Global Study on Costs of Data Breaches in 2015

IOE and ERI examine the cost of a data breach in 2015.

global-data-breach-costs-2015

The State of the Data Breach

On January 25, 2015, health insurer Anthem experienced one of the largest data breaches in both its industry – and recent history. While, by this point, data breaches had become a dime-a-dozen, especially in healthcare, with organizations such as Premera Blue Cross, Excellus BlueCross BlueShield, and CareFirst reporting cybersecurity breaches and hacks, the scale of the Anthem incident set it apart.

The Anthem attack affected 80 million individuals – former and current customers, employees, and even Anthem CEO Joseph Swedish – and their personal data and information, putting them at high risk for identity theft and other fraudulent activities. This data included names, dates of birth, social security numbers, addresses, phone numbers, email addresses, and employment information.

Fallout from the Anthem attack continues to reverberate throughout the insurance and healthcare industries and consumer-facing organizations writ large. In early 2016, the FBI continued to ignore requests for information on who committed the attack (although, some have speculated the Chinese to be the culprit) and whether any data has been used fraudulently since. Anthem, however, is facing a pending class action lawsuit from consumers who claim their personal data has been accessed and used fraudulently and the health insurer’s “grossly inadequate computer systems and data security practices” are to blame.

Those allegations strike a chord with another of 2015’s major data breaches: the United States Office of Personnel Management (OPM). In early June of 2015, the OPM announced that millions of background investigation records of current, former, and prospective employees and contractors had been stolen in a “cyber intrusion” that began in 2014. Weeks after the first admission of a breach, the OPM revealed a second larger attack that targeted the personal data of millions more Americans who applied for security clearance, bringing the total number of individuals affected to 22.1 million. The failure to disclose and the ultimate handling of the attack resulted in the resignation of the director of the OPM, Katherine Archuleta. Months after her departure, the agency revealed another 5.6 million individuals’ fingerprints were stolen in one of the attacks – a figure five times the amount originally divulged.

While many officials have pointed fingers at China as engineering this attack, the OPM’s data and cybersecurity processes, much like those at Anthem, have also come under fire. And that’s nothing to say of the ongoing criticism its “mishandling” of the attacks prompted – as recently as June 27, 2016, the OPM reported that 10 percent of the individuals whose information was stolen in the attacks have yet to be notified. The independent inspector general’s office at OPM has been highly critical of OPM’s efforts to better secure databases, which have included the transfer of its background investigations database to the Department of Defense. Following the most recent round of OPM audits, the office concluded, “a very high risk that the project will fail to meet its stated objectives of delivering a more secure environment at a lower cost,” and pointed to a lack of full understanding of the scope of the project and lax management of it as fundamental issues.

It’s important to note, though, the underlying vulnerabilities exposed by these hackings as well as the act itself are not unique to major organizations. Incidences of data breaches are growing in frequency and cost – both to consumers and businesses of all sizes. In the following sections, we review current research on the direct and indirect costs associated with data breaches, the growing concern over hardware security and how organizations, enterprises, and small businesses are reducing the costs of data breaches.

Data breaches – costing companies dollars and customers

Data breaches are increasing, and the means for preventing and managing them are growing costlier with each passing year. The 2015 Cost of a Data Breach study, which surveyed 350 global companies, from Ponemon and IBM estimated that data breaches affected 76 million households and 7 million small businesses in 2015. Similarly, Kaspersky Labs reported in a study that surveyed more than 5500 companies in 26 countries that 90 percent of these businesses admitted experiencing a security incident in 2015, with another 46 percent saying they lost sensitive data due to an internal or external security threat.

While data security breaches have affected organizations, companies, and governments worldwide, some nations experience disproportionately higher costs when it comes to cyber incidents. For example, the U.S. registered the highest per capita cost, averaging $217 in 2015, the Ponemon study reported. Additionally, year-over-year, the average per capita cost increased, from $188 in FY2013 to $201 in FY2014 and $217 in FY2015. Similarly, the U.S. experienced the highest average organizational cost in FY2015 – $6.53 million – followed by Germany at $4.89 million. However, the U.S. had the third largest average number of records stolen (28,070), behind the Arabian region (29,199), and India (28,798).

