Data Breaches More Common, More Expensive
There’s not a lot of good news in security these days. Data breaches are not only more common, they’re also more expensive. They’re more likely to be caused by criminal activity than by accidents. And it appears that some of the most common ways to prevent them are turning out not to work.
All this comes from a variety of security studies out recently. There are three major findings:
- Data breaches are more expensive. “The average total cost of a data breach for the 350 companies participating in this research increased from $3.52 to $3.79 million,” according to the Ponemon Institute’s 2015 Cost of Data Breach Study. “The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.”
And this data doesn’t include gigantic data breaches (because, thankfully, they’re not very common), so Ponemon limits itself to studying breaches of 100,000 or fewer data records.
- Data breaches are more likely to be caused by criminal activity. It used to be a given that, despite the image of the shadowy hacker, most data breaches actually happened due to human error or through malicious employee activity. But now criminal activity is more likely to be the cause—and criminal activity is a more expensive security breach than human error.
“Cyber attacks have increased in frequency and in the cost to remediate the consequences,” writes the Institute in its report. “The cost of data breaches due to malicious or criminal attacks increased from an average of $159 in last year’s study to $170 per record. Last year, these attacks represented 42 percent of root causes of a data breach and this increased to 47 percent of root causes in this year’s study.”
In comparison, system glitches cost $142 per record and human error or negligence costs $134 per record, the report continues.
- Costs and repercussions depend on the industry. Depending on the amount of regulation a particular industry has, its costs could be higher. “The average global cost of data breach per lost or stolen record is $154,” the report explains. “However, if a healthcare organization has a breach the average cost could be as high as $363 and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68). The retail industry’s average cost increased dramatically from $105 last year to $165 in this year’s study.”
Moreover, companies in certain industries—such as health, pharmaceutical, financial services and service organizations—are also more likely to lose customers from a data breach, Ponemon reports.
Thieves are also stealing data from one industry and using it to attack another. For example, the Internal Revenue Service (IRS) recently revealed that it had been targeted by thieves who used stolen personally identifiable information about U.S. citizens to download tax transcripts. Using that information, they went on to submit as many as 15,000 refund requests, which added up to $50 million stolen, according to the Wall Street Journal.
But the thieves might also be hanging onto the stolen information for future requests, notes the Associated Press: Old tax returns can help thieves fill out credible-looking returns in the future, helping them get around IRS filters that look for anomalies in the information provided by the taxpayer.
This ties into recent research from Google that security questions don’t work very well. Ironically, part of the problem with security questions is that people lie to try to make their answers harder to guess—but they lie in predictable ways. In addition, some of these questions are easy to guess because there are only so many potential answers or because there are a number of common answers, while others have answers readily found in social media, Google writes.
What to do? There is a tiny bit of good news, according to the report:
- Having a company’s board of directors take a more active role in the event of a breach reduces the cost by $5.5 per record.
- Some companies are taking out insurance to protect themselves in the event of a data breach, which can reduce the cost by $4.4 per record.
- Having business continuity management involved in remediation can reduce the cost by an average of $7.1 per compromised record.
- It’s also become slightly less expensive to notify victims: Notification costs have declined from $0.19 million in 2014 to $0.17 million in this year’s study.
- Smaller data breaches are more likely than large ones. “While the likelihood of a data breach involving a minimum of 10,000 records is estimated at approximately 22 percent over a 24-month period, the chances of a data breach involving 100,000 records is less than 1 percent,” Ponemon notes optimistically.
On the other hand, costs associated with lost business—such as abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill—are going up, Ponemon writes: The average cost has increased from $1.45 million in 2014 to $1.57 million in 2015.