Regulations' Impact on Data Breach Costs
Analyzing Latest Ponemon/Symantec Cost of Data Breach Study
The 2013 Cost of Data Breach Study recently released by the Ponemon Institute and Symantec shows that organizations that have a chief information security officer have lower costs for each record breached than those who lack a CISO.
"The reason that the CISO exists really is to maintain a strong security posture, to put processes and systems in place to protect the data," says Robert Hamilton, Symantec's director of product marketing, who participated with Ponemon Institute's Larry Ponemon in an interview with Information Security Media Group (transcript below). "By having someone focused on that effort, you're naturally going to put systems and processes in place and see your cost per record [breached] fall."
(A chart in the transcript below shows how much organizations save in the cost for each record breached if they have a CISO.)
Aside from enlisting a CISO, organizations can work to lower the cost of data breaches by taking other key steps, says Ponemon, chairman of the market research and polling firm.
"Just being prepared, having an incident response plan in place, doing the manual low-tech things as well as having the right technology is very important," Ponemon says. "Vigilance is everything in this game."
In the interview, Ponemon and Hamilton analyze other findings from the 2013 Cost of Data Breach Study, including:
- The overall cost of the average breach, by nation;
- The average number of affected records for each breach, by nation;
- Why regulation plays a factor in the cost of a data breach.
Ponemon in 2002 founded the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. He also is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute.
Since late 2008, Hamilton has been Symantec's director of product marketing, leading marketing teams for data loss prevention, encryption and user authentication.
Range of Breach Costs
ERIC CHABROW: This is the eighth year you've conducted the Cost of Data Breach survey. Is there anything in this new survey that surprises you?
LARRY PONEMON: Every year there are at least one or two surprises, and I think the biggest surprise for me is just the market variation across countries. We do nine country studies now, and if you kind of look at the range of cost, on the low end we see India and Brazil, and on the very high end we see Germany and the United States. We're not talking about pennies that differ apart; we're talking about big, big differences in cost. We have some theories behind it, but in general we think that's a very interesting finding. There are others as well.
CHABROW: What do you find as some of the theories?
PONEMON: One theory is that as organizations are more heavily regulated, the cost goes up initially, then tends to flatten out and actually starts to decrease. The most heavily regulated industries in data breach would include financial services and healthcare within countries like the United States and Germany. That may explain in part why the costs are so high. There's a second possibility and that is we find that the cost associated with malicious or criminal attacks are more expensive than data breaches resulting from negligence or system glitches, and we know ... data breaches that occur because of external attacks, hackers or malicious insiders are more likely to happen in places like Germany and the United States than in Brazil and India. I think those are some of the reasons why we think the cost differences are just so great.
CHABROW: Could there be a factor in that, in some of these more regulated countries, there's more value to the information that they have?
PONEMON: That's a good question. I don't think there's just one issue. I think it's probably a collection of factors. In some countries, like Germany for example, I think people care a lot about their privacy and, as a result, companies do more to preserve their trust than countries like Brazil and India. Not to pick on India and Brazil, because they're great countries, but maybe it's a less important kind of an element between consumers and companies.
CHABROW: You mentioned healthcare and financial services being two sectors that have the highest per capita breach cost. Is it just regulation? Is it anything about the kind of data they have?
PONEMON: I think the data is definitely a factor. Obviously, if you're a bad guy, you go where the money is, so you look at banks or investment management brokerage companies, and we know that's the reality. The empirical evidence proves that time and again. But also the data is more sensitive - the confidential information held by financial service companies and healthcare organizations, more so than, say, a retailer or a consumer products company. I think that plays a very important part to this whole issue of cost.
Root Cause of a Breach Changing
CHABROW: The type of data breaches varies, as you point out. The survey reveals that human errors and systems problems caused about two-thirds of data breaches last year. Has that trended over the years, and is malicious activity on the rise as a cause of data breaches?
PONEMON: We find that the root cause of a data breach is, in fact, changing. When we first started to do the study, the category of malicious or criminal insider was relatively small, and this year it's actually the single largest category, representing overall about 37 percent of the total. But before we get carried away with that result, the reality is that still low-tech issues - system glitches, employee negligence or even incompetence - are much more likely to occur and cause a data breach than a criminal attack either inside the organization or external to the company.
ROBERT HAMILTON: Let's not discount also that a lot of laptops are lost or stolen every year, and that accounts for a tremendous cost to organizations for trying to notify users that may have had their data on that laptop.
CHABROW: It does seem that way. In our own coverage on our HealthcareInfoSecurity site, a lot of the losses we report are about lost laptops.
HAMILTON: Yes. Literally thousands of laptops are left just at the TSA security checkpoints every week. It's a pretty common occurrence.
