It’s back! The 2019 Cost of a Data Breach Report delves into the price, potential and pain points of corporate IT breaches. On this week’s SecurityIntelligence podcast, the venerable squad of David Moulton and Pam Cobb are joined by Larry Ponemon to highlight key takeaways from the new study.
Data Breach Response Times Are Slowing
According to the 2018 Cost of a Data Breach Report, it took enterprises 266 days on average to identify and contain a data breach. This year’s report put the number at 279 days, and Ponemon notes that “companies dealing with malicious or criminal attacks are basically dealing with a timeline that’s longer.” Specifically, these cases take 314 days to fully identify and remediate.
In addition, the cost of a data breach isn’t confined to the term of the breach itself. While the report found that the bulk of costs occur within the first six months, Ponemon points to costs such as legal fees and customer churn that can emerge one or even two years after a breach is initially detected. Also expensive are credit monitoring and discounts offered by companies to prevent turnover; if customers use them en masse, the price tag can quickly hit tens or hundreds of millions.
The Good News: Security Awareness Is Spreading
The 2019 Cost of a Data Breach Report also contains some good news: 51 percent of data breaches now “fall into that category of malicious or criminal attacker.”
Why is that a good thing? Because slowly but surely, the number of internal, user-caused breaches is decreasing, thanks to “a much higher level of sensitivity about privacy and data protection within organizations.” Part of this stems from new legislation, and part comes from improved user training to recognize and avoid potential security risks.
The report also showed that a well-oiled security incident response team paired with strong policy offers significant cost savings of up to $1.2 million across the organization. Achieving this goal requires a broad-spectrum approach, including formal, organization-wide policies, regular incident response plan testing and end-to-end encryption.
What Will It Take to Decrease the Cost of a Data Breach?
Ponemon is clear: “You’ll never get to a perfect level of zero data leakage.” But companies are getting better at identifying, detecting and containing data breaches. He predicts that over the next two to five years, the overall cost of a data breach will start “coming down in a substantial way.” How? By “having plans and processes in place for dealing with data leakage, data breaches and so forth, and having a more formal set of activities that tie into business strategy.”
Put simply, it’s about practice: Companies must invest in new tools, such as artificial intelligence (AI) and automation, while also regularly testing incident response controls and policies against real-world threats to see how they stack up, making necessary adjustments before attacks occur.
Curious about the cost of a data breach for your organization? Listen to the podcast, and download the latest Cost of a Data Breach Report.
Pam: Hey David, if you had $1.2 million, what would you do with it?
David: All right, 25 percent of it into bonds immediately. 75 percent of it into stocks minus enough to take my wife out for a pretty nice meal. I’m thinking $300-$350, maybe $400 so that I could have that extra bottle of wine. But I don’t need $1.2 million immediately available to me. I would get in trouble with it.
Pam: Did you hear that sound, David? That was the sound of my eyeballs rolling out of my head because that was a pretty lame answer.
David: No, that’s exactly what I would do with it. Maybe a…no, I don’t even need a new computer. So I’d be good.
Pam: And what kind of cheap wine are you buying your wife? Come on. You get a good bottle of Opus for $800. Goodness, we gotta get you schooled, son.
David: We don’t drink that kind of wine. We’re not fancy people.
Pam: Well, if you’ve got $1.2 million, maybe that’s the time. But if I had $1.2 million, I might stock it away for a rainy day in case of a data breach.
David: Is that gonna be enough?
Pam: Well, according to the new 2019 Cost of a Data Breach report, when you combine all of the incident response team, and the activity they do, and testing the incident response plan, the savings for business amounts to about $1.2 million.
David: That’s an enormous amount of money. And that’s a lot of bottles of wine for people like me.
Pam: I don’t think they’re spending all that savings on wine though. I feel like businesses have other priorities.
David: A hundred percent.
