Is the Cost of a Breach Becoming Yet Another Cost of Doing Business?
February 21, 2014
- The steady rise of data breaches poses a danger that C-level executives will come to view them as a cost of doing business.
- But with those costs on the rise, organizations can’t afford the price tag, and they have to get better at managing risks in the new reality of mobility, cloud computing and consumerization of IT.
A few years ago at RSA I met an auditor who told me that, at the time, a lot of the organizations she dealt with considered fines for non-compliance with regulatory mandates to be part of the cost of doing business. With the number of breaches associated with such lapses in compliance increasing at a steady clip, are we approaching a time when organizations will view the cost of breaches as yet another part of the cost of doing business? Have some organizations reached that conclusion already? The Identity Theft Resource Center reported that breaches increased by 30% in 2013 over 2012 across a range of industries, with its total number of breaches reported at 619. The total number of records exposed was 57,868,922, which included the 40 million reported by Target.
Despite the fact that security budgets are seeing incremental increases to deal with the increasing threat, I think it’s safe to say that most CISOs today view data breaches as inevitable. And I believe that much of the increased spending is being focused on shortening the time between initial infection and detection/remediation in order to minimize potential losses. Incident response has gotten a lot of attention lately, as it should.
But I don’t think C-level executives are resigned to the current reality, mostly because they really can’t afford it. The cost of breaches is high, and it’s going up. Take the Target breach for example. The cost just to replace the credit cards for banks and credit unions has topped $200 million so far, and that doesn’t include any potential fraudulent activity that may happen on the cards that have not yet been replaced. By one retail analyst’s estimates, the total costs to Target could be upwards of $1 billion. Its breach saw 40 million debit and credit accounts hacked, but personal information on some 70 million customers (some overlapping) was also accessed. That’s a significant increase compared to another big retail breach in 2007 when TJX saw 45 million card accounts hacked in a breach that cost the retailer a reported $256 million. And a recent Ponemon Institute study found that the average cost of a breach now has hit $188 per record in the U.S., with the total costs of data breaches estimated at over $5.4 million. That same study found that average losses are 18 percent higher than they were a year earlier. Increasing breach costs have been documented in other recent studies as well.
It’s great that security budgets are increasing. CSO Magazine reported in its Global Information Security Survey last fall that security budgets averaged $4.3 million in 2013, an increase of 51 percent over 2012. But IT shops also have to do a better job of managing risks, which are increasing dramatically as enterprises embrace cloud computing, mobility, virtualization and consumerization.