by Hank Berkley
Contributing Editor

More than once this blog has referred to the costs of a data breach as a function of the number of impacted records. For some reason that seems to be the standard measure. The last IBM sponsored report from the Ponemon Institute suggests that the average global cost increased from $141 in 2017 to $148 in 2018 per lost record. But is this a valid metric? You have likely heard of the actuary with one foot in a bucket of ice and the other in scalding water who, on average, was very comfortable. These numbers appear to fall into that same category.

This is not to say that there is no value in this analysis; only that one must look beyond the headlines to obtain that value. If information security were all about averages, the same set of solutions could be applied equally to all situations. Ponemon does recognize this to some degree: they took the largest eleven data breaches out of their numbers because those breaches skewed the results significantly.

Last week a US court proposed that Yahoo pay less than $0.04 per data record for the roughly 3 billion records they lost between 2013 and 2016. Even if you add in an outrageous guess of $1 billion for their other costs (analyzing the loss, remediating the problems and legal fees), their cost per lost record is under $0.50. This implies that the relationship between the size of the loss and its cost is something other than direct. Per this analysis, losing fewer than 10,000 records typically costs $2.1 million, while losing 5 times that many only triples the cost, to about $6.7 million. Yet based on our experience, the smallest losses of a few hundred records would likely cost in the $100,000 area, or four times the Ponemon cost per record.

This is not to say the report is without merit. We found particular interest in some of the cost factors that Ponemon derived. One such item was that the cost of lost customers (meaning future revenue) accounted for over 60% of the total cost of a breach in the US (less in other countries). How does this apply if your business doesn’t have a lot of repeat customers, or if you only have a handful of very large customers?

Another number worth further review is that in the US about 52% of the breaches came from bad actors (internal and external). The other half came from software glitches and human error. This suggests that an investment in employee training can have a large ROI. But does it? There really isn’t enough information to support that assumption.

This is a report on global companies that had breaches. All the companies that either did not participate or did not have any breaches were excluded. Did those without losses attain those results through employee training or through some other cyber security investment? This report can’t tell us that. We know from experience that changing employee behavior has a positive impact, but this report doesn’t offer strong proof in either direction.

Also in the area of questionable conclusions is the report’s finding that if you have a data breach, there is a way to predict the likelihood of another breach within 24 months. Somehow, they deduce that a company with a loss of 20,000 records has about a 20% chance of having a repeat incident within two years. What is missing is the reason for the loss. Did the company choose not to change its cyber practices after the first breach because the changes would have been more expensive than another loss? Was security just not a high priority in the organization? Was the nature of the business one that would attract hackers and make attacks more likely?

There is a lot of good information in this report, and it is likely that many of these topics were discussed by IBM and Ponemon before publishing it. Unfortunately, we are not privy to those finer details, and without them it is questionable what we can conclude for our own specific situations.

Some of the broader conclusions appear to be universally applicable, although putting a dollar value on them seems like a stretch. For instance, encryption and insurance appear to lessen the costs of a breach, though the costs of the encryption and insurance themselves seem to have been omitted. Good investments? These sweeping statements don’t tell us. At best we should walk away knowing that there are topics we should look at within our own organizations. IBM and Ponemon are good companies with a lot of very smart people, but at the end of the day cyber security needs to be very customized, and a broad analysis requires interpretation for your specific situation.
