Inside the Cost of a Breach
Larry Ponemon on Breach Evolution, Impact, Prevention
The average per capita cost of a data breach is down, according to the latest Ponemon Institute study. But as the Global Payments breach shows, organizations still have many reasons to be concerned, says researcher Larry Ponemon.
"The moral of the story is organizations need to be vigilant," says Dr. Larry Ponemon, founder of the Ponemon Institute, which conducted this year's Cost of a Data Breach study with sponsorship from Symantec. "You need to keep your eye on the ball," he says in an interview with Information Security Media Group's Tom Field [transcript below].
According to the annual report, the average per capita cost of a data breach has declined from $214 per record to $194 since 2011's report. "But I don't think we should start celebrating and saying, 'Yay,'" says Ponemon, who offers his theories on the reasons behind the reduction.
Complacency is part of the equation, he says. "We think people in general may be becoming numb to the data breach notification process," Ponemon says. "Most people have received at least one data breach notice; they may not even be aware of it because they don't open their mail. They may see it as junk mail."
Another factor, he says, is the rise of intellectual property breaches, which are not a part of the annual study. "We focus on one type of data breach - the type of data breach [of personal records] that requires notification in the United States and then other parts of the world - but in reality there are other, maybe more costly, data breaches that companies are experiencing every day," Ponemon says.
To detect and prevent breaches, organizations need to add intelligence systems to their repertoire of tools. These include network, traffic and security intelligence tools. "These tools help an organization achieve a higher level of transparency," Ponemon says. "It ... helps them to understand patterns that basically you want to investigate because they're irregular, they're rare events."
Having detailed intelligence can grant an organization the ability to discover an issue much faster.
Other prevention tools he recommends include data loss prevention. "It's almost hard to do it manually, especially for an organization of ... more than 100 employees," he says.
"Tools will help identify when there's an irregular outflow or something looks suspicious, and with these tools an organization could be much better, much faster at identifying a breach," Ponemon explains.
In an exclusive interview about the breach report, Ponemon discusses:
- Why breach costs have declined;
- Organizations' top vulnerabilities;
- The most effective technology solutions to prevent breaches.
Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy, data protection and information security practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Dr. Ponemon was named by Security Magazine as "Most Influential People for Security."
Ponemon Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in various industries. In addition to Institute activities, Dr. Ponemon is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute. He is a Fellow of the Center for Government Innovation of the Unisys Corporation.
TOM FIELD: This study is in its seventh year, is that correct?
LARRY PONEMON: That's correct. This is the seventh year in the United States, and we've also conducted a comparable study in other countries, in fact eight countries in total this year.
Breach Costs Decrease
FIELD: The news everybody is talking about this year is the actual cost of a data breach decreasing. Can you talk about that a little bit, please?
PONEMON: Since we started the study seven years ago in the United States, we saw an increase in data breach cost, and it was small, sometimes not a significant increase, but a steady increase both in the total average cost of a data breach and the per capita cost, which is really a cost on a per compromised record basis. This year, we were surprised, and I was personally stunned, to see that the average cost as well as the per capita cost decreased substantially.
Let me give you some numbers. In 2010, our previous study, the total average cost of a data breach was approximately $7.2 million and that decreased to $5.5 million this year. It's still a significant amount. $5.5 million is not chump-change, but that represents a 24 percent decrease. On the per capita cost side, it went from $214 per record to $194 per record, which is a little over a 10 percent decrease, or a $20 decrease. It was very surprising to us that cost decreased, given that people still care deeply about their privacy and they really don't like getting a notification that their data has been stolen or lost.
FIELD: To what do you attribute the decrease in the cost per breach?
PONEMON: We believe we know the root cause of that decrease. We think people in general may be becoming numb to the data breach notification process. Most people have received at least one data breach notice; they may not even be aware of it because they don't open their mail. They may see it as junk mail. But the moral of the story is people do care about privacy; they expect organizations to protect their data. But the fact that so many data breaches occur, it seems like on a daily basis that people are - as I said before - numb by the whole thing so they become indifferent and may become complacent, which is dangerous because people should care when an organization loses their data and they should be proactive in managing the potential consequences or risks like identity theft that can occur as a result of data loss.
