Data Breach Costs: 10 Ways You're Making It Worse
Ponemon Breach Study Holds Valuable Lessons
Inadequate response plans and poorly executed procedures caused data breach costs to rise significantly at some businesses, according to the Ponemon Institute. The research firm interviewed more than 1,400 individuals in 277 companies as part of its "2013 Cost of Data Breach Study: Global Analysis." The study, sponsored by Symantec, estimated the costs of data breaches in nine countries. The breach costs varied by region, but Ponemon Institute researchers found a number of common costly errors.
1. Poorly Executed Or Nonexistent Incident Response Plan
The Ponemon Institute report found that organizations that had an incident response plan in place had lower data breach costs than those that didn't. But that's not all. Organizations need to conduct consistent training exercises to ensure that the incident response plan can be properly executed when a breach takes place, according to the Ponemon Institute. Far too many companies have incident response plans on shelves gathering dust.
2. Poor Or Nonexistent Security Culture
Penetration testers trained to find ways to gain access to corporate systems point out that the best defense is often end users, if they are made aware that security is a top priority. Chief information security officers often put plans in place to help create a culture of security at businesses. But it takes time, according to the Ponemon Institute. Building a sense of security into end users cannot happen with one-off training programs -- there needs to be a systematic and consistent security program over an extended period of time, according to the Ponemon Institute. Organizations with a strong security posture according to its benchmarking measurements were able to contain costs when a data breach took place.
3. Lack Of Strong Leadership
Organizations with strong security programs often have chief information security officers who have been in place for a number of years, according to security experts. A strong leader encourages participation, keeps top executives informed and builds momentum around the program. Organizations that have appointed a C-level information security professional had fewer expenses at the time of a data breach, according to the Ponemon Institute.
4. Poor Control Over Third-Party Responsibilities
Organizations that had breaches due to an error on the part of a contractor or other outsourced organization often incurred additional data breach costs, according to the Ponemon Institute. A chief security officer should be involved in contract negotiations when outsourcing business functions, say security experts. Contractual agreements, especially those involved with cloud providers, need to address security and clearly delineate responsibilities of both parties involved.
5. Publicly Announcing A Breach Too Soon
Organizations that notified data beach victims quickly nearly always incurred more expenses than those that waited for more information from the investigative team, according to the Ponemon Institute. Forensics investigators are paramount to understanding the scope of a breach and how many individuals need to be notified about the potential exposure of their sensitive information.
6. Lost Or Stolen Smartphones Or Tablets
Organizations that were forced to acknowledge a data security breach as the result of a lost or stolen laptop, smartphone or tablet had higher data breach costs than those that had a breach as a result of exposure from internal systems, according to the Ponemon Institute study. If the data breach involved a lost or stolen device, the cost was increased by as much as $15 per record, according to Ponemon. Increased costs associated with computer forensics and a lack of insight into the scope of the breach often added to expenses.
7. We Can Handle It Ourselves
The "circle the wagons" attitude of handling the breach in-house can be costly, according to the Ponemon Institute report. Organizations that sought outside help from a security consultancy often controlled expenses from growing out of control. Outside help can assist those in charge make level-headed decisions, following the incident response plan, even if the circumstances force pressure to deviate from the procedures, according to the Ponemon Institute.
8. Lack Of Experience
Organizations that suffered two or more data breaches often contained breach costs over time, the Ponemon Institute found. Chief security officers nearly always say that the first breach they encountered was the most stressful -- yet rewarding experience -- of their career. Experienced organizations sometimes learn from past mistakes made during a breach and refine incident response plans so the second or third breach response is conducted more efficiently.
9. All Sensitive Data Was Exposed
The size of a data breach is often commensurate with the cost of the breach, according to the Ponemon Institute. The more data that was exposed often translates into higher breach notification costs and a lengthy remediation period. Organizations may want to take a tip from the Payment Card Industry Data Security Standards, which recommends that merchants segment off the most sensitive systems from the rest of the network. At the very least, it makes it more difficult for an attacker to gain access to sensitive systems -- and the longer it takes to gain access, the higher the probability that systems will detect an ongoing intrusion in progress.
10. Reputation, Customer Turnover Matter
Customer churn, the turnover of clients as a result of a data breach, can have a significant impact on data breach costs, driving them upward, according to the Ponemon Institute. While breach notification rules in the U.S. may have insulated businesses from a significant fallout as the result of a breach, companies that do business globally suffer higher costs associated with data breaches. France experienced the highest rate of abnormal churn at 4.4 percent and Brazil experienced the lowest churn rate, the Ponemon Institute found. The U.S. abnormal churn rate came in at 2.8 percent.