Wednesday, January 13, 2021

Understanding the Cost of a Breach - Wall Street Journal

Interesting quotes and snippets from the WSJ Pro Research article by Rob Sloan:

  • The costs involved in resolving an incident can be significant, with research showing costs in the U.S. are more than twice the global average at $8.64 million
  • System downtime following a data breach, ransomware incident or denial of service attack is often the largest single factor in the overall cost of a breach. 
  • The Ponemon Institute's Cost of a Data Breach Report for 2020 is the 15th annual survey detailing the costs associated with cyber attacks that result in a data loss event as a result of a remote cyber attack by a foreign state or criminals, a deliberate theft by a malicious insider, or employee negligence
  • The Ponemon Institute study found businesses with over 25,000 employees incurred average breach costs of $4.25 million, while breaches at organizations with 5,001-10,000 employees actually cost more ($4.72 million). 
  • Breaches that result in the loss of customer data records can more easily be compared than those where the attacker's aim is to disrupt and extort a business. 
  • Over the last 12 months the ransom cost alone has increased steeply to almost $234,000, though some victims are paying seven- and eight-figure ransoms. 
  • Unplanned system downtime can be part of a data breach incident, but is the hallmark of a ransomware attack and is the solitary aim of denial-of-service attacks. Coveware assessed the average system downtime of a ransomware victim in Q3 2020 to be 19 days, an increase of 19% over the previous quarter and up from 12.1 days in Q3 of 2019.
  • Lost business, which includes customer turnover, lost revenue and the increased cost of acquiring new business as a result of the reputational hit taken by the victim, is the single largest cost factor in a data breach--40% of the average total cost, representing $1.52 million according to the Ponemon Institute. NetDiligence research puts the figure for lost income for SMEs at an average of $343,000 for breaches that occurred between 2014 and 2018, though the median of $45,000 suggests some very large losses skewed the average costs upwards
  • Perhaps the least public of all attacks are the stealthy operations carried out by nation states. The aim in most cases is to steal trade secrets or intellectual property without being detected and these are among the costs most difficult (though not impossible) to assess. IP can constitute over 80% of a company's value today, but its loss may not cause any financial impact to the victim.
  • Across all companies surveyed, 61% of total breach costs were incurred during the first 12 months, but this fell to 44% of costs in highly regulated industries. Companies operating in the retail, industrial, entertainment sectors (among others) had incurred 92% of costs within two years, while those in the energy, health or financial sectors (among others) incurred 15% of costs after two years. 
  • The negative impact was found to hit a low point around 14 days after the breach announcement, falling on average 7.27%, but had (on average) recovered after six months. The longer term impact (up to three years) was more difficult to establish and research findings differ, though most agree the effect diminished in the long term.
  • There is a lack of research on this subject. Sample sizes of studies tend to be reasonably small and those companies involved tend to be larger. 'Mega-breaches' involving the loss of tens or hundreds of millions of customer records can skew average figures and create substantial differences between mean and median costs. There is no single methodology for estimating costs, meaning different studies can produce very different results. 
Source: Understanding the Cost of a Breach 

Rob Sloan, Research Director, WSJ Pro 