Pam: This is the Security Intelligence podcast where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
Pam: So I recently had a chance to have a conversation with Dr. Larry Ponemon, of the Ponemon Institute, about the latest Cost of a Data Breach study. And one of the things that really stood out to me was, you know, the impact of awareness and training activities.
Pam: I’m excited to be joined again by Dr. Larry Ponemon, who is, of course, spearheading the Ponemon Institute’s Cost of a Data Breach study that IBM has worked with for 2019.
So Larry, what we’ve seen in the findings this year is that the cost of a data breach is once again rising globally. And there’s a lot of data to back this up in terms of what the root causes are. And there are three different root causes. Can you tell us what those are, and then what the difference is between all of those?
Larry: Sure, it’s a pleasure to do that. So just to put this in proper context, we’ve been looking at the root cause of a data breach for about 14 years. We’ve kept just a ton of really interesting findings because what we do find is that organizations that have a serious data breach are more likely to be dealing with a criminal or malicious attacker.
Other types of data breaches that could still be very costly to an organization, such as human factor issues. You know, negligence and so forth, as well as system glitches that still represent a very significant part of the total number of data breaches. But the most severe data breaches usually involve some kind of a criminal activity. That criminal may be external hacking in, or even an internal, like a malicious employee, or a malicious insider. And it does make a difference.
And kind of, we step back a little bit, it makes sense because a criminal, a bad guy that’s attacking you spends a lot of his or her resources hiding in the dark regions of the internet, or you know, the dark web, and so on. So they work hard to not be caught, and therefore, things like the time it takes to detect a data breach is longer for organizations that are dealing with a malicious or criminal attacker. But those three categories are the broad categories that we look at, which is malicious criminal attack, system glitch, which is failure in the technology or even a business process failure, and the human factor, which is good people making mistakes. And obviously, those mistakes result in a data breach.
Pam: So between those three, what have you seen as the most common cause of a data breach in this year’s study?
Larry: Well this year, approximately 51 percent of our data breaches fall into that category of malicious or criminal attacker. And what’s interesting about that number is that number has slowly but surely been increasing over time. So if you look at the total population of data breaches, those data breaches that are due to the bad guys trying to access the sensitive and confidential information, represents a larger chunk of all data breaches.
But we don’t want to trivialize the fact that it’s still a fair number of data breaches are not about bad people doing bad things, but good people who just make mistakes, or a system failure, which is not one person, but it’s collectively, mistakes are made, and it results in data leakage.
Pam: So if that proportion of human error is decreasing, Larry, are you telling us that user education is working?
Larry: Great question. I think it is working. I think there’s a much higher level of sensitivity about privacy and data protection within organizations. I remember we had a meeting many years ago, like more like 20-25 years ago when I was a partner at PricewaterhouseCoopers, and we were visiting a potential client, and they thought we were in the piracy business, not the privacy business.
We were halfway through the meeting and they said, “I think the nature of the questions that are being asked here,” you know, like stealing intellectual property, whatever, “it does relate to piracy.” But that’s not the mission. And I think a lot of companies didn’t really know they had that privacy and data breach could be as costly as it is. So things have really changed, and I think awareness and training activities has played a very significant role.
Pam: Great. So when we’re looking at those malicious attacks, I mean, are you getting into the perspective of the sole actor, organized cybercrime? Do we get into that level of detail?
Larry: Well, we have that information. You know, we do a fair amount of interviewing. That’s how we collect most of the information for our research. And we try to understand, you know, at a high level we know the root cause, but sometimes we don’t know the individual details because there’s a lot of digging that has to go on in order to understand the full impact of the data breach.
But we do know things like, you know, phishing and spoofing, mistakes that are made by just being, not having a high level of cyber hygiene in an organization can basically lead to significant data breaches. But there are a lot of factors, you know, underneath the headings of like criminal or malicious. There are probably, you know, at least 20 or 25 subcategories that we’d roll up into the broad category called malicious or criminal. And that’s true for the categories as well.
