Data Breach Costs: Damage and Danger are Greater than Many Realize


According to the Ponemon Institute's ninth annual Cost of Data Breach Study, the consolidated total cost of a data breach increased 15% in the last year, to $3.5 million. But some experts say those figures likely underestimate the full scope of the damage.

Duncan Fisken, senior vice president and general manager for EMEA at RedSeal Networks, believes the actual cost of a breach is considerably higher than the consolidated average of $145 per record that Ponemon estimates, even though that in and of itself represents an increase of more than 9% year-over-year.

“These figures are likely to be very conservative and may well be confined to the actual cost of the breach remediation and measurable loss of revenue,” Fisken told Infosecurity in an email. “There are other hidden costs which are much harder to quantify, for example reputational damage, illustrated by the battering a company’s share price can take in the wake of a much-publicized breach as in the Target case, further hit by [CEO] Steinhafel’s departure. Reputational damage can also be the area from which there’s the longest road to recovery. Most would agree that the cost of recovering a lost customer is many multiples of the cost of acquiring a new customer in the first place.”

Other collateral costs that cannot be overlooked are those associated with recruiting new C-level executives; Target has had to find a new CIO and now a new CEO, he pointed out. “Executive searches at this level can often be long and expensive affairs. More difficult to monetize are the opportunity costs incurred during the ‘rebuilding’ period.”

The Ponemon report also revealed that the probability of a company having a data breach involving 10,000 or more confidential records is 22% over a two-year period – and that most IT departments don’t feel prepared. Only 38% of Ponemon study respondents said they have a security strategy to protect their IT infrastructure, and the majority of companies (50%) have low or no confidence that they are making the right investments in people, process and technologies to address potential and actual threats.

Those results run counter to findings in a new survey from Tripwire, which found that 64% of respondents have confidence in their incident response plan. And 40% of retail and financial organizations said that they only need two to three days to detect a breach.

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue,” said Dwayne Melancon, CTO for Tripwire, in a statement. “However, the improved internal communication may be biased by a false sense of security. For example, 95% of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

Melancon continued, “Furthermore, only 60% of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches. These attitudes seem to indicate a high degree of overconfidence or naiveté among information security practitioners. I believe a number of these organizations may be in for a rude awakening if their systems are targeted by criminals.”

Fisken noted that the situation will only worsen over time if attitudes don’t change. “Networks are becoming ever more complex as enterprises grow through acquisition and the need to seek more innovative ways to differentiate themselves against their competitors; this is now true of almost every market vertical,” he said. “The increasing complexity and size of networks presents the CISO with the significant problem of preparedness; the need to be in proactive mode, rather than reactive; to predict threats by having sight of the attack surface of the network and, more especially, what those attack vectors mean in terms of the exposure of business-critical assets to would-be attackers.”
