IT World Canada – Howard Solomon

Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show.

If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million.

Another way of looking at it is the average cost per record stolen or lost went up 10.6 per cent to $278 compared to the same period the year before.

These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations.

The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million.

Importantly, the study included the cost of losing customers: Of the Canadian companies studied, for those that lost less than one per cent of their existing customers the average total cost of a breach was $4.77 million, well below the global averae of $6.03 million. When companies had a churn rate of greater than 4 per cent, the average cost was $7.88 million.

There are two cautions: First, Ponemon admits that 24 firms is a small sample for this country, and second, only organizations that suffered a breach of between 1,000 and 100,000 lost or stolen records in 2015 were counted – meaning Ashley Madison isn’t there. That way catastrophic incidents don’t skew the results.

The number of Canadian breached records per incident in the study period ranged from 4,800 to 70,998 and the average number of breached records was 21,200.
“Over the many years studying the data breach experience of more than 2,000 organizations in every industry, we see that data breaches are now a consistent ‘cost of doing business’ in the cybercrime era,” said institute head Larry Ponemon. “The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.”

The report has other interesting numbers:

–It took more than five months to detect that an incident occurred and almost two months to contain the incident;

–54 per cent of the Canadian data breaches studied were caused by malicious or criminal attacks, 25 per cent were caused by human error and 21 per cent by system glitches. Companies that experienced malicious attacks had a per capita data breach cost of $304, which is above the average for all organizations studied. In contrast, companies that experienced system glitches ($250) or employee negligence ($246) had per capita costs below the mean value;

–The more records lost, the higher the cost of the data breach. The cost ranged from $3.59 million for data breaches involving 10,000 or fewer lost or stolen records to $6.88 million for the loss or theft of more than 50,000 records;

–Notification costs increased. These costs include IT activities associated with creation of contract databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up. The average cost increased from $0.12 million in 2015 to $0.18 million in 2016;

–Lost business costs increased. This cost category typically includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. Among all the 383 companies studied these costs increased from an average US$1.99 million in 2015 to US$2.24 million in 2016 — that’s of the overall $4 million average cost.

“The biggest financial consequence to organizations that experienced a data breach is lost business,” says the report.

Both direct and indirect per capita costs increased significantly. The indirect cost of data breach includes costs related to the amount of time, effort and other organizational resources spent to resolve the breach. In contrast, direct costs are the actual expense incurred to accomplish a given activity such as purchasing technology or hiring a consultant.

Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.