Can you count the cost of data breaches?
6 Sep 2018
It’s difficult to understand the financial impact on a business once a breach has occurred, but one expert helps organisations make sure their cyber security investment numbers add up.
Apparently, the cost of data security breaches for organisations is going down. The latest ‘gold standard benchmark’ report says so, but how can we be sure when the number of cyber attacks is increasing? The findings from the latest study* show that the cost of data breach incidents in Australia declined, to $139 per lost or stolen record, down from $142. The total cost of data breaches in Australia decreased by 5 per cent compared to the year before.
The findings might be tricky for SMEs to put into context, because the organisations included in the study are larger than the average SME, and defining what counts as a single breached record is slippery indeed. Schools might define a single lost or stolen record as the details for one individual student, but others might include both parents’ details and their credit card information in the mix. An aged care provider could point to a Medicare card number as a single data record for a patient, but then exclude their blood type and other private medical information, citing those details as separate data records that could also be the target of a data security violation.
The more that is reported about the numbers, percentages, dollar estimates and resulting costs to organisations in Australia and around the globe, the more desensitised SMEs are likely to become about their responsibility for holding the private data of individuals. This is because reports in mainstream media tend to focus on the damage to big global brands. In 2016, hackers attacked a large insurance company. If the same thing happened today, the company would be legally obliged to notify the customers who were affected.
Trying to estimate the cost of a data breach is probably like trying to measure quality of life, or digital experience. To learn more about the subject, it’s a good idea for people to engage with those who specialise in responding to security breaches.
One advocate on the topic is Ben Harper, a professional Data Breach Compliance Navigator for Hal Group, whose expertise lies in cyber security. When asked to respond to findings that it takes organisations an average of 172 days to detect a breach or threat within their system, he was ambivalent about the choice of numbers used for discussing cybercrime generally. He says it is extremely difficult to know what data has been taken out of an environment, and how widely it has been redistributed, after a data security breach.
“Australia’s research is not deep, and nor is it rich with insights about data breaches because we haven’t had compulsory requirements to report them until now,” he explains. “I agree that around 70 per cent of all data breaches are identified by a third party. Ransomware is a commercial industry now and those running it want to build commercial trust. While I don’t condone paying a ransom, most organisations will pay because it’s a lot less costly than not doing business for a day.”
“I look at the recent high profile case of a large insurer and it is alarming because a large institution can control a 3,500 independently-owned member base, but may not actually have as much control over their financial adviser IT environments. One advisor’s poor security protocols could have an adverse impact on a reputable brand and make consumers reflect on their choice of providers and affect other advisors’ business.”
Harper expects a media swell of stories to emerge with more cases coming to light through mandatory reporting and explains, “organisations will start to look at data breach security costs in a different way.”
“We are ten years behind the US and Europe on cyber security. After the 9/11 attack, security improved overseas but I think it’s going to be at least two years before peak industry bodies such as APRA, ASIC and others will develop regulations that force organisations to invest in security and cyber insurance. Boards will put the money required into software, which is necessary, but organisations need to take a more people-centric approach to protection,” he says.
Harper describes how many organisations still handle everyday work in ways that are remarkably slipshod when measured against best practice.
“People still do the most innocent things, like come in to work with a USB they picked up on holiday, or email files from work to their personal email at home and back, and we need to invest in training people. Boards still assume that people will behave correctly, but they will still invite malicious software without meaning to, through a USB, attachment or via Dropbox.”
Turning to the Internet of Things, he notes that mobile phones carry a lot of unknowns but remain relatively secure.
“The device of choice will change week by week, and a Smart Watch carrier will identify vulnerabilities exploited by threat actors. One week it could be the Smart Watch, the next an iPad. In every event the carrier will identify a vulnerability, but it could still be three days that pass before they patch it up.”
He advises organisations to look more closely at detection software and implement intensive testing.
“Where we invest is in the area of detection; we are making the assumption that something is already inside your environment. There are products on the market to consider. We invest in a global, military-grade solution which has the smarts to detect information leaving the environment. The attackers are agnostic when it comes to the size of organisations, but they are still capable of targeting data that holds information with numbers of a 15-digit sequence, for example, because it would equal a credit card for them.”
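Harper’s “15-digit sequence” heuristic, as an added illustration (this is not the product or code he describes): a small detector that scans outbound records for card-like digit runs and uses the Luhn check to separate likely card numbers from other identifiers of the same length, such as a Medicare number or an invoice reference. The log lines, user names and destination domains are constructed placeholders.

```python
import re
from typing import List, Tuple

# A card-like candidate: 13 to 19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy; a random digit
    string of the same length passes it only about one time in ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_like(text: str) -> List[Tuple[str, bool]]:
    """Return (digit_run, luhn_ok) for every 13-19 digit run in text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        found.append((digits, luhn_valid(digits)))
    return found


def scan_outbound(lines: List[str]):
    """Split outbound records into likely card leaks and same-length digit noise."""
    hits, noise = [], []
    for line in lines:
        for digits, ok in find_card_like(line):
            (hits if ok else noise).append((line, digits))
    return hits, noise


# Constructed sample of outbound e-mail/file-transfer records (not real data);
# the two card numbers are the published Amex and Visa test numbers.
SAMPLE = [
    "2018-09-06 10:01:12 user=jsmith dst=mail.example.net body='invoice 378282246310005'",
    "2018-09-06 10:02:40 user=ahan dst=dropbox.example body='medicare 123456789012345'",
    "2018-09-06 10:03:05 user=bko dst=share.example body='card 4111 1111 1111 1111'",
    "2018-09-06 10:04:19 user=cli dst=intranet.example body='student id 4417'",
]

if __name__ == "__main__":
    hits, noise = scan_outbound(SAMPLE)
    for line, digits in hits:
        print("ALERT card-like number leaving:", digits, "|", line)
    print(f"{len(hits)} alerts, {len(noise)} same-length digit runs ignored")
```

Run on the sample, the two test card numbers are flagged and the 15-digit Medicare-style value is set aside as noise; without the Luhn step it would have been a third alert.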
The cost per stolen record is estimated at $155-195 per single file in a data breach, but Harper thinks anyone can talk numbers around such a highly subjective topic.
“Does the cost per record translate to meaning a student or a patient? Talking to ‘Tier 1’ clients is very different to explaining the data breach costs to SMEs. If you’re an SME and you get ‘ransomed’ and your system is blocked, I tell clients that it costs an average $1000 per laptop user in your organisation to remove the ransom. So, if you’re a school and you have fifty users it will cost $50,000 to pay the ransom to get the system unblocked. It’s a realistic estimate.”
The real costs of data breaches may not have made their impact felt in Australia yet. Until organisations face serious damage to something intangible and difficult to attach financial value to, they may continue to drag their feet when it comes to driving improved behaviour in how security measures are practiced daily.
“Organisations need to do two important things,” advises Harper. “One is to drive improved behaviour among people by training them in data security best practices. The other is to look at cyber insurance.”
He also explains cyber insurance in the context of competitive advantage, and estimates that while $1,000 of cyber insurance may currently buy $1 million in cover, the reality is that premiums will start to multiply exponentially in the next five years.
“The trigger point arrives when we have greater transparency from clear case studies that emerge through mandatory reporting. Everyone accepts it’s a topic to discuss right now. When a situation occurs where a school has had reputational damage that can’t be recovered, because of a data breach in which a student’s private information has been compromised, only then will schools tackle the issue of cyber security as a collective. As more cases come to light, we’ll see schools and hospitals reallocating funds to cyber security and cyber insurance and they will accept it as a cost of doing business. There is a litany of examples of data breach damage already, and sadly schools will have the most to lose I think because we are talking about children, we’re talking about very private matters from healthcare records, to Alumni and their donations. The incentive of attackers will be to go after the top end of town and private schools.”
About Ben Harper
Ben is a cyber security specialist and industry thought leader at HalGroup. He tackles the subject of cyber security from a commercial perspective, understanding the pressures on boards and directors through to NGOs and SMBs. He provides education and training to build improved, people-led cyber security cultures in an entertaining and educational way, sharing key industry case studies and insights that make the topic more relevant.
*2017 Ponemon Cost of Data Breach Study (IBM sponsored)