Pam: Okay. So when we start looking at these impacts of data breaches, can you talk more about the lifecycle, so that time it takes from that initial compromise to when companies actually identify, and then contain the breach?
Pam: What was that average time and how has that changed?
Larry: Gosh well, it’s basically unfortunately a factor that seems to be increasing. It takes more time and a whole process of identifying, and then ultimately containing the data breach. And you would think that over time that would get better because companies would have more experience in dealing with data breaches.
But the evidence suggests that’s not the case. For example, if you look at the time it takes to identify, and the time it takes to contain, we’re looking at, I think it’s 279 total days in order to get to the point where you’re actually in the containment mode, and you’re getting to the point where you’re almost ready to remediate.
So that time it takes is very important because one of the reasons why costs increase in many cases is simply because it’s harder and harder to detect the root cause, the data breach itself. When you think about the lifecycle, it starts with the actual event that’s many weeks, months, even years can occur before it’s identified. And then once it’s identified, it’s kind of like a race, you know? I want to get the bad guy out of my system. I want a clean house. And containing the quarry’s a great deal of effort on the part of the organization.
And one of the things that we note this year – it’s kind of a new feature of the report – is that most of the cost of the data breach occurs, you know, during that first six month to one year period of time. But there are other costs that occur over a longer timeline. It could be more than two years in some cases before you have all of your costs remediated.
But it’s not just like an event that occurs on Tuesday, and Thursday you’re celebrating that everything’s done, and everything’s contained, and we can move onto the next problem. It can take, you know, more than two years before you would see, you know, all of the costs associated with that data breach. We actually have a statistic. It was something like two-thirds of your costs are determined in the first year. And then one theory is basically would be costs that occur two, or even more than two years out. So it’s a long tail.
Pam: I have like three follow up questions based on what you just said. So you said 279 days. Is that average time to, you know, identify, remediate, contain. Is that longer than it has been in the past?
Larry: It is. It is. It’s an increase from, I think, it was 266 days last year. So it’s unfortunately moving up. If you look at it over five years, it’s roughly in that same ballpark. So you know, I think it’s true that we’re getting better at identifying data breaches. I think that’s true across the board, you know, whether it’s a bad guy or a good guy making a mistake, whatever.
But it looks like the bad guys and the good guys are, well, we’re getting better at detecting. There are also, the bad guys are doing things that are making them stealthier, you know, more difficult to deal with. So it’s kind of the yin and yang, that we’re pulling in different directions. And the end result is we’re not seeing huge improvement in the time to identify, and the time to contain the data breach.
Pam: So let’s hearken back to your earlier comment that malicious attacks cause more expensive breaches. How does that play out in terms of the lifecycle itself?
Larry: What we find is that companies that are dealing with malicious or criminal attacks are basically dealing with a timeline that’s longer. It takes more time for people to identify and more time to contain. And just a specific number is if you’re dealing with a malicious or criminal attacker, the average days to both identify and contain is 314 days. The average overall is 279 days. And we see a pretty significant difference from a time point of view.
And if you’re dealing with a human factor or system glitch, which is less costly, also we see that it takes a shorter amount of time to identify and contain. I believe that number is 183 days for a system glitch, and 182 days for that human factor category.
Pam: Okay. So now I wanna dive a little more into your comment about those long tail costs, those things that could take up to two years.
Pam: In my mind, I think of when I’ve been affected by breaches, it’s oh, the credit monitoring, that the company that got breached has to pay for. Is it things like that or is it something more internal focused?
Larry: Well it’s both internal and external. To be honest, the costs that are dealing with litigation and, you know, the worst kind of litigation for a company is like class action litigation. These organizations are incurring very large legal fees, and those legal fees might occur more than two years out. So that’s an example of a type of cost that is something you’re probably not gonna see in the total at the beginning unless you get retainers and that sort of thing.
