Last week, the Ponemon Institute, a reputable security research organization, published the 2011 edition of its annual “US Cost of a Data Breach” study. It found that the average organizational cost of a data breach in 2011 declined 24% versus 2010, to $5.5M. The survey was based on results collected from 49 US companies that experienced a data breach in 2011.
Before infosec professionals and CFOs go dancing in the streets over this news, they should examine the data and findings rather than focusing only on the decreasing cost.
These are my thoughts:
- Be wary of averages. This is not to fault Ponemon’s findings, nor is it meant to be a treatise on statistics, but an average can be skewed by a few large outliers at either end of the data. For that reason, it would have been interesting to compare the average cost with the median cost, since the median is often more representative of a typical breach.
- $5.5M is still a big number. Yes, costs have decreased, but they have not decreased to zero. Data breaches still cost millions of dollars. That figure remains sobering and should not be an excuse for organizations to reduce their attention or budgets for dealing with potential data breaches.
- Data breach costs should be declining, for several reasons:
  - Organizational improvements and increased awareness. The seemingly daily crescendo of data breaches in the media has made organizations of all sizes and verticals more aware of the risks. Some have begun taking proactive steps to build data breach mitigation plans, so that instead of sprinting around frantically after a breach, they are better prepared and spend less money dealing with it.
  - Increased supply. This is simple economics. The rise in data breaches has led to the emergence of service vendors, consultants and other experts capable of helping organizations respond to breaches and prevent them. Many of these options did not exist 3-5 years ago, so the available supply is now larger. I do not have empirical evidence to support this, but I believe it is a reasonable theory: increased supply generally leads to lower pricing.
  - Cynical consumers. The Ponemon report noted that “lost business costs” (reputation losses, customer churn and increased customer acquisition costs) had the biggest single-year decrease and were one of the drivers of the year-over-year decline. I would argue that customer churn is declining because so many organizations have been victims of data breaches that it is difficult, if not impossible, for consumers to switch to a provider that has not already been breached. If my bank, retailer, insurance company or hospital is compromised, I do not necessarily have a wide range of alternatives without public data breaches of their own. The incentive to switch is therefore marginal, and I may be inclined to stick with my current provider, warts and all. That keeps churn costs down, but it is no reason for rejoicing.
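To make the first point above concrete, here is an added example (mine, not data or code from the Ponemon report) using a constructed set of 49 breach costs per year, in millions of dollars. All figures are assumed for illustration: the two years share the same 48 ordinary breaches and differ only in the 49th company, a $100M outlier in the prior year versus a $10M breach in the current one. That single change produces a double-digit drop in the average while the median does not move at all.

```python
from statistics import mean, median

# Constructed sample: 48 "ordinary" breaches costing $1.0M to $12.75M in
# $0.25M steps, identical in both years. The only difference is the 49th
# company: a $100M outlier in 2010 versus a $10M breach in 2011.
# These figures are assumptions for illustration, not Ponemon data.
BASE_COSTS_MUSD = [1.0 + 0.25 * i for i in range(48)]
COSTS_2010_MUSD = BASE_COSTS_MUSD + [100.0]
COSTS_2011_MUSD = BASE_COSTS_MUSD + [10.0]


def pct_change(old, new):
    """Percentage change from old to new (negative means a decline)."""
    return (new - old) / old * 100.0


def compare_years(prior, current):
    """Mean and median for two yearly samples plus the year-over-year change in each."""
    prior_mean, current_mean = mean(prior), mean(current)
    prior_median, current_median = median(prior), median(current)
    return {
        "n_prior": len(prior),
        "n_current": len(current),
        "mean_prior": prior_mean,
        "mean_current": current_mean,
        "mean_change_pct": pct_change(prior_mean, current_mean),
        "median_prior": prior_median,
        "median_current": current_median,
        "median_change_pct": pct_change(prior_median, current_median),
    }


if __name__ == "__main__":
    r = compare_years(COSTS_2010_MUSD, COSTS_2011_MUSD)
    print(f"mean:   ${r['mean_prior']:.2f}M -> ${r['mean_current']:.2f}M "
          f"({r['mean_change_pct']:+.1f}%)")
    print(f"median: ${r['median_prior']:.2f}M -> ${r['median_current']:.2f}M "
          f"({r['median_change_pct']:+.1f}%)")
```

Run as written, the mean falls by about 21% while the median stays flat at $7.0M. Reporting the median alongside the mean, year over year, is the check that would tell a reader whether a headline decline reflects typical breaches or the absence of one very expensive one.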
This report is still worth reviewing, and I will certainly be interested in the 2012 report to see whether the cost trend continues. Against the backdrop of the Ponemon report, we also have Verizon Business’ latest Data Breach Investigations Report, which was also released last week. That report does not delve into remediation costs and covers worldwide breaches rather than just US ones, but it is still worth reading. According to Verizon Business, 2011 had the second-highest data loss total (174 million records) in the 10 years Verizon Business has been producing the report, further evidence that the data breach problem will unfortunately remain with us for a while.
Computer security image used under Creative Commons License courtesy of Mikey G Ottawa, original artist.