due to the pressure of compliance with commercial regulations and state and federal data protection laws. Despite this pressure, PI and Symantec recommend that companies take as slow and thoughtful an approach to data breach response as possible – given the federal and state legal requirements applicable to their location, industry and circumstances of the breach.
Perhaps the most striking study trend is the strong correlation between data breach costs and the presence or absence of major data breach causes or data protection best practices. Specifically, 2010 costs for breaches involving all major causes grew between 15 and 48 percent from 2009.
Conversely, breaches that lacked those factors or illustrated best practices dropped between 1 percent and 27 percent. These figures may indicate that organizations’ data breach costs stayed relatively stable or only increased a small amount in most cases.
As in prior years, data breach cost appears to be directly proportional to the number of records compromised. Therefore, larger breaches continue to be a more serious cause for concern than smaller breaches. Customer turnover in direct response to breaches remains the main driver of data breach costs: For the second straight year, abnormal turnover of customers after data breaches appears to be the dominant factor in data breach cost.
Overall, the study data suggests that American companies are getting serious about their stewardship of sensitive personal data and are taking greater steps to ensure its protection from breaches. The study also reinforces the efficacy of best practices for IT security and privacy in protecting data and providing positive returns on investments.