What's the True Cost of a Breach?Akamai's O'Connor on Calculating, Communicating Costs
As the world becomes more hyper-connected, and companies and individuals share more and more data, the financial incentives for malicious actors continues to increase.
But when you're thinking about securing your data assets and web site, how do you really know the value of what you're protecting? Akamai's Terrence O'Connor shares how to determine the cost of a data breach.
When talking to the business, the conversation has to be grounded in finance, O'Connor says.
"We need to understand in dollars: What are our assets, and then what is the impact if we lose those assets?" he says.
In this exclusive interview, O'Connor, head of Akamai's Threat Advisory Services Group, lays out the myriad of factors and total formula that go into calculating the cost of a breach to your organization.
In this conversation, O'Connor discusses:
- Why it is important to determine the cost of a breach;
- How to assess the value of the assets you're protecting;
- How to turn this calculation into a business case to help secure more budget for security.
O'Connor is an Enterprise Security Architect and Manager of Threat Advisory Services and Security Special Projects with Akamai Technologies. He draws on 15 years of experience in secure software development, cyber risk, information security auditing and executive information security management to keep organizations up to date with cybersecurity best practices. Prior to joining Akamai, he was the Global Security Architect for one of the largest travel global distribution services, where he helped to implement cybersecurity best practices at every level of the organization.
The Cost of a Data Breach
TOM FIELD: Why is it important that we determine this cost of a breach?
TERRENCE O'CONNOR: A business has assets. Those assets need to be protected. All businesses have assets. If you're a bank, you have a vault to protect your money. If you are a store, the same thing; you're trying to protect your goods from being stolen by people. In IT, we have both tangible and intangible assets, and we don't want them to get lost, stolen. We don't want to have to write anything off or reduce the value of those assets due to a breach. What do we need to do in terms of a business to help them understand this cost?
When we talk to a business, it's always in terms of dollars: time costs money, assets cost money, everything costs money to acquire for a business. So we need to understand in dollars what are our assets, and then what is the impact if we lose those assets.
Making the Calculation
FIELD: What are the key factors that go into this calculation that you're discussing?
O'CONNOR: The calculation is extremely simple. We just talked about assets, and we talked about each asset having a value. And again, those assets could range from a physical device to a single piece of information. Each one of those has a cost associated with it. That cost could have been to acquire it, store it or to develop that content. All of those things have a cost.
What we do is take the number of those assets and bucket them into groups of cost to acquire. A piece of personal information, a single user record or a single PII record -- we actually have a good estimate of what that costs if we lose it. So what we do is take the total number of those and do a very simple calculation: What did it cost us to acquire and what is it going to cost us if we lose it? And we just multiply those together and get a result.
The Ponemon Institute does a yearly survey and asks companies what their estimate of a breach cost happens to be. The last one that I saw, from 2013, was roughly $135 averaged across the globe and about $199 per record in the United States. The reason for the discrepancy is that in the United States, we're a little more litigious than the rest of the world. The cost goes down as we distribute that across global presence.
Value of Assets
FIELD: How do you assess the specific value of those assets?
O'CONNOR: This is probably the hardest thing for us to do. With a piece of personal information, we have a pretty good estimate. You could also look at the laws in your particular jurisdiction, because there are penalties if you lose certain records. We've seen, over this year in particular, healthcare companies getting fined and litigated against, and they're losing money that way based on the number of records that have been disclosed. What we need to do here is understand what it would take us to acquire, and what happens if we actually lose it.
A good example is, if you're a media company, how much time did it take you to develop a piece of media content? This is timely for this particular interview. We've seen this. We've seen people using very high value assets, disclosing those to the internet. We've also seen companies losing multiple records. So people's personal information being disclosed, health records being disclosed, and we've actually got disclosed information about the cost of these things. You get some sense of the value of these records by what you're seeing other companies incurring from a cost perspective. So again, a simple calculation for your organization is: How much did it cost us to acquire, how much do we expect that asset to bring in from a revenue perspective or, alternatively, brand information or marketing information, how much do we expect to gain from that information from a dollars perspective?