As organizations rely increasingly on data to give them a competitive edge and advanced technology to protect their clients’ data as well as their own, they are in essence drawing a proverbial target on their back. When these carefully crafted IT security solutions fail them and their customers, the costs are enormous, both financially and intangibly, in the short and long term.

Paying for data breaches

The effects of data breaches are wide and varied, encompassing immediate, direct costs – legal remediation, discounts, refunds, forensic and investigative services, assessment and auditing solutions, PR and other consultants, and notification costs – and indirect costs – abnormal customer churn, reputational damage, increased customer acquisition efforts, and regulatory issues.

While notification costs have remained relatively static FY13-FY15, fluctuating between $0.17 million and $0.19 million, the three remaining cost components have steadily increased during this period, with detection and escalation costing $0.99 million, ex-post response totaling $1.07, and lost business coming in at $1.57 in FY15.

As breaches increase in frequency, the cost per security incident rises

In fact, recovery from a security breach on average costs enterprises $551,000 and small- and medium-sized businesses (SMBs) $38,000, according to the Kaspersky study. However, these figures represent only the immediate costs required to recover from such an attack. Indirect costs, including customer retention, reputation management, etc., total $69,000 and $8,000 for enterprises and SMBs, respectively.

The Ponemon study found, though, that such costs varied by industry. Rather, the financial effects of a data breach changed greatly dependent upon the industry. Data security incidents carried the heaviest toll in healthcare and education, with the average cost of a stolen record being as high as $363 and $300, respectively. The industries with the lowest cost per stolen record were transportation and the public sector – $121 and $68, respectively. However, all organizations experienced an increase in cost-per-record, and the retail industry’s average saw one of the most dramatic cost spikes, from $105 to $165, perhaps due to breaches at major retailers such as Amazon, Target, and Home Depot as well as growing consumer pressure and outrage.

Data breach detection and management services, tools and strategies are costing more

Finding and managing a data breach and the services required to do so is only driving data breach figures higher. Such services include: investigate and forensic activities, audit services, crisis team management and communications to executives and boards of directors.

Employing these services, be it through the use of third-party providers or providing workers with extra compensation, increased year-over-year, from $0.76 million in FY14 to $0.99 million in FY15, the Ponemon research estimated.

Data breaches are contributing to higher abnormal customer churn rates and reputation damage

Across the research on data breaches, lost business is believed to contribute the most to rising costs, and be the heaviest financial consequence for organizations, rising from a total average of $1.33 million in 2014 to $1.57 million last year, Ponemon estimated. “Lost business” encompasses the following data points: abnormal customer churn, increased customer acquisition efforts, reputation loss, and diminished goodwill. Add to this, consumers growing awareness and concern regarding identity theft as well as the security of their personal data and it should come as no surprise that ex-post customer costs are rising exponentially.

Unsurprisingly, data breaches spur customer attrition. While the financial effects of consumer loss might not be immediately visible, continued customer churn and attrition will prove detrimental to organizations’ bottom line in the long term at the very least. Further, the cost of activities related to customer loss, such as loyalty rewards and programs as well as new customer acquisition efforts, is steadily increasing, according to Ponemon, from $1.45 million in FY14 to $1.57 million in FY15.

Preventing and managing customer retention and acquisition grows more costly the bigger a firm becomes, as the larger the data breach, i.e. the more records lost and/or compromised, the greater the cost. For larger organizations the possibility of negative media attention can make maintaining customer loyalty – one of the greatest costs in a data breach, as it contributes to abnormal churn rates – even harder to maintain.

By combining “consultancy expenses, lost opportunities due to damaged corporate image, and spend on marketing and PR activities aimed at reducing the impact to reputation,” researchers at Kaspersky estimated the average financial cost of damage to brand reputation to be $8,653 for SMBs and $204,750 for enterprises. However, the researchers acknowledged the difficulty of calculating the loss of brand value, especially as it relies heavily on sentiment. For that reason, these figures may be much higher, compounding in the long term.

