As Data Breach Costs Soar, Boards of Directors Must Get Involved
Data breaches continue to make headlines. They aren’t going away, and more importantly, the cost of a data breach is soaring for enterprises. However, if boards of directors and top executives are actively involved in risk management and security, they can significantly reduce costs related to a data breach.
That’s one of the top findings of the “2015 Cost of Data Breach Study: Global Analysis,” a benchmark research report sponsored by IBM and independently conducted by the Ponemon Institute. The study provides insights and trends that CISOs can marshal as they communicate with their C-suite colleagues and boards of directors. Already tasked with protecting companies from a multitude of ever-changing threats, CISOs can now show key stakeholders the specific economic costs of a security breach and the actions that will safeguard the enterprise and provide savings.
Ponemon’s 2015 Cost of Data Breach Study at a Glance
This year’s report reveals that the cost of a data breach rose by more than 16 percent from 2014. Lost business represents the most expensive data breach cost and has steadily increased over the past three years. These expenses include the abnormal turnover of customers, increased customer acquisition activities, reputation damage and diminished goodwill. The costs associated with breach response and detection have also increased and typically cover aspects such as remediation, legal expenditures and regulatory interventions.
Here are some other fast facts from the 2015 Cost of Data Breach Study:
- The institute surveyed 350 companies in 11 countries.
- The average total cost of a data breach reached $3.79 million.
- There was a 16.3 percent increase in the total cost of a data breach.
- The average cost per lost or stolen record is $154.
- There was a 6 percent increase in cost per lost or stolen record.
What Factors Into the Cost?
For the first time, the Ponemon Institute examined two factors that affected the financial consequences of a data breach. The first is executive involvement in an organization’s IT security strategy and response to data breaches. Research revealed the positive consequences that result when boards of directors take a more active role in risk management and data breach prevention. Such involvement reduces the cost by $5.50 per record. The benefit of participation was underscored by respondents: 79 percent of C-level U.S. and U.K. executives surveyed say executive-level involvement is necessary for achieving an effective incident response to a data breach, and 70 percent believe board-level oversight is critical.
This has critical implications. Data security and the protection of corporate “crown jewels” need to be discussion topics at board meetings and a priority for company officers such as the general counsel, CIO and CTO. It’s equally important that a designated board committee make risk management and security a regular agenda item. A third party with global experience in enterprise security who can serve as a trusted adviser to the board should be retained. Most importantly, the board needs to identify gaps in the company’s security and address these deficiencies.
The second factor is cyber insurance, which can mitigate the cost of a data breach. With the increasing cost and volume of data breaches, IT security is quickly moving from being considered a purely technological issue to a larger business risk. This shift has spurred increased interest in cyber insurance, which reduces the cost by $4.40 per record. Though such insurance should be considered as a last line of defense, if a policy is properly tailored, it can serve as part of an enterprise’s integrated approach to risk management, which should include rigorous security controls, operations and technology for addressing cybersecurity.
According to the report, other factors that can lower the cost of a data breach include establishing an incident response team, the extensive use of encryption, employee training, business continuity management, CISO leadership, insurance protection and consulting services. The Ponemon study also shows the relationship between how quickly an organization can identify and contain data breach incidents and the resulting financial consequences: faster identification and containment limits the cost. Malicious attacks take an average of 256 days to identify and contain, while data breaches caused by human error take an average of 158 days.
Knowledge Is Power
This report is critical reading for anyone who wants a worldwide perspective on the security threats behind data breaches and the role management can play in containing them. IBM has created a number of resources to help you learn more about the report and share it.
The Ponemon study is further evidence of the need for rigorous security policies and management systems — programs that proactively protect all parts of the organization including users, data, applications and infrastructure. To do it right, CISOs, executives and boards of directors need to focus on four key concepts: optimizing security programs, stopping advanced threats, protecting critical assets, and safeguarding cloud and mobile environments.