If we lose the information, what is the impact to our business per asset? Get an estimate for that. Your organization might already have an estimate. I've actually worked with organizations that have done a cost projection on what it would cost them if they lose a single record to do mitigation, to account for litigation costs, and to estimate what it would cost to get protection services for identity and fraud, etc. So if you have a number for that asset -- and it could be projected, it could be a real tangible number that you've come up with. If we lost a laptop or we lost 30,000 records, what is each one of those little things going to cost us?
FIELD: How do we account for reputational damage in the event of a breach?
O'CONNOR: This is probably the hardest thing for us to determine. We've had very high-profile breaches. So does that breach mean that somebody's going to stop shopping at your store? Does it mean that they're going to stop using your products? Does it mean they're going to have less trust in you as an organization to store their data securely? The answer to all of those is probably yes, but what's the impact? How much of that is going to happen? We don't have good estimation models for that. The people that have the best estimate of this are generally in the marketing department. The marketing department understands how much it cost the organization to build its brand. How much did it cost them to market my brand? How much did this cost me throughout the year? And then if something bad happens -- if one of our executives does something bad or something is disclosed by another organization -- what is that impact?
Generally speaking, this is usually a large organization. They have someone that has this calculation. If we do something bad, how much will it cost us to do the PR to mitigate that impact? It's not a matter of if we're going to be breached as organizations; it's when, and how big is that breach going to be and how impactful is that breach going to be? There is so much there. There are so many assets sitting out in all of our organizations that it's really a matter of when and how do we mitigate that impact.
The organizations, when they do this estimation model, it's a percentage of how much they've spent to build up that brand or equity in their brands. They'll use that estimation to give you a cost. So talk to your marketing department, talk to your PR department. A really simple question I ask is: If something bad about our organization is disclosed, what is the impact going to be from a reputational standpoint, and how much will it cost us to mitigate that through PR? There's no calculation that we can do offhand to gauge reputational damage. We are starting to have evidence based on what's happened to other organizations on the impact of those. It's going to vary across organizations, what they do and the type of assets they have.
Turning Calculations into Security Budget
FIELD: How do I turn this calculation into a business case where I can help secure more budget for security?O'CONNOR: I'll stop us there and say this isn't about budget; it's about doing what's right for our business. So, we already have a calculation that's going to tell us how much this is going to cost us if something bad happens. We've got a number of assets. We've got a cost of those assets. And we multiply those together, and that gives us our profile. So now we've got X amount of potential impact to the organization if a certain number of records are disclosed. I usually take the lump sum if I do this in an organization. I'm always trying to figure out what products or services we probably need to do as best we can to secure those assets. I've already got a budget that I have in mind, and you should have that as well. We often hear people say "another Target" - it's not about if you're a Target or if you already have the security stuff [and] think that you're already secure. Everybody on the internet is a target. Devices aren't foolproof. You need multiple layers of defense. So make sure that you've got that bucket in mind - of products, services, budget - that you're going to need.
Now I'm going to talk about how we sell this to the business. And it's really a feeling, so you have to make sure that the business understands the risk and what it's going to take to mitigate risk; map it to concepts in terms that they understand. So what does the business understand? The business understands dollars. When we discuss risk models, I'm going to give you a very simple example. This works for any organization. You've got three different buckets: High, medium and low. Depending on your organization, those buckets might have different thresholds. The threshold is the amount of money we think we're going to lose or is going to be impacted by something. That something, in our case, is a security breach. And those bucket sizes, take a bank for example, might be $100 million for the low end. So if it's $100 million or less in impact, that's in the low-risk bucket. If it is $100 million to $500 million, that's a medium risk bucket. Banks have really big buckets for their risk models. If it's $500 million and everything above that, [it] goes in the high-risk bucket.
What we do is take that calculation - we've got our assets, the cost of those assets - multiply the two together, and say, for this type of asset, we have a potential loss of $150 million. We've got 100 million records at $1.50 each, whatever that happens to be. That's a low risk. That's not good because we've got -- that data could have a huge impact to our reputation. So now you go and you get that number, if you can get it, and you say, okay, well, if something bad happens, what's the PR cost? So we add that on top. So maybe that's $50 million. So we're getting close to a medium risk.