Investing more heavily in customer retention as well as preventative strategies such as comprehensive device and data disposal services and annual audits could help organizations mitigate such losses. This would especially useful for industries such as health, pharmaceuticals, finance, and technology, which are more vulnerable to relatively high abnormal churn following a data security incident. Such options will be discussed at greater length in later sections.

The next big threat – hardware?

Cyber-based data breaches continue to increase in number, and the ease at which they can be accomplished has become staggering. However, many experts are now predicting hardware systems to be hackers’ next big target.

According to Popular Science, software security is huge business, on track to be worth $156 BILLION in the next five years. Comparatively, hardware security – from setup to disposal – is relatively invisible, with little research even tracking this market, despite growing concern over the effects such an attack could spark. When General Michael Hayden, a retired four-star general in the Air Force who also headed both the CIA and the NSA, was asked about hardware hacking at a cybersecurity panel at the Aspen Institute in 2011, he summarized it as thus: “It’s the problem from hell.”

The problems hardware hacking presents are “more extensive, more dangerous, and more difficult to combat,” Popular Science explained. Why? Because anywhere hardware exists, it can be hacked. Your coffeemaker could go awry; your personal data could be stolen off an old laptop; or, worse yet, sensitive government information could reenter the market on “new devices.”

In fact, one larger area of concern is corporate policies for the wiping and disposal of electronic devices once they break down or are deemed obsolete. The data security threat presented by hardware is only compounded by a lack of comprehensive knowledge and policies on the proper disposal of devices, including smartphones, computers, tablets, hard drives, etc. These devices, as previously noted, house reams of sensitive data that could put business’ financial data at risk as well as the personal information of employees and consumers and, in the worst case, government data.

In 2015, the United Nations reported that up to 90 percent of the world’s electronic waste, also known as e-waste, is illegally traded or dumped each year. This means, if devices’ hard drives are not successfully wiped, companies’ sensitive and confidential information could end up in the hands of hackers and other criminals. For American organizations, the situation is even more serious, as the U.S. is the only nation in the developed world that has signed but not yet ratified the Basel Convention, which prohibits the exporting of e-waste. The severity of the resulting possibilities makes it imperative for organizations to create and/or review their e-waste disposal and data management strategies.

Can a data breach be prevented?

To be blunt: It is very, very unlikely. However, as various studies have shown, there are strategies and protocols organizations can adopt and implement to reduce the likelihood and cost of a data breach. While budgets remain tight for some businesses or available investments are being used to plug other holes, planning for a data breach and how it would be handled ultimately pays off in the long run – both in cost-effectiveness and reputation. As researchers in the Kaspersky study advocated, “The cost of a security breach is always higher than the cost of protection: the ability to reduce the risk and avoid the shaky path of recovery always pays off.”

The first 48 hours: Time is money

The amount of time it takes for organizations to identify and contain data breaches impacts the ultimate cost. In 2105, the estimated mean time to identify a breach was 206 days and to contain one was 69 days, according to the Ponemon research. But this varies depending on the type of attack. Malicious and criminal attacks take the longest on both accounts, while the time period for each shrinks markedly for human-caused data breaches.

Failure to quickly identify and contain a security incident will lead to higher costs and will only increase with each passing day. How prepared organizations are in terms of detection and management will influence the ultimate cost of a breach. One of the most important factors to successfully managing and getting ahead of a data breach in its first 48 hours is whether an organization has a detailed incident response plan, which outlines how news of a breach will be communicated to stakeholders, board members, customers, and media and via which mediums, Nigel Hawthorn, chief European spokesperson for Skyhigh, wrote for Info Security Magazine. Each will require different information at a different times, so Hawthorn urges all organizations to practice “fire drills” that involve the entire organization – from starting employees all the way to the C-suite.

This latter group may be represent one of the most effective keys to reducing the impact of a data breach. The Ponemon research found 70 percent of C-level US and UK executives who participated in the survey believe board oversight is critical to effective and efficient incident response. And financial figures from the same research suggest they are correct: Organizations with board involvement in IT security and response strategy experienced cost per record expenses decrease by an average of by $5.50. However, a successful incident response plan requires the contributions of all stakeholders.

Prepare for the worst with business continuity management

Business continuity management (BCM) is critical to controlling and reducing the overall costs (both financial and indirect) of a data breach. It is a holistic management process that identifies potential threats and ways to prevent and mitigate them through the development of business resilience.

