The annual Ponemon Institute Cost of Data Breach Study shows a drop in the average cost — direct and indirect — of a breach for the first time in the seven-year history of the study. The likely explanation? More customers are sticking by victim companies.
My first instinct is not to draw any sweeping conclusions from the findings, because the study, sponsored by Symantec, represents in-depth research of selected victim enterprises in the U.S., rather than a survey that purports to draw on a statistically reliable sampling that accurately reflects the experience of companies across the country.
That being said, the size of the decline in the total cost per breach, $7.2 million in 2010 to $5.5 million in 2012, and in the average cost per compromised record, $214 to $194, is sufficient to make me sit up and take notice. And Ponemon takes care to be consistent year-to-year in the types and sizes of enterprises it selects (in this case, 49 companies from 14 different verticals) and to interview a number of people (400 for this study) to get a comprehensive view of each company’s experience. Moreover, Ponemon has a very specific and consistent methodology for computing costs, based on the information extracted from the subjects.
So how to account for the decline after a continuous string of increases, putting aside the possibility that it’s an anomaly based on the particular mix of companies in this study? Customer notification costs were higher, more than offsetting a drop in detection and escalation costs, so the answer doesn’t lie there.
Customer churn — or, rather, the lack of churn — is by far the single biggest factor in this year’s report. We typically cite the loss of brand reputation and customer loyalty when we talk about risks associated with major data breaches. It stands to reason that people are going to tend to take their business elsewhere if they think you’re not protecting their personally identifiable information (PII), credit card numbers, health records, etc.
Perhaps customers have become inured to data breaches, or recognize that even companies with strong security programs get breached. In any event, the numbers are startling: the cost of lost business went from $4.54 million per incident in 2010 to $3.01 million in 2011, accounting for most of the overall decline. Ponemon quantifies this as the aggregate cost of abnormal customer turnover or churn, increased customer acquisition activities (e.g., special deals or other incentives to retain or win back customers or attract new business), reputation loss and diminished good will.
That’s good news for businesses, if the findings actually represent a trend, but it would also suggest that data breaches represent less of a business risk than in previous years. Still, $5.5 million per breach should be sufficient incentive to maintain a strong security program. [Note: Ponemon caps the breaches studied at no more than 100,000 records so that the averages are not skewed by unusually large breaches in the tens of millions of records.]
The headline news aside, the most instructive findings, which remain pretty consistent year to year, are the factors that affect the cost from one organization to the next. Enterprises that have someone in a CISO or equivalent position have a significantly lower cost per lost record: $80 per record lower than other organizations. This reflects not so much the existence of such a position as an enterprise’s level of commitment to security and its high profile in the organization. Bringing in outside consultants lowers the average cost by $41 per record.
Not surprisingly, companies experiencing their first data breach pay an average $37 more per record than those which have been through the wringer before. Stands to reason that companies get better with experience.
Interestingly, rapid customer notification is not necessarily a good thing. Companies that jump to notify people that their records may have been breached tend to act before they have made a full damage assessment, and wind up notifying too many people, at a cost of an extra $33 per record.
Multiply these figures by tens of thousands of records, and the cost adds up. As a congressman said about federal spending, “A billion here, a billion there, before you know it, you’re talking real money.”
Employee negligence — lost laptops, etc. — is the primary cause (39%) of data breaches, followed closely (37%) by malicious attack.
Some of the lessons:
- Good security helps pay for itself. Organizations that give security a seat at the table save money in the event of a breach. Despite strong security programs, bad things happen to nice companies, but they can reduce the impact.
- Hiring outside expert help pays off in the event of a breach.
- Stupid-proof your data. Implement clear policies about storing sensitive corporate information on mobile devices, including laptops, and enforce them with security technologies, including full disk encryption, removable storage management, mobile device management and data leak prevention tools.