What about all the other assets that I have? What if we lose different types of assets that are somewhat similar to the type of asset that we're talking about? Let's say it's PII, [that] has a good estimation. Let's just say $135 per record, and we lose four million records. Now we've got a $400 million loss or thereabouts. Now we're falling into the high-risk bucket. We can go to the business and say, "Okay, here's all of our calculations, here's what we need to protect it." Your budget might be $20 million; it might be a very low amount to protect an organization of that size. We need X, Y, and Z, and here's why we need it. And then you map it to their risk model. Every organization has a risk model; it might be in our head, it might be on paper, but they've got a risk model. They say, "Okay, this is going to really hurt me, it's $600 million worth of risk. It's in our high-risk bucket, we're going to prioritize that now and make sure that we get that in the budget for either next year or now. They're going to prioritize it somewhere.
The key thing here is to educate - and I do this all the time. You need to educate your IT personnel and executives on how to communicate risk to the business effectively. You need to make sure that you're using the terms they understand and are putting it into quantifiable elements. The bottom line is, everybody uses money, so it's what's the impact in dollars to us as an organization.
Starting the Assesment
FIELD: Where does this assessment process start, and who needs to be involved from the outset?
O'CONNOR: If you're in risk management, the IT security organization or the company's security organization as a whole, you need to take an inventory of all of the things that could have a direct impact to your organization. That means that they're going to look at all of your assets. This is no different than any other organization out there. If you manage a warehouse, what are the goods in my warehouse? If my warehouse burns down, what does that cost? If somebody comes in and steals a bunch of pallets, what does that cost my organization? You don't have to go into the nitty-gritty with this inventory. Get high-level numbers - if you're looking at PII, and I used to work for a company that had a tremendous amount of PII, I would just go to the people that manage the database and ask how many records [there are right now]. I'd tell them, "Okay, these are the records that I'm looking for." They'll do the quick count. That can give you a count of those assets. You can do that pretty simply.
You also know the physical assets. How many laptops do I have out? Out of those laptops, how many people might have sensitive data? And usually it's all of the laptops. Everybody in the organization could have sensitive data on their laptop.
Now that I've got the inventory, I need to bucket it into different types. So I've got my physical assets, I've got my informational assets, then I've got my what I like to call intellectual property. So these are things that we've developed that have cost us time and money to do, and that might have a revenue impact in the future if it gets disclosed. Maybe I'm a software company and my software gets leaked to the Internet and people are downloading it for free. That has a real bottom line impact to my business. I want to make sure that I've got all of these different types of data, get inventory to them, and measure the value.
Assume that worst-case scenario, you lose all of them. It won't happen that way, but let's say you lose everything; we have to bring out to the board and say this is worst-case scenario. And then you've got the other things, which are intellectual property. We've done research and development, this costs us time to make, and it would cost us a huge amount of money if we lose it. If evident right now, it will be interesting to see what the numbers turn out to be. We've had some organizations recently lose intellectual property that's going to have a real impact to their bottom line. We don't know what that impact is yet, but it's going to be a tangible impact to their bottom line in loss of sales. So it will be interesting to see what that correlation happens to be.
It's going to be wildly variable for organizations. So different organizations have a different cost associated with both developing that content, releasing it and making money off of it. But very simply, do an inventory, put them into bucket types, and then put a value estimate on those bucket types.
Hiring on a Bare-Bones Budget
FIELD: I don't have budget to hire additional headcount to manage applications and data center security, my key vulnerabilities. What do you suggest?
O'CONNOR: This is a question that comes up a lot. While I'm not directly in a sales organization, I do run a services organization, and that comes up a lot. The customer says, "How do I justify this? I don't have any budget right now, I know that we need to do something, but I just don't have it. I don't have the budget, I don't have the ability to get headcount, I don't have the expertise in my organization. So what do I do? How do I figure this out? How do I either justify that cost to the organization and we get the money and address the situation, or, alternatively, how do I train my people up or use services that I might already have to get me where I need to be?"