But basically, a lot of those costs happen late in the process. As compared to other costs that are basically pretty efficient that happen early, the category called detection and escalation detection would include basically forensics, and all that upfront stuff that you have to do to get your arms around the breach. In many cases, those costs will occur like in the first one or two months, and then it starts to tone down pretty significantly. So there are different types of costs in these different, you know, that takes longer or shorter period of time to be incurred.
Pam: What about the cost of customers leaving the business?
Larry: Yeah, oh that’s a hot potato. Very sensitive issue. We call that in our research turnover. Sometimes we refer to it in some of our older reports as churn. It’s really the same thing.
There’s no question that if an organization has a material data breach, that it’s a bad set of facts when you have to communicate to the customer that their data has been compromised. And in many cases, people will like discontinue a business relationship, or a business relationship can change in a significant way that’s gonna basically result in loss of business opportunities.
Also there are costs about, you know, customer acquisition costs. When you have a big data breach, you wanna keep your customers happy. So you might give them a discount on future services, and the sum of the discount could be pretty significant.
A good example, this is a data breach we looked at years ago, but it was Sony. They had many data breaches, but this is one involved their video gaming system. And as a result of their data breach, they offered like a hundred dollar discount. They expected about 12 percent of those receiving the discount to basically take it. It was closer to 100 percent. And the sum total that was millions of dollars of costs because they basically were giving away for free, you know, PlayStation. So there were those kinds of situations where, you know, there could be huge amount of cost that occur simply because of people leaving or they be kind as motivated to deal with an organization. It’s not respecting their data.
Larry: Yeah, wowie.
Pam: Yeah. So with all of these costs, what actions can companies take to reduce the cost? What have we seen successful in mitigating those breach costs?
Larry: Sure yeah. So one of the analyses that we do, we look at a total of 26 factors that either increase or accelerate the costs, or decrease, or decelerate the costs. And basically the idea is that if you do nothing at all, there’s a big cost. But if you do some of these things, you’ll end up having a cost savings. And that could be pretty substantial.
And one of the things that we know from our research, not just this year, but previous years, that if an organization is managing the incident response process, you know, formally with a strategy, and they have the right tools, and it’s really forming correctly, it’s not ad hoc processes, formal process within the organization, those organizations actually see cost savings, so the data breach is not as costly.
Now that’s the good news. The bad news, or the reciprocal issue, is cost increase when you don’t do things like train very well, or you basically are, you know, you’re not prepared for the data breach. You’re not doing any kind of testing in the plan. Or you basically have, in one case, like third-parties, vendors for example, that have a data breach, and now it’s involving your data, and not being able to control that relationship, if you will. The third-parties can actually lead to a cost increase.
Pam: So we’ve talked a lot about just the overall cost. And you mention a little bit about differences in industry. Where are you seeing the most success in terms of containing the cost of a breach? What industries are the best at that? And which ones maybe need a little more help?
Larry: Well, we know that some data breaches, because of regulatory issues, are more costly than others. And so when a data breach is really costly, organizations are more likely to take it seriously. And so we know that healthcare tends to be a very expensive breach because the value, you know, to the criminal, the full medical record, is just very, very significant in the black market for information. That patient information is king. And it’s considered very valuable.
We know that, so regulated versus, well, heavily regulated versus lightly regulated makes a big difference. In industries that are, I’ll call them exemplars, and it’s not true in every case, but in general, generally across the years of doing this research, financial service organizations tend to have their act together. They tend to, you know, have processes that may have been in existence 30 plus years ago, like to prevent fraud, and money laundering.
Those same activities are helpful in mitigating, or maybe identifying and mitigating data breach. And so a lot of financial organizations, financial service organizations, like banks, for example, and you know, capital markets, investment management, and even insurance, these organizations tend to be more sophisticated in detection, and managing, or containing a data breach.