Certain Breaches Excluded
FIELD: It probably should be pointed out - there are certain types of breaches that aren't included in this report just so it wouldn't skew the numbers. Can you clarify that a little bit?
PONEMON: Sure, and that's a good question and I appreciate that you asked that. Each year, we focus on data that requires notification to regulators and to breach victims, so we're really looking at data like customer information, employee information, information that identifies the natural person. But obviously there are many other types of data breaches. Data breaches of intellectual property, for example, would not be included in our study and obviously that could be very, very costly. My gut tells me that the number is probably much more substantial than the cost of a data breach resulting from customer and employee data being stolen. We focus on one type of data breach, the type of data breach that requires notification in the United States and then other parts of the world, but in reality there are other, maybe more costly, data breaches that companies are experiencing every day.
FIELD: So in other words, someone might look back on 2011 and say, "Wow, we had RSA, we had Sony, we had Epsilon," but those are not the types of breaches that would be included in your study?
PONEMON: Exactly. If an organization steals data about a customer or that of an employee, it's fair game and we'll study it. If an organization is stealing the source code of a company or the architectural rendering or product plans or board-of-director minutes, this information is very, very valuable to bad guys but that's not part of our study. Now, I will tell you that we're starting to look at this issue, and will most likely start the study, a broader class of data breach, over time.
Top Headlines From Report
FIELD: Beyond the cost reduction, what do you see as the major headlines from this year's study?
PONEMON: Well obviously the cost reduction issue is important, but again I don't think we should start celebrating and saying, "Yay." The costs are relevant; the costs are still pretty significant for most companies. I also think that a theme of this year's study from a root-cause perspective is it seems as if malicious or criminal attacks are on the rise in which case organizations will actually experience a cost increase.
Remember, last year's average cost of a data breach was $214. This year it is $194. But if an organization experiences a malicious or criminal attack, it's actually $220 per compromised record on average so we shouldn't be celebrating because malicious and criminal attacks can actually be a much more serious type of data breach that could be much more costly to organizations.
So I definitely think that's another major finding of our study this year, and we also find that organizations can do something about cost. For example, if an organization has a chief information security officer, they have good governance and control practices in place, they're using enabling technologies like data loss prevention tools or encryption or tokenization, organizations can actually substantially reduce both the probability of a data breach and the cost of the data breach. So there's actually a happy message in these numbers as well.
'Organizations Can Do Something'
FIELD: When you take a step back from the report, what type of conclusion should we be drawing from this annual study of the cost of a breach?
PONEMON: The main issue is that an organization can do something about the cost of a data breach, but it's impossible to stop all data breaches. Even the best organizations, organizations with the best controls and the best technologies, will very likely experience data loss of some kind or data theft of some kind over the course of the year or several years.
The second best thing that we can do, given that it's a reality that data loss happens, is to make sure that you're prepared. Have an incident response plan. Have identity protection services. Make those available to consumers and customers. Just basically be prepared for it. As I mentioned a couple of seconds ago, technologies like DLP, encryption and others are very important, but the full story requires organizations to have good control and governance practices in place and in general you need a leader. That's why we find that organizations that have a chief information security officer with overall responsibility for data loss or data theft, those organizations tend to actually incur a lower cost on average. So even though there's a big salary that we pay to CISOs, it more than pays for the salary. There are things that organizations can do to reduce that cost.
FIELD: You've had the opportunity to really study these breaches in some detail. Having looked at these incidents, what are some of the lessons that we should be learning from the breaches that we've experienced?
PONEMON: One important lesson is that organizations need to be mindful that the problem may not be their IT organization, but it could be a third-party, an organization that you entrust your data to, thinking that the organization has comparable security and data protection practices and policies in place. Unfortunately, a lot of organizations are too trusting of their third parties and now with the birth of cloud computing we have to be really, really careful when we make a decision to work with a third party that would have access to our crown jewel information, our most sensitive or confidential information. We see a lot of organizations making the mistake that if they have a legal contract and they review maybe some evidence that the organization had an audit, like a SAS 70 or complied with ISO, that their job is done; everything is okay. We find that a lot of data breaches really result from an insecure third party. You mentioned before Epsilon. Epsilon is an e-mail marketing organization and basically they had a problem that had affected their business customers, because business customers assumed that Epsilon had their security nailed down.