This is the salesman's job, and internally I would say the information security department, we are constantly sitting between different organizations. We're getting everybody at the table and discussing issues across the fence. Every organization has silos. We're discussing these risks. We have a better picture of the risk to the organization. We generally understand that we're not in a shape where we feel comfortable with our security posture.
Again, it's not about acquiring budget; it's about getting the appropriate level of protection for the business for these different situations. We have an overarching view of the organization from an information security or cybersecurity perspective; the organization needs to realize that this does not just stop at my database and the information [in it], or the information on my laptops. This now traverses that software that I just developed. What if it gets released to the Internet? What's the impact on the business? What if there is a piece of media that I've developed and it gets released to the Internet? What's the impact to my revenue stream? These are all things that come into play.
If you have a diamond, it's worth $100 million, you don't put it in a paper bag and walk it down the street. You're going to get a big vault. You're going to get strong security systems. You're going to guard it. You're going to get whatever you need to do to put an appropriate level of protection on that particular asset. That includes insurance, so don't count out insurance. Most companies have insurance for this type of thing, but it's been much harder to get, and it's going to get much more expensive because now we have dollar signs associated with types of breaches and the information across the business. Most businesses have some sort of insurance that protects them against this, but it's generally not enough. It's usually not enough to help us with these high-risk items.
This same methodology needs to apply to those critical business assets. So now we've got a calculation, a risk profile. We can communicate it to the business and say, "Listen, if you don't do something, here's the potential impact. Are you telling me that I can't have budget or are you telling me that I'm not going to get enough budget but I can have something?" So if you get something, you need something. You can't get extra headcount or extra devices this year, but maybe you scale up for next year. You know that you're not in a good security posture and have communicated that to your board, and now they're culpable for that.
Something's going to happen. We've done our job. We've educated our organization. Now we need to get resources, and those resources could be people, time, additional services from organizations that we already contract with. It could be money to get extra devices. If you have good IT partners, do they have services that are going to give you that level of protection for those assets? Will they manage it all for you and can you just go and get one big number from your organization and communicate that down?
You don't have the budget now, but you need to make sure that the organization is aware of where those gaps are. That's really our job as security professionals is to outline the risks, outline what we need to do our best job at mitigating those risks, showing the organization the gap, and then having them make that decision on how they want to mitigate that risk. We are partners with the business. We are explaining to them what the risk pool looks like in a very simple, easy-to-consume manner. So we have very simple calculations that they can understand where we come up with these numbers.
We've gotten inventory of our assets now. We've bucketed them into the different types of assets. We now have risk numbers associated with that because we have a risk model and put it into different buckets in the risk model. Let's not talk about budget; let's just talk about securing the organization. This all comes into play when we go to the organization and say "Here's what we need to do to get to a better posture." We can never tell an organization, "We are going to completely mitigate this risk for you." We just need to tell them this is probably the best posture we can be in, here's what we need to get there, here's the risk associated with not being there; help us to make that decision. We don't have any current budget, we've got all these partners that can potentially do these things for us, or we need these devices and we need some additional headcount. This is what we communicate to the organization. Ultimately, they make the decision.
They're going to give us a yes or no. Generally if you're in security and you've done auditing or you've done risk management, you push a piece of paper across and you say, okay, well, I showed you what the risk is, I need you to sign off that we're accepting that risk or that we're going to defer that risk until we can address it. But the organization is going to make that determination. They're going to give us money or they're not going to give us money. But at the end of the day, we've made them aware, we've done our job, and now it's a matter of [if] they're going to give you something because they understand that this risk has a real tangible impact to the organization. Nobody wants to be culpable for that risk. I would never want to be culpable for a giant risk to my organization. But at the end of the day, your senior management, they're culpable. They need to make sure they understand the risk, that we communicate it to them in a very easy-to-consume manner, and that they are doing what they need to do to address it.
Maybe they say, "We just can't do it this year' we don't have the funds or the capability to do it, but we can do it next year, and this is the timeframe." We will put it into our risk register that we're going to address it at this time. That's what we do in cybersecurity. We make the business aware. We tell them what we need to do the best job that we can at mitigating those impacts, and then they make the determination on when and what we get to make that possible.