The price Equifax will pay for the black hat attack it revealed last week, which compromised the names, birth dates, Social Security numbers, addresses, and in some cases driver's license numbers of 143 million US consumers, will be high. Although the exact figure won't be known until after the dust has settled -- perhaps a year or more down the road -- a look at a recent study conducted by the independent research group Ponemon Institute for IBM indicates the company's bottom line is in for quite a hit.
For 2017's annual Cost of Data Breach Study, Ponemon interviewed 419 companies in 13 countries (63 of them in the US) that had experienced a breach in the previous year. Among those attacks, the biggest one resulted in 99,500 records compromised -- orders of magnitude smaller than the Equifax breach.
The study found that in the US the average total cost of a data breach is $7.35 million, a 5 percent increase since last year. Globally, the number was $3.62 million, representing a 10 percent decrease. The difference largely has to do with a strong US dollar, according to Ponemon. Breaches taking place within the US also cost more on a per-record-compromised basis, with US firms paying $225 (a 2 percent increase over last year), and firms outside the US paying $141 (an 11.4 percent decrease).
[Chart omitted. Source: Ponemon Institute]
The report explains that there are several things to consider when determining the total amount a data breach might cost.
Churn: This represents the number of customers lost due to the breach. Ponemon points out that programs to preserve customer trust and loyalty in place before a breach occurs will help reduce the amount of business or customers that are lost. Also, having a senior-level leader such as a chief privacy officer or chief information security officer who can direct initiatives to improve customers’ trust in how the organization safeguards personal information will reduce churn and the cost of the breach. Offering identity protection to customers affected by a breach is also successful in reducing churn.
One figure that doesn't bode well for Equifax: financial services tops the list of the industries most likely to lose customers after a breach, followed by life sciences and health. Education, communication, and entertainment are the least affected.
Data breach size: This one is straightforward: the more data lost, the higher the cost. For example, the report indicates that companies with data breaches that involved fewer than 10,000 records spent an average of $4.5 million to resolve the breach. Companies with the loss or theft of more than 50,000 records spent $10.3 million.
Time it takes to identify and contain a breach: Simply put, the faster a breach is identified and contained, the lower the cost. The good news here is that in this year's study organizations managed to reduce the time it took to identify breaches from an average of 201 to 191 days. Containment was also quicker, dropping from 70 to 66 days. Ponemon attributes this to investments in security technologies, such as security analytics, security information and event management (SIEM), enterprise-wide encryption and threat intelligence sharing platforms.
Paradoxically, sometimes an organization's established security can get in the way. "Although some complexity in an IT security architecture is expected, to deal with the many threats facing organizations," the report said, "too much complexity can impact the ability to respond to data breaches." In addition, the use of so-called "disruptive technologies," such as access to cloud-based applications and data, and the use of mobile devices -- including BYOD and mobile apps -- can drive up the cost of dealing with a breach.
Detection and escalation costs: This includes forensic and investigative activities; assessment and audit services; crisis team management; and communications to executive management and the board of directors. According to Ponemon, "investments in governance, risk management and compliance (GRC) programs that establish an internal framework for satisfying governance requirements, evaluating risk across the enterprise, and tracking compliance with governance requirements can improve an organization’s ability to detect and escalate a data breach."
[Chart omitted. Source: Ponemon Institute]
Post data breach costs: The cost of notifying victims of the breach is included in this category; notification costs were highest in the US. Also included: help desk activities, inbound communications, special investigative activities, remediation, legal expenses, product discounts, identity protection services, regulatory interventions, and the cost of resolving lawsuits.
Some of these costs can be brought down ahead of a breach with the purchase of cyber and data breach insurance, the report noted. However, compliance failures and the engagement of consultants can contribute to post-breach costs. Organizations are warned against rushing to notify victims before understanding the scope of the breach.
Ponemon also notes that the root cause of a breach affects its cost: malicious attacks are the most costly, followed by system glitches and then human error.