Or, have you been hurt?
In an earlier post we talked about the level of password protection layered onto your personal data by the service providers (tl;dr: not enough). In this post we're going to look at how much it hurts those same providers when your data eventually does go missing.
The Ponemon Institute, now sponsored by IBM (link here), has been doing fantastic work over many years surveying the cost of data breaches. The survey is extensive (global, many participants, industry etc.) and produces remarkably consistent results. Possibly, to keep the data varied, and relevant to many, the survey limits itself to breaches under 100,000 records (so we are not dealing with megabreaches here).
How do breaches cost service providers?
Data breaches really do hurt businesses: each record has an associated cost of about $160. About half of that is driven by technology costs (detection, incident response) but the other half is customer-driven (notification, lost business).
Of the categories mentioned, the most detrimental is lost business. Once you, the user, stop trusting the service provider they start losing your business, and regaining that trust is an expensive business.
Loss of trust shows up in abnormally high churn rates (which can hit over 5% for Financial, Healthcare & Services) and our service provider then has to bear all of those customer acquisition costs all over again.
Costs vary strongly by industry...
...and a good correlator for expense is regulation (e.g. health, education, finance top the table).
It's obvious that regulatory strength should echo & mimic the sensitivity, and perhaps financial value, of the underlying data, but I've seen a nice point made elsewhere (darkreading: here) that shelf life should also matter: certain bits of data are really personal and stick with you throughout your life; others fall away.
Costs by Country
Costs also varied significantly by country, but perhaps - incorrectly - I found these a little less interesting. Perhaps, as you would expect, countries with more expensive living costs tended to show up at the head of the table (US $220, DE $213 etc.).
The one country result that did catch my eye was the UK (nearly exactly equal to the global avg, c.$160), especially given the contrary information we know about the cost of the Talk Talk hack.
Why do breaches happen? Conspiracy or cock-up?
Well, as you might have guessed, human error (and we lump in here system config problems) accounts for about half of all breaches; but criminal activity & malicious intent drives the other half. And, it's the latter that tends to be the more costly and time-consuming to detect & remedy, adding about $35 per record.
How can a data service provider reduce the cost? Fail to prepare. Prepare to fail.
Preparedness is key. The two biggest factors in reducing recovery costs are:
- Having an incident response team: $16
- Extensive use of encryption: $13
Of the two, as a user of, and data-supplier to, that service, I personally want to see a lot of focus on (2), to ensure all of my data is as safely protected as it can be prior to the occurrence of any bad events. Regardless, it is nonetheless comforting to know that these kinds of publishable metrics begin to lead us toward alignment of both the service provider's and my goals.
As a slight aside, buried in the data, was another comforting fact, namely that holding cyber insurance had little impact on ultimate costs (I'm guessing offsetting claims aren't included in the cost estimate) through the introduction of moral hazard.
Why does it keep happening?
The Ponemon report does a great job of explaining how our web service providers suffer at the hands of the hackers. And we can begin to appreciate how those costs really ratchet up for an operator in the wrong industry, in the wrong country, and suffering the wrong type of breach (read: malicious breach of US Healthcare operator, maybe $450-500).
What I can't quite figure out, is why I keep reading about breach after breach?
- Perhaps the job of protecting against breach is technically incredibly difficult? I can well believe this (insiders, phishing - you're getting attacked from all angles).
- Perhaps hackers are an incredibly pernicious bunch? Hard to know, but, yes, definitely maybe.
- Perhaps hackers are naturally indolent but the market value of data is sufficently motivating? Also, maybe - this is something I'll return to in a later post.
- Or, is it that these costs are still microscopic versus revenue per user and so data protection is not properly addressed? Hard to know, but I do know that when, we read about breaches we (nearly) always find that password encryption/storage was incredibly weak.
We mightn't yet know the answers, but the idea of 'security by design' - rightly lauded in the new GDPR regulations - certainly does not feel as if has yet been embedded within the architecture of our service providers.