When properly implemented and utilized, BCM reduces the impact of a data breach markedly, with the Ponemon study finding per capita cost went down by an average of $7.10 with BCM involvement. BCM’s impact is even more impressive during the incident response process – the per-record cost is reduced by an average of $14. Further, the difference in the total average cost of a data breach between organizations that employ BCM and those that fail to do so is approximately $500,000. Involving a BCM team from the onset will also diminish the chance for companies to experience multiple data breaches in a single year. For organizations that employ BCM personnel, the likelihood of a material data breach was 21.1 percent and for non-BCM users it was 27.9 percent.

Perhaps the most convincing case for involving BCM personnel in data security management and planning efforts is the relationship between BCM and the number of days it takes to identify and contain a data breach. The mean time to identify a breach for organizations with BCM involvement is 178 days, compared to 234 for those with no BCM involvement, according to Ponemon. Mean time to contain displays a similar pattern – 55 days with BCM, 83 without.

Employee training can decrease the chance of a security incident

One of the top three causes of a data breach is human error. In fact, IBM’s 2014 Cyber Security Intelligence Index found 95 percent of all security incidents involve some type of human error. As such, more organizations are investing in employee training in an effort to reduce the chances of a security incident being caused by a worker.

According to the research from Kaspersky, SMBs and enterprises alike are increasingly deploying training modules and seminars as both preventative and remedial measures. On average, 47 percent of SMBs and 53 percent of enterprises invested in training in an effort to prevent further future breaches, costing $5,500 and $52,000, respectively. And training brings results. The Ponemon study reported employee training reduces the costliness of a data breach by $8.0 per capita.

More and more companies are abiding by this wisdom. Gartner, Inc. research vice president Andrew Wells stated in 2015 that the security awareness training market is growing by 13 percent annually, currently exceeding more than $1 billion in annual revenue globally. Additionally, he added the chief information security officers (CISOs) are using such training to improve organizational compliance, correct poor security habits and increase security knowledge.

Conclusion

As technology becomes increasingly embedded in our personal and business worlds, it will be more important than ever for organizations and individuals to invest in strategies to keep their confidential and sensitive information safe from cradle to grave. This will include paying greater attention to hardware in particular – where organizations purchase their devices and how they dispose of them will be critical to the safeguarding of private information.

Electronic Recyclers International guarantees clients 100 percent data destruction and responsible recycling for nearly any electronic device. ERI offers comprehensive software and hardware data destruction, erasing data in accordance with U.S. Department of Defense standards and then destroying data in its state-of-the-art proprietary shredders. As cybersecurity continues to be a top priority for businesses of all sizes, trust your data will be securely destroyed, disposed of and, ultimately, protected by ERI.

References

http://www.latimes.com/business/la-fi-mh-anthem-is-warning-consumers-20150306-column.html

http://www.fiercehealthcare.com/payer/one-year-later-controversy-still-surrounds-anthem-data-breach

http://krebsonsecurity.com/tag/anthem-breach/

http://www.crn.com/slide-shows/security/300077563/the-10-biggest-data-breaches-of-2015-so-far.htm/pgno/0/10

https://www.washingtonpost.com/news/powerpost/wp/2016/06/27/many-victims-of-opm-background-investigation-files-theft-still-not-notified/

http://www.nbcnews.com/tech/security/opm-hack-government-finally-starts-notifying-21-5-million-victims-n437126

http://www.theatlantic.com/technology/archive/2015/09/opm-hack-fingerprints/406900/

http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity%E2%80%8B-%E2%80%8Bmarket-reaches-75-billion-in-2015%E2%80%8B%E2%80%8B-%E2%80%8Bexpected-to-reach-170-billion-by-2020/#12f978602191

http://www.infosecurity-magazine.com/opinions/the-first-48-hours-respond-data/

http://www.csoonline.com/article/2926173/security-awareness/cisos-turn-to-security-awareness-solutions-to-change-poor-employee-behaviors.html

http://www.unep.org/newscentre/default.aspx?DocumentID=26816&ArticleID=35021