Making Sense of Security Breach Cost Numbers

What is the most expensive security breach ever? Before you answer, read the rest of this blog (trust me, you’re probably wrong).

According to a recent report by the Ponemon Institute, the mean corporate loss to IT security breaches last year was $3.8 million. During the four-week study period, participating companies reported being the subjected to at least 50 known attacks. And these companies reported taking as long as 14 days at a cost of nearly $18,000 per day to remediate a security breach.

The Digital Forensics Association also released an analysis of more than 2,800 publicly disclosed data breaches over the last five years that caused $139 billion – that’s a 12-digit number – in damages. This isn’t precise math, but if you do some rough numbers on the back of a napkin you’ll calculate a cost of about $9 million per breach.

Now if these numbers are making your eyes spin, let me put them into perspective. The Ponemon study, sponsored by security information management specialist ArcSight, targeted 45 companies across different verticals with 500 or more employees. And in the case of both studies, the costs included everything from detection, remediation, fines and litigation, mandated disclosures and post-event security improvements.

Still these are staggering numbers to most of the solution providers in the CompTIA community. When ITEEx CEO Earle Humphreys used the Ponemon numbers in his Breakaway presentation on the need for national data security legislation, you could hear people gasp. They weren’t really shocked by the extent of data loss, but the astronomical number that had little relation to the worlds in which they operate. Where does anyone come up with a mean loss number like $3.8 million per incident?

Ponemon is the same researcher who said it costs enterprises about $197 to remediate a breached identity record. By that number, the 2006 TJX breach of 94.5 million credit card accounts should have cost – all in – about $18.6 billion. In the end, TJX – the parent company of retailing brands Marshalls, TJMaxx and others – paid out roughly $300 million in remediation, notification and fines. It’s a bit of a difference.

Before I was a channel guy, I was a security guy (and a pretty good one, at that). For years, I would hang with all the bug hunters, malware researchers and gray hat hackers; I would listen to their tales of woe about how hackers were burrowing into networks and stealing the digital crown jewels of enterprises around the world. What I learned is that all computer security is a game of asynchronous warfare – in which the attacker has the cost advantage. Hackers only have to spend thousands – if not hundreds – of dollars to launch an attack. It costs the collective business community tens of billions of dollars each year to guard against possible – much less probable – attacks.

By the way, the answer to my riddle above: The most expensive security breach ever is the one that hasn’t happened. Businesses spend $60 billion to $100 billion annually on security to guard against attacks that often don’t come or have minimal impact on their operations.

Researchers and analysts like Ponemon, the Computer Security Institute and others release a continual stream of reports quantifying the loss or damage caused by security breaches. The inconsistency in the types and sizes of companies surveyed, as well as the lack of consistent valuation of data compromised in breaches means that it’s next to impossible to come up with a consistent or real value. That aside, these reports aren’t typically geared for the totality of the market – but rather large enterprises that are already spending billions on cybersecurity. For small businesses, any numbers are specious, at best.

Numbers, though, are relative. If an organization with at least 500 seats suffers – on average – a security breach costing $3.8 million per year, you can bet that smaller organizations are losing a proportionate amount in their breaches. It’s called the law of averages. But this argument makes the assumption that all attacks and breaches are the same. Part of the reason breaches and their associate costs are not uniform is because attackers aren’t uniform. Think of it this way: businesses tend to buy from like-sized businesses – enterprise to enterprise; small business to small business. The same paradigm applies to security and hacking. Justin Somaini, the chief information security officer at Symantec, said in a recent conversation that the type of hackers targeting large enterprises are predominantly different in skill set and resources than those targeting small businesses.

Does this mean these numbers are meaningless? Not necessarily. They have value so long as they’re used as indicators and not definitive metrics. Big numbers in security are little more than tools for spreading fear, uncertainty and doubt. But when used to show probable consequences for failing to safeguard systems and data, they resonate with businesses of all sizes. There’s actually a simple equation for figuring out risk exposure for any business: Risk = Threat (what’s coming at you) X Frequency (how often is it likely to happen) X Data Value (what’s the remediation cost). From there, you can pretty much determine a rudimentary risk exposure number and calculate an appropriate response.

A small business may shrug off $3.8 million as an improbable damage assessment, but they would have a hard time ignoring the relatively minor breach to their enterprise counterpart that would swamp them into oblivion. Just remember that security is about risk exposure and risk mitigation, and no one wants to spend more than they have to or lose more than they can afford.