Watch the NCA Webinar: Cybersecurity Trends and Threats 2018
By Mike Porter, Crowe Horwath
With the release in June 2017 of the newest IBM “Cost of Data Breach Study,” conducted by Ponemon Institute, the web is buzzing with discussions of what a breach costs.
As a result, now is a good time to provide a more nuanced analysis of this report through an examination of the assertions of a variety of recent breach cost reports that attempt to answer similar questions.
Recent Breach Cost Reports
|IBM and Ponemon Institute
“2017 Cost of Data Breach Study”
|Average Cost: $3.62 million (down from $4.00 million in 2016)
Average Global Cost Per Record: $141
Average U.S. Cost Per Record:
$200 (human error)
|This qualitative study used organizational surveys and interviews of 419 companies in 13 countries or regions across a variety of industries.|
|Journal of Cybersecurity – Oxford University Press
“Examining the Costs and Causes of Cyber Incidents”
|Median Cost: Approximately $200,000||This quantitative study incorporated multiple data sets compiled by Advisen (15,000 observations).|
“2017 Data Breach Investigations Report”
|This report does not mention the subject of breach cost.||Interestingly, the 2015 report states the cost as 58 cents per record, but also notes that this figure isn’t useful.|
“Understanding the Business Impact and Cost of a Breach”
January 2015 Report
|No generalized cost statement is included in this report.||Forrester opted not to set hard numbers – in my opinion, a wise choice.|
“2017 Annual Cybersecurity Report”
|Of the 29 percent of respondents who experienced a loss of revenue, 38 percent stated that a breach costs upward of 20 percent of operating revenue.||This qualitative study used survey data of 2,912 IT security personnel.|
“Lack of Security Talent: An Unexpected Threat to Corporate Cybersecurity” IT Security Risks Special Report Series, 2016
|A breach costs between $100,000 and $500,000 with strong IT security talent in place. A breach costs between $1.2 and $1.47 million without IT security talent in place.||This report argues that the personnel component is a huge factor in breach cost.|
“2015 Cyber Claims Study”
|Average Cost Per Record: $964.31
Median Cost Per Record: $13.00
|This report actively acknowledges that identifying a “per record” cost is problematic due to costs that cannot be directly quantified in terms of records such as investigation cost.|
“2015 Data Breach Statistics”
|An average breach costs between $4.7 and $11.92 million, depending on the number of records involved.||This report emphasizes that the cost of a breach is highly variable and contextual.|
If you’re like me, a few things stand out with this set of reports:
- Wide range of costs. Clearly, a great deal of difference exists between what the reports assert, ranging from a few hundred thousand dollars to many millions.
- Disparity of average vs. median costs. A relatively small number of huge breaches seem to be greatly skewing the averages. Several reports address this issue and opt to use median cost as more representative of reality. For more on the limitations of using averages, check out this podcast.
- Self-reported data. Most self-reported data is based on surveys and interviews characterized by perceptions of risk rather than by actual data, which can skew results.
What’s the Takeaway?
The goal is not to chastise these reports for attempting to answer the questions about what a breach generally costs. Instead, it’s to emphasize that the cost of a breach is a highly dynamic figure that should be rooted in the risk profile of your organization. For any given organization, the question, “What is the average cost of a breach?” is far less valuable than questions such as:
- What is the hourly cost to my organization if a breach halts point-of-sale operations?
- What is an estimate of lost revenue if we are unable to register new users online?
- Does my organization have a cost model to justify our cybersecurity budget?
These types of questions can be difficult to answer and will require constant re-evaluation because of the changing landscape of the business as well as the evolution of cyberthreats. That said, a functional understanding of cost factors can greatly increase the effectiveness of your cybersecurity program.
What Can You Do?
All organizations should consider performing cross-departmental analyses of such costs to tune cybersecurity budgets and spending accordingly. Key players would likely include finance, IT operations, revenue-generation business units, compliance, customer service, and, of course, risk management. Additionally, this analysis doesn’t necessarily need to be built from scratch, and it could leverage similar analyses such as a business impact analysis (BIA) or true downtime cost (TDC) analysis. Incident or breach cost analysis should also be baked into post-mortem reviews to continue to refine cost models.
The more your organization is able to reduce the uncertainty of cost due to a breach, the more the board, investors, and business partners will be able to see that you are taking a measured approach to keeping your data and business secure.
Mike Porter is a senior consultant with the Crowe Technology Risk Consulting group. He performs a variety of security assessments including security governance reviews, technical configuration analysis, and penetration testing. Mike has worked in information security in many industries with a focus on healthcare.