The moral of the story is organizations need to be vigilant. Data loss happens all the time, and as I mentioned before it's not just data about people or households or customers or employees. It could be your crown jewel data, your trade secrets, the things that organizations spend a lot of money protecting. You need to keep your eye on the ball. I think that's the moral of the story.
FIELD: Now you've talked about the third-party vulnerabilities. Within organizations, what emerged as their top vulnerabilities in-house?
PONEMON: Well, from an in-house perspective, we think about the criminal being like a hacker somewhere in China or maybe in Central Europe or Russian Federation, and it does happen. Bad guys do try to steal data from remote locations, but there's also the dangerous or malicious insider, and we find in our study - and not just this year but over seven years - that the insider problem can be a big problem.
Organizations need to be vigilant. They need to look at what people do. They need to have tools that help them understand when a person is off the reservation, so to speak, and they're operating outside of their space. They need to nail down the way they issue privileges to people. In general, that insider problem is still a very significant vulnerability that organizations have not managed effectively as of yet.
Another issue on the technical side, applications, now where we see mobile applications and web-based applications and cloud applications, we have kind of a mess out there. A lot of these applications that we assume are okay because they're used widely, we wrongfully reach the conclusion that they're safe and they may not be. So I think this whole area of application security needs to be a much higher priority in the list of security steps that organizations take. We've done other studies as well to show that a lot of the security spending and effort is on the network side, and very, very little of the spending is on the application side. So again, organizations need to be vigilant. If they're using commercial applications, especially in kind of the mobile universe, we need to be careful and not assume that everything is safe simply because it's used widely and used by other organizations.
Top Prevention, Detection Solutions
FIELD: You talked about some of the technology solutions. What jumps out at you as some of the most effective solutions that organizations are doing to prevent or detect breaches?
PONEMON: Well, let's look at that whole issue of privilege that I mentioned a second ago. Organizations are starting to use security intelligence systems. It includes things like SIEM and network intelligence and even traffic intelligence, and these tools help an organization achieve a higher level of transparency. It basically helps them to understand patterns that basically you want to investigate because they're irregular, they're rare events. It helps you to have a much lower false-positive rate so when you're spending your time investigating what may be a potential breach or an issue, you have the ability to kind of get at that issue much faster. Network intelligence, traffic intelligence and security intelligence tools like SIEM become very, very helpful to organizations.
Now on the other side, in managing your data protection responsibilities, it's almost hard to do it manually, especially for an organization of any size, like more than 100 employees. So I strongly recommend organizations consider using DLP, data loss prevention tools, the inverse of a firewall. A firewall prevents bad guys from getting in so what you're trying to do is protect the organization from wrongful getting to the information in the form of documents that are attached to e-mails or USB memory sticks being used incorrectly.
The moral of the story is there are tools that will help identify when there's an irregular outflow or something that looks suspicious, and with these tools an organization could be much better, much faster at identifying a data breach. It's not just about preventing a data breach which is a good thing to do, but it's also about quick detection and fast remediation, so DLP becomes helpful.
Finally, I'm a big fan of encryption, if you have end-to-end encryption, you have encryption of data at rest, you have encryption of data in motion, and you have e-mail encryption. There are lots and lots of tools available to basically secure confidential and sensitive information. There are other crypto tools that also may be helpful like tokenization and also there are new tools that are developed like dynamic data masking. It wasn't around a few years ago, but this technology allows you to protect information in not only the development mode but also in production.
In total, organizations have tools. They may be expensive in the short-term, but if you look at the total cost to manage your data-protection responsibilities, I think these tools more than pay for themselves. So, definitely, organizations need to focus on these.
FIELD: We haven't talked about different industrial sectors. Are there industries that you're finding are more prone to breaches now, and over the course of the seven years do you find that some of these industries are learning and applying lessons?
PONEMON: Good question. Basically, there are industry differences. Each year we do our benchmark study and one of the problems with our benchmarking process - because it's rigorous and it's so detailed at each organization - we tend to have small sample sizes. You do a survey; you have 1,000 people. You can cut and divide the organization by industry very easily, but when you have a sample, even a good benchmarking sample of 45 or 50 organizations, it's hard in a given year to look at an industry effect.