Why Regulation's a Factor
CHABROW: The survey notes that the cost of data breaches dropped in the U.S., yet it's still the highest when it comes to cost and size of data breaches. ... We discussed briefly the point about maybe regulation as being part of the reason behind it. First of all, why would regulation be a factor? Is it just the cost of meeting regulations that add up? Wouldn't those regulations help prevent some of these breaches?
HAMILTON: ... Regulations always cost companies in the early stage because they have to change, in some cases change significantly, their business process. That's definitely a cost and that creates probably in the world of data breach more confusion, more steps that you have to go through, in order to keep the regulator happy. But we also know that it helps an organization from a structure point of view. Regulations like HIPAA and some of the financial services regulations provide prescriptive guidance, steps that you can take. As organizations learn to do this, they probably become even better and more efficient at managing the cost of the data breach.
Regulations in the early stage are probably just cost-increasing, but over time could actually become cost-decreasing. I think there's evidence of that in the U.S. study because we've been looking at it over eight years. The cost of data breaches and the regulations driving data breach started way back in 2003 with California S.B. 1386. There's a nice track record and you can start to look at the pattern of how regulation affects cost.
CHABROW: So you're saying that, in fact, the initial costs were there and that's why the U.S. is high, but in part it's dropping a bit because maybe the regulations help tell organizations how to secure themselves?
HAMILTON: Well, I think you're onto something there. Regulations over time have helped organizations get a handle on the insider causes of data breach. That's people just doing dumb things with data, people not knowing that they're handling confidential data and [not] encrypting laptops so that when they get lost they don't have to notify anybody. But also consider over the years that the proportion of system glitches and human errors is dropping in the U.S. as a relative proportion, and what's taking up the slack is the attacker. As you see in the data, the cost per breach for an attacker is running $277 per record loss, versus human error and system glitches [which] on average only cost about $160. As people get a handle on the insider and breaches are caused more by outsiders, we may see the average cost in fact rise.
CHABROW: That's discouraging.
PONEMON: It's reality, unfortunately.
Cost Savings Per Record Breached for Organizations with CISOs
CISOs and Breach CostsCHABROW: In the study, you mentioned several steps that could maybe help limit cost. One was that organizations with CISOs - chief information security officers - are better situated in controlling data breach cost than those without. Do you have any quantification of what percentages of organizations have CISOs?
PONEMON: In the sample, if you look at all of our countries - 277 in total that participated in nine countries - a minority of companies have a chief information security officer or one individual with overall responsibility for IT and information security. But that number is increasing. ... But we also have other Ponemon studies that show that percentage is increasing steadily over time. ...
CHABROW: Why does the CISO help limit data breach cost?
HAMILTON: The reason that the CISO exists really is to maintain a strong security posture, to put processes and systems in place to protect the data. Many CISOs that we talk to believe the No. 1 function that they serve is to secure the organization's confidential data. By having someone focused on that effort, you're naturally going to put systems and processes in place and see your cost per record fall.
Lowering the Cost of Data Breaches
CHABROW: You had several other suggestions of how organizations could lower the cost of data breaches. What are one or two good ones that our listeners should perhaps follow?
HAMILTON: I think an easy one is to encrypt the laptops. Invest in whole-disk encryption so that if you have a mobile workforce and they inadvertently lose their laptop, you're basically covered. That's safe harbor. There's no reason to even investigate what was on the laptop and no need to inform anybody whose records may have been on that laptop. In general, we believe - and what we hear from our customers ... [it's important] to educate employees as to what's confidential data, to have annual training, and in your security awareness training really speak about treating confidential data the right way. It goes a long way to raising awareness of the problem.
CHABROW: Are there certain elements of not treating it the right way that are common in many organizations?
HAMILTON: Yeah, absolutely. We did another survey with Ponemon that told us that over half of employees regularly e-mail data to their home e-mail account. We know from other organizations that have done surveys that up 20 percent of home computers are infected with malware, so you're going from a secure environment to a relatively insecure environment. Putting a stop to that practice could really do a lot to protect data.
Survey's Key Takeaways
CHABROW: Are there any other takeaways you want to share on the survey?
PONEMON: The whole issue that low-tech solutions - training, awareness and governance - are as important as technology. It's a very complex thing managing data breach, and there may be a company that might do it so well that they could actually reduce the cost to zero. But it's very unlikely that a company, any company, even with the best security posture is going to basically find that they're ... potentially not at risk of a data breach. Just being prepared, having an incident response plan in place, doing the manual low-tech things as well as having the right technology is very important. Vigilance is everything in this game.
HAMILTON: I'm going to have to reiterate what Larry just said in terms of the incident response plan. Over and over, we hear that customers [that putting] together a small team of human resources, legal, compliance and representatives from the operational units is a key practice in helping to get a handle on the inevitable breach that may occur. To avoid what we call a crisis within a crisis, definitely have a team pulled together that's able to react quickly in the event of a breach.