Other industries that are kind of like laggards, but they’re kind of learning quickly, hospitality is making a big move. It used to be that hotels and hotel chains were terrible at managing personal information. That’s not the case today. A lot of, you know, large hospitality organizations are doing a much better job. So we see certain industries trending to kind of a higher level performance with stronger security posture than others. But definitely financial service, utilities, again, because of regulations, you know, different categories of different industries basically experiencing better security and data protection. And that results in a lower likelihood of future data breaches. So definitely there’s an industry effect. And we look at a total of 18 different industry categories in this year’s study. So we do have a lot of industry-based data over time that shows that pattern.
Pam: So regulations, you mentioned, affect industry, but they also affect geographies because different countries have different regulations. Can you talk a little bit about where in the world we’re seeing, you know, the best and the, maybe the worst cost of a data breach?
Larry: Sure, well, it seems that Europe is ahead of the game in terms of having regulations that are powerful, that really significantly impact the organization, you know, within that region or country. So when the General Data Privacy Regulation, the GDPR, is very, very significant, and it’s a difficult regulation to comply with, and the consequences of failure to comply, it could be enormous. It could be, you know, more than $100 million of fines against organizations that are not complying with the law.
Now even though it’s a European Union regulation, European regulation, companies, even small companies that do even a little small amount of business in Europe, could be subject to that regulation. So a lot of companies said, “Wait a second. We’re not a European company. Why should we comply?” Well the law is very clear that if you do even a small amount of business, you are likely to be held to that requirement of complying with a very rigorous law.
There are other countries that are developing European style privacy regulations, and even within our own country we’re seeing, at the state level, some major regulations that are coming down the pipe. You know, like a California regulation that has very significant implications for all organizations, like even those that have a small amount of business in California are subject to the law.
And we’re starting to see that European style privacy regulation occurring in lots of different countries, even in developing economies, as I mentioned, like southeast Asia countries, or Vietnam for example. We’re starting to see even countries that are, you know, less regulated that basically are…I hate to say third-world country, but they’re developing economies who are starting to pay a lot of attention to privacy related issues.
Pam: All right. Well, so you’ve been doing this report for many years now. And you’ve seen a lot of changes happen. Where do you want to see the most change in the results for the 2020 report? What do you hope improves, or changes, or what’s the vision?
Larry: Well, my vision is — and you know, obviously I tend to be pretty optimistic — in the short term, we’re going to see cost continue to increase, but companies are getting better at identifying, detecting, containing, and ultimately resolving data breaches. So I think what we’re gonna see over time, over the next maybe two to five years, the cost actually coming down in a substantial way. And this might vary by country, because we basically look at the cost of a data breach in the United States, but we look at other countries as well.
In countries that are, you know, from an economic point of view developing, like Vietnam for example, or southeast Asian countries, might see a longer time to seeing that cost reduction. But I think things are getting better because of the tools, and the use of automation, and artificial intelligence, and all of that good stuff is allowing organizations to make the right choices that ultimately result in greater control and safety of the personal information collected, especially around customers, and employees, and other stakeholders.
Pam: So if there is one insight that stands out to you, what’s that one takeaway that you want listeners to take to heart?
Larry: Well, I think the most important issue is that the concept of a data breach, the idea that data’s leaking out of your organization is pretty serious stuff. But it affects every organization. And I don’t think that it’s about bad people doing bad things, although that’s a major part of what we look at. It’s as much about an organization that has the right procedures, and controls in place.
You’ll never get to a perfect level, like of zero data leakage. You know, if you are, you’re not doing business properly, because you need to use data. And you use data, you run the risk of data leakage. But think of the things that could be done, raising sensitivity, getting people to understand the rules, having plans and processes in place for dealing with data leakage, data breaches, and so forth, having more of a formal set of activities that tie into a business strategy, become very important.
And we’re seeing a lot of organizations that are paying very significant attention to their privacy positions, and the data protection issues that they have in place to protect information. It’s a serious issue for most companies today. And so I’ve seen it over the last, you know, more than 20 years of looking at data breaches that things are actually getting better, and that we should see cost reducing in different ways, cost reduction in different ways over the next, you know, few years. And I said two to five years, that’s my prediction. But it might be a little longer than that in some countries.