We've done hundreds of data breach studies over seven years, not only in the United States but around the globe, and now we have critical mass by industry and it seems financial services have the most expensive data breaches. I think the reason is when a financial services company, like your bank or your insurance company or your brokerage company ... loses your information, you're really disappointed. You basically set very high expectations for certain industries that are trusted, like financial services. So basically when an organization has a data breach, like a financial services company, you're more likely to churn or you are more likely to disengage. Remember, when I say churn, it's not in every case that an individual decides to leave, but in financial services what we see people doing is they'll find another comparable financial services company and over time they'll start shifting their resources, their money, their investments, even their home mortgage, to the other organization. So again, it's an expensive proposition for financial service companies.
Healthcare as well is usually above the mean, and below the mean, interestingly enough, are retail organizations. What's weird about that finding [is] retailers have your credit card information, so some of the same information that you would value if a bank lost that, you may not have the same perception if a major retailer lost that information. It's still expensive, but it seems to be much less expensive for organizations in retail.
Finally, public-sector organizations, government organizations experience a lower loss simply because they're monopolies. If a bank loses your information, you find another bank, but if you're the Veterans Administration and you lose someone's information, a veteran's information, you don't have another Veterans Administration to go to.
FIELD: A follow-up on healthcare, if I may? We've seen the U.S. government put a lot of emphasis on breach prevention in healthcare, and of course healthcare organizations are being more vigilant now to detect and prevent. Do you see this emphasis showing up in your study at all, any fruits of their labor?
PONEMON: In our study we find that healthcare organizations are still experiencing a fairly high rate of data breach, and when a healthcare organization suffers a data breach, and it's a patient record, it could be much, much more damaging, obviously, to the individual, because not only are they subject to normal identity theft crimes but they're also subject to medical identity theft, which in another Ponemon study we show that it's a much more expensive proposition for the average consumer. Clearly, healthcare organizations are subject to rigorous rules, and for many years with HIPAA and HITECH, now these rules apply broadly to business associates and other organizations that acquire and use patient health information. All of this is a good thing for healthcare, but the evidence suggests that healthcare organizations still have a long way to go.
FIELD: We've talked about a lot. We've talked about application security, about third-party vulnerability, mobility. What are the breach trends that concern you the most?
PONEMON: Probably the number-one trend, and it does concern me quite a bit, is that the bad guys, the cybercriminals, are getting smaller and stealthier. And even with these wonderful tools like network intelligence or security intelligence or tools that we discussed a couple of seconds ago - it's really hard sometimes to see the criminal activity until it's too late, until your information is stolen and lost. The type of information that's being targeted is not the large databases. It's not everyone's credit card number. I mean that's still a major target, but it's also that other type of information. I call it intellectual property data. The bad guys are becoming much more surgical and they're becoming much more efficient at stealing information. My concern is that most organizations would not have the ability, the wherewithal, to detect it, because they don't have the tools or they don't have the infrastructure. That really is a big problem and that's why I mentioned before that the focus of this research is on data about people - customer and employee - but the data that involves economic espionage, intellectual property, may be a much, much more significant problem for organizations.
FIELD: And again you've talked about application security, DLP, encryption and network intelligence. What are the technology solutions that do encourage you the most in preventing breaches?
PONEMON: I definitely feel DLP and the widespread use of encryption, not just as a point solution but using it strategically, are really positive trends. But we also see organizations that are moving to the cloud, so we're seeing cloud security technologies that give a little bit more control to the cloud user, so I think that's a positive side. I also think that ... we're starting to wake up to the reality that cloud may not be safe, so cloud providers are stepping up their security efforts and perhaps over the next couple of years the cloud will be even a better place, a much more safe environment for data protection. These are encouraging signs.
On the negative side obviously, we have disruptive technologies, mobile technologies; people are using Facebook and they're using social media in the work place. All of these issues, they may seem extraneous but they actually increase the security risk and reduce the security posture of organizations.
Again, I'm upbeat on enabling technologies, but I still think we have a long way to go, and keep in mind that it's like a game of chess. We take one step and the bad guys move their pawn or their queen in a direction. So it's not something we could ever develop a solution that's perfect or even near perfect, given that we're dealing with cybercriminals, and people, who really drive and make a living stealing information.