cost of data breach

Money, money, money

The Ponemon Institute's 2017 Cost of Data Breach study, published this past spring, held some grim and possibly prescient news: data breaches are growing in scale, and organizations must prepare. But how? With the Equifax breach disclosure barely in our rearview mirrors, it's a good time to reflect on some of the report's findings and think about how to apply them to breach mitigation.

Starting with some good news: in 2017 the average total cost of a data breach and the average cost per record lost decreased from the previous year, by 10 percent and 2.9 percent respectively. Nevertheless, the average number of records lost or stolen per breach increased by 1.8 percent. This may indicate that while companies are becoming more efficient at identifying and handling breaches, and the value of the lost or stolen data may have been lower in 2017 than in 2016 (though not across all industries), they are struggling to contain how much data is accessible to unauthorized parties. Lower costs are good for the breached companies, but more data lost or stolen is bad news for customers, since customer data is the most likely to be affected by a breach.

I work all night, I work all day

Still, though we have yet to see a major organization suffer long-term damage to customer acquisition or retention, stock price, or crippling financial loss, a $3.62 million[i] average sticker price per breach is a significant financial risk exposure on which most boards of directors are not inclined to gamble. It is therefore in companies' best interests to keep finding ways to decrease breach costs year on year.

According to the survey data, the factors that most materially reduce the cost of a data breach are improved incident response (a decrease of $19.3 USD per capita, i.e., per record compromised), extensive use of encryption (-$16.1 USD per capita), employee training (-$12.5 USD per capita), and business continuity management (BCM) involvement (-$10.9 USD per capita). Of these top four factors, it is notable that two are "respond," or post-breach, measures: incident response and BCM involvement. In other words, preventive measures can only take a company so far; this is the "not if, but when" theory. Quickly detecting, handling, and recovering from a breach does more to lower the cost to the organization.

With that in mind, let’s briefly review incident response (IR) preparedness:

To pay the bills I have to pay

Create an incident response plan: Sticking with the "not if, but when" theory, every organization should build a plan that details how it will respond to incidents. The irony is that an effective IR plan first covers how to determine whether an incident occurred at all. It is counterproductive (and raises costs by $5.5 USD per capita) to jump to conclusions, precipitously declare an incident, and issue notifications. The first step, therefore, is to define what constitutes an incident and then describe the steps to take once one has been confirmed.

Ensuing steps should include (but are not limited to):

  • Identifying all participants (not only technical personnel, but executives, HR/press teams, external resources, etc.) and preparing a list of contact information
  • Detailing roles, responsibilities, processes, and procedures
  • Defining technical requirements and resources (and knowing where to find them, e.g., network diagrams, archived logs)
  • Setting a communications plan

Test the incident response plan: Every company should create a detailed IR plan, but merely having one won't have any positive impact if the parties involved haven't practiced the steps. Neglecting to test the plan for accuracy, effectiveness, and thoroughness is akin to giving a piano performance without ever practicing the notes on a keyboard. You can study the score all you want, but if your fingers are not trained through hours of work to navigate the difficult sections, the performance is going to be an unpleasant mess.

Review and revise the incident response plan: Once the IR plan has been tested (through tabletop exercises or a real incident), it's critically important to conduct a post-test assessment to determine where rough patches occurred, where processes could be streamlined, what went well, and how to do better next time.

And still there never seems to be

Business continuity management involvement takes a similar form: preparedness and practice allow the organization to restore normal operations as quickly as possible and with minimal disruption.

Of course, the implementation, proper configuration, continuous monitoring, updating/patching, and testing of security technologies can also help organizations identify and mitigate incidents. "Extensive use of encryption" is the second most effective factor in driving down breach costs. Only slightly further down the list are:

  • Use of security analytics (-$6.8/capita)
  • Extensive use of DLP (-$6.2/capita)
  • Data classification schema (-$5.7/capita)

A single penny left for me

No one perfect method exists to prevent and detect data breaches, but having a firm grasp on the tools, techniques, and procedures that will help the organization quickly identify and respond to incidents will lead to lower costs, happier customers, and less risk to present to your executives and board.

[i] All costs in the Ponemon study were converted to U.S. dollars


Attend InfoSec World 2018 in Orlando, Florida, March 19-21, 2018 to try your hand at an incident response tabletop exercise. Work with colleagues in a mock setting that will prepare you for a real-life incident in "Beware the Ransomware."