Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Today, Dr. Ponemon and IBM announced the 9th annual 2014 Cost of a Data Breach Study. Here’s a snapshot of our conversation.
What would you say is the number one finding from your research?
What is interesting is that globally the average cost of a data breach grew to $3.5 million (in U.S. dollars). That’s an increase of 15 percent compared to 2013. The average cost for each lost or stolen record containing sensitive and confidential information increased nine percent to $145. In the U.S., the average breach involved the loss or theft of 30,000 records, and the average cost to the companies affected by the breach increased from $5.4 million in 2013 to $5.9 million in this year’s study.
Why is the cost of a breach going up?
Repairs, specifically to brand reputation and customer loyalty. These two areas were hit hardest by breaches. In an era when reputation and customer loyalty matter most, a single breach can take that all away before you say Heartbleed. As a result, in the aftermath of an incident, companies have no choice but to quickly channel an inordinate amount of unplanned spending to restore their brand image, bring back old customers and acquire new ones. In the global study, it was revealed that this challenge is even greater for certain industries, such as pharmaceutical, financial services and healthcare, which experienced higher customer turnover and, as a result, had breach costs far exceeding that $145 figure that I mentioned earlier with respect to the global findings.
What are you finding to be the most common cause of a data breach today?
In most countries, the primary root cause of the data breach is a malicious insider or criminal attack. These are without question the most common. When we asked these companies what they believe to be the biggest security threat, the answers were malicious code and sustained probes, both of which are on the rise. In fact, respondents estimated that they will be dealing with an average of 17 malicious codes and 12 sustained probes each month.
Outside of technology and services what other investments can businesses make to help protect themselves?
Businesses should look to implement an incident response and crisis management plan that clearly lays out the steps they must take in the event of a breach. This year’s study found that efficient response to an incident and containment of the damage reduces the cost of breach by an average of close to $13 per record for global companies. If they have not done so already, organizations should also appoint a chief information security officer (CISO) and form a business continuity management team. Both have proven to be effective in helping to deal with the breach.
A last item to consider is insurance. I’m not talking about Progressive but rather cyber insurance. The common perception in the industry is that insurance encourages companies to slack off on security. The reality however is quite different. Cyber insurance not only helps companies manage the risk of a data breach but it also helps to improve their security posture which on its own can reduce the cost of a breach by more than $14 per record.
With the cost of breaches on the rise, it’s logical to assume companies are responding by spending more to protect themselves. Is that the case?
That’s an interesting question. After conducting interviews with close to 1,700 individuals, we found there is a significant disparity between what companies would like their security budgets to be and what they are. When asked about the level of investment in their organizations’ security strategy and mission, respondents said they would like to invest an average of $14 million over the next 12 months. Unfortunately, this may be a tough sell in many companies. What we found is that in reality over the next 12-month period, companies anticipate they will have an average of about half that amount, or $7 million, to invest in their security strategy. What that means is that businesses today are going to have to be smarter about the solutions and services they depend on to keep them protected.
For more information about IBM Security, follow @IBMSecurity on Twitter or visit the Security Intelligence blog.