Recognition of information security responsibility is reducing costs of breaches.
From time to time I look over the Ponemon Institute reports related to data breach costs to get a feel for the business value of securing data. After reading the most recent Ponemon Institute report, I want to talk about the interesting executive summary highlights.
The cost of a data breach declined in 2011.
- Opinions vary on why costs would decline, but the decline can generally be attributed to two things: company preparation prior to the breach and lower customer churn. When companies can draw on preparedness and mature response capabilities, the costs of a breach are spread out over time rather than incurred all at once. The report also notes that a calm, unhurried response leads to less spending after a breach than a panicked one.
More customers remain loyal following the data breach.
- I think two factors relate to this point: the prepared are forgiven, and exposure teaches. Customers who see a company with security features in place, and one prepared to deal with a breach, will readily stay with that company. This reduces churn and therefore the cost of a breach. Companies have also learned from previous public exposure events how to manage customer relations after an incident. We have learned that concentrated and deliberate attacks are unlikely to be rebuffed entirely, but a direct and honest response can score points with consumers and regulators.
Negligent insiders and malicious attacks are the main causes of data breach.
- This makes sense on a fundamental level. How else could data be lost? It must be negligence or maliciousness, and I’ll contend that the one enables the other.
Certain organizational factors reduce the overall cost.
- Organizations with direct information security leadership showed lower breach cost metrics. This means the company has focus at the top for information security issues, including breach response efforts. The role is described as a CISO, but the representation could take many forms; what matters is the assignment of the responsibility together with the corresponding resources. The report also notes that engaging experienced third parties during a breach event can reduce the loss.
Detection and escalation costs declined but notification costs increased.
- Regulations and mandatory standards for information security practices relating to specific types of data explain this point. The mandatory requirements let companies prepare and budget for the tools that provide detection, and they also inform companies of proper methods and processes for escalation. At the same time, stronger notification laws have compelled more frequent notification activities, increasing how much companies spend on that step.
Breach costs are being reduced, but only for organizations that are prepared and that have assigned a direct leadership role for information security. As with most things in IT, preparedness results in the most cost-effective outcome when negative events occur. Assigning focus via a dedicated leadership position is the most important step a company can take.
Image Credit: Don Hankins
About the Author: As Director of Compliance and Security Services, Ed Welsh maintains and guides a dedicated team in the delivery of Layered Tech’s compliance and audit services. Ed’s 16 years in IT security include network and web application security experience from positions in the financial industry, HRBlock, Fishnet Security, and independent contracting. He holds a CISSP certification and has been successfully implementing PCI compliant hosting solutions for the last 5 years.