Data Breach Costs: Damage and Danger are Greater than Many Realize

08 May 2014

According to the Ponemon Institute's ninth annual Cost of Data Breach Study, the consolidated total cost of a data breach increased 15% in the last year, to $3.5 million. But some experts say those figures likely underestimate the full scope of the damage.

Duncan Fisken, senior vice president and general manager for EMEA at RedSeal Networks, believes the actual cost of a breach is considerably higher than the consolidated average of $145 per record that Ponemon estimates, even though that in and of itself represents an increase of more than 9% year-over-year.

“These figures are likely to be very conservative and may well be confined to the actual cost of the breach remediation and measurable loss of revenue,” Fisken told Infosecurity in an email. “There are other hidden costs which are much harder to quantify, for example reputational damage, illustrated by the battering a company’s share price can take in the wake of a much-publicized breach as in the Target case, further hit by [CEO] Steinhafel’s departure. Reputational damage can also be the area from which there’s the longest road to recovery. Most would agree that the cost of recovering a lost customer is many multiples of the cost of acquiring a new customer in the first place.”

Other collateral costs that cannot be overlooked are those associated with recruiting new C-level executives; Target has had to find a new CIO and now a new CEO, he pointed out. “Executive searches at this level can often be long and expensive affairs. More difficult to monetize are the opportunity costs incurred during the ‘rebuilding’ period.”

The Ponemon report also revealed that the probability of a company having a data breach involving 10,000 or more confidential records is 22% over a two-year period – and that most IT departments don’t feel prepared. Only 38% of Ponemon study respondents said they have a security strategy to protect their IT infrastructure, and the majority of companies (50%) have low or no confidence that they are making the right investments in people, process and technologies to address potential and actual threats.

Those results run counter to findings in a new survey from Tripwire, which found that 64% of respondents have confidence in their incident response plan. And 40% of retail and financial organizations said that they only need two to three days to detect a breach.

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue,” said Dwayne Melancon, CTO for Tripwire, in a statement. “However, the improved internal communication may be biased by a false sense of security. For example, 95% of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

Melancon continued, “Furthermore, only 60% of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches. These attitudes seem to indicate a high degree of overconfidence or naiveté among information security practitioners. I believe a number of these organizations may be in for a rude awakening if their systems are targeted by criminals.”

Fisken noted that the situation will only worsen over time if attitude changes aren’t made. “Networks are becoming ever more complex as enterprises grow through acquisition and the need to seek more innovative ways to differentiate themselves against their competitors; this is now true of almost every market vertical,” he said. “The increasing complexity and size of networks presents the CISO with the significant problem of preparedness; the need to be in proactive mode, rather than reactive; to predict threats by having sight of the attack surface of the network and, more especially, what those attack vectors mean in terms of the exposure of business-critical assets to would-be attackers.”




jisantangelo says:

09 May 2014
Thinking about how the danger might be greater than we think. Exactly how many copies of our data are roaming around uncontrolled in Target's (or any other company's) environment? Do we know, do they know, are there some copies of data that are more vulnerable than others?

Joe Santangelo
