The Ponemon Institute is out with its 5th annual "Cost of a Data Breach" study, and in an exclusive interview Dr. Larry Ponemon discusses:
Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.
Ponemon Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a various industries. In addition to Institute activities, Dr. Ponemon is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute. He is a Fellow of the Center for Government Innovation of the Unisys Corporation.
TOM FIELD: What is the cost of a data breach?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. The long awaited Ponemon Report is out, talking about the latest breach statistics, and we are privileged to be speaking with Larry Poneman, the Chairman of Ponemon Institution.
Larry, thanks so much for joining me.
LARRY PONEMON: Well, thank you, Tom; it is a pleasure to be here.
FIELD: So. the report is just out; what would you say are the headlines from this latest annual report?
PONEMON: Oh gosh, well, probably the number one headline is that the cost of data breach is still significant. And why is that important? Every year we are surprised by the fact that the cost of data breach increases. A lot of people believe that over time the public is immune to all of this, and we have become complacent to data breach notifications -- that we really don't care much about companies losing their data. But that is not true. It seems that people, the public at large, we really care deeply about data breaches. We don't like them, and we don't want companies to lose their data, and we certainly don't want the cyber criminals to gain access to this information.
FIELD: Larry. is it too simplified to say what is the cost of a data breach this year, or can you give us a hard statistic on that?
PONEMON: Sure, let me give you a hard statistic. Last year the cost of data breach, as measured on a per compromised record basis (sometimes referred to as a "per victim cost") was $202 dollars, and this year it is a whopping $204 dollars. So that is actually a $2 dollar increase on a per compromised record basis, which by the way doesn't sound like much, but suppose you had a data breach that was 100,000 records? It would be a small fortune.
FIELD: What do you find to be the biggest changes this year since the previous year's report?
PONEMON: Well, the biggest change this year -- there are actually several. Number one, the cost categories that the proportion of costs against different activities that we measure basically stayed pretty constant, but there were really some notable exceptions to that. One notable exception was the legal defense cost category. Usually that is not a large cost for an organization based on a whole bunch of factors, but this year that legal defense cost increased by more than 50 percent.
We think that is kind of an indicator, maybe a leading indicator, that companies are starting to recognize that the possibility, the real possibility that they might someday face a very expensive litigation, maybe even a class action litigation. Interestingly about that cost category, the legal defense category, it was across our whole sample. So it was in financial services, telecom, the retail industry sector and so forth.
FIELD: Larry, beyond the hard costs to an organization, what are breaches costing in terms of some of the soft costs?
PONEMON: Well, one of the soft costs -- and even though we call it soft, it is a real cost to an organization -- is the brand impact. An organization that has a data breach, unfortunately it is a bad fact, people care deeply about it, and it affects the hard-earned reputation of organizations. Now while it is a soft cost, it could be enormously expensive for an organization to have to get back to where they were; so that is number one.
Other soft costs that we look at would be things like turnover, loyalty, customer loyalty would also be affected. So we think that if you take the sum of all of these soft costs, even those that aren't measured in our model, it could be pretty expensive. And companies need to pay attention to the costs that may not be on a balance sheet or on a financial statement because they are really a huge economic burden for them.
FIELD: Now you have had a chance to certainly go through lots of different data from this report, what breach trends are you detecting as we go into 2010?
PONEMON: Well, Tom, that is an interesting question, and every year we try to figure out, 'So what's the root cause of the data breach and the costs associated with different causes?,' and the three broad categories of root cause include negligence, systems glitches and malicious and criminal attacks.
In the category of malicious and criminal, this year we noticed that probably that category increased by almost twice, so it really went up quite a bit. But in that category we started to see something that we never saw before, which were like data stealing malware, botnet attacks, these insidious technologies wormed their way into systems, maybe even going from an endpoint through the network, and had the ability to signal out data.
So number one, these technologies are truly insidious. They are very difficult to detect, and once it is detected it is not really clear that you have a company strategy for getting it out. And the fact is, if this is a data-stealing malware in the hands of a criminal, or an organized criminal organization in some other country perhaps, or even state sponsored criminal activity, the experience can be unbelievably costly to the data breach victim.
