Tuesday, July 9, 2013

The Cost of a Data Breach

The 2013 Cost of Data Breach Study (pdf report) was recently released by the Ponemon Institute and Symantec. There's lots of interesting data within the report.

Here are my initial impressions from the report:

Cost per Record Breached - $42 - $199
That's quite a range, but it is a useful figure to plug in when weighing the potential cost of a breached data store against the cost of implementing defensive and mitigating controls for it.

Strong Security Posture, CISO, and Incident Management Plans drive down costs
It intuitively makes sense that a mature security program, C-level commitment to security (via a CISO), and good incident planning would correlate with lower breach costs. It's good to see this captured within the report with data points to back it up.

Human Error, Malicious Attacks and IT System Glitches represent nearly equal threats for data loss
Although the report states "Malicious or criminal attacks are most often the cause of data breach globally", the numbers show the three root causes to be close to evenly distributed (the figures below are rounded, which is why they sum to slightly over 100%).
  • Human factor - 35%
  • System glitch - 29%
  • Malicious or criminal attack - 37%
From my perspective it seems the highest ROI may be to first address the human factor and the somewhat nebulous category of "system glitch". I of course wouldn't discount addressing the malicious attacker too, but walk before you run. If you are disclosing data due to employee and system errors, then that's a good place to start.

I hope to dive deeper into the report over the coming days and also compare the findings with other recent benchmarks and studies from this year.

-Michael Coates - @_mwc