Euro, pound, yen and yuan, no need to feel left out, no physical border has stopped the possibility of data breach so far. Still, here in the U.S. it’s a key factor in many technology budget/risk calculations. So just what does it cost to get hacked?
A recent article from the Ponemon Institute has attempted to find out. According to their 6th annual report on the subject (for 2010), researching 51 U.S. companies with breaches, from 15 market segments, the costs are on the rise. In 2009 they found the average cost per record breached was $204, increasing in 2010 to $214/record. They found the average Data Breach cost a company $7.2 million, something no boardroom can scoff at.
Recent headlines are dotted with data breach incidents, as Randy Abrams and David Harley have highlighted. Some feel the public will care less over time as headline prominence may fade, lessening the financial impact, but it hasn’t happened yet. Also, some market segments clearly have more potential exposure risk, (i.e. financial institutions) than a small retail store would. On the other hand, while a small retail shop would have lower numeric dollar cost, the results can be even more devastating, especially in light of the recent credit shortages threatening small business cashflow, affecting their ability to rebound.
Meanwhile larger institutions, possibly able to shunt the initial financial blow, have higher brand damage costs, which may be even more difficult to deflect and quantify in a hyper-competitive marketplace, i.e. PS3 vs. Xbox 360. When customers have that kind of choice, they may favor the one they view as most secure.
In either case, the study finds that knee-jerk reactions are costly. Taking the time to do proper forensic analysis may take time, but it’s more than offset by having an accurate unified message to those directly impacted, rather than hasty blanket statements sent to a larger audiences which may not be impacted. This drops directly to the bottom line. It seems companies are just eager to “get this over with”, an understandable position. In a recent example, the forensic evidence of a breach was eliminated altogether in a hasty effort to restore functionality, making analysis all but impossible, or at least inconclusive. The lack of a proper post-mortem also stymies the process of determining how to prevent further similar breaches.
Bottom line, there’s a price to pay, either for prevention or cure, and it’s rising. More good news: many of the data breaches could’ve been prevented and/or blunted by relatively simple use of industry Best Practices, not necessarily breaking the organization “Piggy Bank” in the process. But upper management and shareholders sooner or later have to realize the high cost of doing nothing, and that cost is rising.
Author Cameron Camp, ESET