Now think about it, if you have a data breach that resulted from a USB memory stick that fell out of your pocket, and you saw it fall on the train track and the train ran over it. Even though it is officially a data breach, it is really not going to lead to harm to an individual. But in the case of data-stealing malware, obviously there is someone that is looking for something, and when they get your data it is probably going to lead to potentially a bigger problem for the data breach victim. So that definitely is a trend this year. The root cause of negligence and system glitch events were much less costly than when it involved a malicious or criminal attack.
FIELD: Larry, how should organizations respond to the report?
PONEMON: Well, that 's a good question. I think organizations need to take a cold hard look at what they are doing today to mitigate or reduce the risk of a data breach. They should look at the data breach report that we issue as a warning sign that they too can become an organizational victim.
I mean, we had one case study out of the 45 case studies that we do, where the company spent over $31 million dollars to deal with a data breach. Now it may not be $31 million, in fact the average was about $6.7 million, but that is a lot of money. That is an enormous amount of money to spend, and in times like these, when every dollar counts, an organization can't really afford necessarily to have another three to four to five to six or more million dollars to something like this. And keep in mind that a data breach isn't an annual event; it can happen more than once. It can happen several times, so it is not a good idea to have them.
The other issue lesson to be learned is that if you do have a data breach, there are probably things you can do to at least reduce some of the cost burden. What we find is that organizations that have, for example a Chief Information Security Officer, they have a good governance process in place, you know you are not necessarily going to stop all data breaches, but when you have them they are going to be managed more effectively and more efficiently and so that would be a lesson learned.
Other interesting findings, which were really a surprising finding for me and for our research team, was that a vast response to a data breach like going from detection to notification quickly, actually may not be a great strategy for an organization. You would think that the faster that you report, the happier the individual -- you know, no one wants to learn that you were sitting on this information for months on end when you could have done something with this data. But it turns out that companies that move too quickly are also sloppy and may over-report; actually report to people who really aren't breach victims.
And so in the case where you have to balance quality versus time, I would say go with quality, but keep in mind that there is a point at which you probably are just going to be taking too long. You don't want to say 'Well, it took us a year to figure out who to report to' -- that's probably not an acceptable position. But if you need an extra few weeks, rather than trying to get it done in 30 days, maybe it is going to be five or six weeks. My guess is it is better to wait that little extra time and do it right. So that could be a good take away as well from this year.
FIELD: Larry, a final question for you. As you mentioned, you had a chance to go through some in-depth case studies. From those, what sorts of words or wisdom would you offer to organizations looking to prevent data breaches in 2010?
PONEMON: Well, keep in mind our sponsor is PGP Corporation, and we are an independent research organization. We love PGP, by the way, and we are customers of PGP, but I will say the number one take away is 'Encryption is good.' It is a solution that is available, that is reasonable, that can be executed quickly, and organizations that have a strategic use of encryption tend to mitigate or reduce the risk of a data breach in a very significant way. So that is number one.
There are other technologies a company could consider; data loss prevention tools definitely, and even access governance tools, identity and access management tools, you know on the need to know basis allowing people inside only under that rule and not going more than that, or not allowing more people to have access to have access to some of the sensitive information. Technologies do make a difference, and good technology is important. I am going to take the bold step of saying an organization that doesn't use this technology is foolish.
Number two: It is also about smart people. So, you can't forget about training and creating manual control procedures with monitoring that allow an organization to stay a couple of steps ahead of the breach event. And, finally, a breach event will occur even if you have the greatest tools, even encryption, it is still something that is - well, it is never failsafe; there is always a possibility that you can have a mistake. And keeping that in mind, an organization needs to have a plan in place, a management plan that allows them to deal with this issue in a most effective way. That is really the big take away I think.
FIELD: Larry, well said. I appreciate your time and your insight today.
PONEMON: Well, thank you very much.
FIELD: We have been talking with Larry Ponemon; the topic has been the cost and the scope of data breaches. For Information Security Media Group, I'm Tom Field. Thank you very much.