Pam: Yeah, I think when I read the preliminary findings, one of the things that stood out to me was one of the new things that you measured this year, was just the real impact on practicing incident response. And I think that’s an important thing. So even no matter the formality of the incident response plan, of course, we encourage people to have a formal process, regularly practice. But even no matter what that plan is, just practicing it, which gets back to that trite saying, “Practice makes perfect.”
Larry: Exactly. And a lot of organizations are spending real resources to do that. And I’m happy to say that companies that four or five years ago were not doing very well, you know, still keeping in touch with the organizations, and they have implemented significant controls, both from a privacy perspective, and from a cybersecurity perspective, and that has resulted in kind of the change in attitude, even a shift in organizational culture in terms of the responsibility of the company to protect the information assets, especially information about your customers and consumers.
Pam: Well Larry, this has been such a great conversation. I’m so glad you came back on to talk about the report. We’re excited to have the results out there to help companies learn more about how to contain and mitigate what they may experience as a result of a data breach.
Larry: Well it was a pleasure to talk with you, and to get a company, get to do this again, of course. And for those people that are listening, please read the report. I think you’re gonna find it very interesting, the way…I always love getting feedback from the folks that are reading our research. So thank you very much.
Pam: Great. So if any listeners want to experience and play with some of the controls, and understand more about the data that we’ve discussed, you can go to databreachcalculator.mybluemix.net. And we’ll have links in the show notes.
So one of the things I really loved about that conversation with Larry was the breakdown of the amplifying and the mitigating factors. And while it’s pretty scary to take a look at the amplifying factors, and all of the reasons that things can go even more pear shaped is, you know, the idea of hybrid multi-cloud, and moving data, and workload, and apps to the cloud, and you know, IBM has a vested interest in that.
And but I love that on the flipside, there’s a mitigating factor for encryption, and being able to say, like sure, you have a lot of data in a lot of places, but there’s steps you can take to mitigate that effect, and help contain, and make it easier to contain something in the event of a data breach. And I think one of the other things that really comes about in that way too is the idea of offensive security testing.
So on that note, David, do you have any good news for us?
David: Actually, I do. So there was an article that came out this week, or at least I read it this week, about Virginia Tech’s cyber range. And one of the things that really struck me there was Virginia’s got an incredible need for cyber professionals. It’s something like 30,000 open jobs.
And what’s going on there is that at Virginia Tech, the Deputy Director, a guy named David Redman, has opened up an IT security lab, and is inviting in students from Virginia, and the cost is incredible. You don’t need $1.2 million. You need free. So I thought that was awesome.
And I think it’s these types of efforts where you’re bringing in more people into the fold, and looking at the problem from, you know, a greater group, or a larger group’s set of eyes. That really gives me a sense of, you know, to your comment about mitigating factors, you know, humans are still a big part of that mitigating factor. We’re gonna be part of the solution. And what’s going on in Virginia’s fantastic.
Pam: Yeah, I grew up in coastal Virginia, but have been to Georgia Tech for summer technology programs. And I really find that inspiring that they’re making this bold move forward knowing that like the pastime when you’re done with that range exercise is to go cow tipping.
David: Well you know, gotta have a little bit of real world experience to go with your cyber. Pam, have you ever tipped a cow?
Pam: I have not, no. I generally like to practice positive animal welfare practices.
David: Yeah, me too. In Texas, they’re longhorns, so I practice the stay away from them.
Pam: I feel like they have a natural tripod though, where they don’t tip over that easy.
David: You know what? I’m sure somebody here in Texas could tell you.
Pam: So that’s all we’ve got for this episode. Thanks to Dr. Larry Ponemon for joining us as a guest.
David: Subscribe to this podcast on Apple Podcasts or Soundcloud to make sure you never miss an episode. To explore the full cost of the data breach, visit our show notes on securityintelligence.com. Thanks so much for listening.