2017 Cost of Data Breach Study
Impact of Business Continuity Management Benchmark research conducted by Ponemon Institute and sponsored by IBM June 2017
Announcing: Ponemon Institute 2017 Cost of a Data Breach Reports
Impact of Business Continuity Management Global Report
4/23/2019
The 2017 Ponemon Cost of Data Breach Study covered 1,900 individuals across 419 companies in 13 countries or regions and 17 industries

Industries (share of sample): Financial 15%, Industrial 15%, Services 14%, Technology 12%, Retail 8%, Public 7%, Energy 5%, Consumer 5%, Transportation 5%, Life science 4%, Hospitality 4%, Communications 2%, Health 1%, Education 1%, Media 1%, Research <1%, Entertainment <1%

Countries/regions (share of sample): United States 15%, United Kingdom 10%, India 9%, Brazil 9%, France 8%, Germany 8%, Japan 7%, Italy 6%, Australia 6%, Canada 6%, Middle East 6%, ASEAN 5%, South Africa 5%

This year 419 companies participated in the study. They are located across 13 countries and regions: the United States, United Kingdom, India, Brazil, Germany, France, Japan, Middle East, Canada, Australia, Italy, South Africa and, new this year, ASEAN. The Middle East region combines companies in Saudi Arabia and the United Arab Emirates. This is the first year that the ASEAN region has been included in the study. ASEAN is a cluster sample of companies located in Singapore, Indonesia, the Philippines and Malaysia. In this global report, all currencies have been converted to US dollars. On our website you can get country-level reports for all 13 countries/regions. In these reports, data is in the local currency.
Understanding these will help you understand the report findings

Data breach: an event in which an individual's name plus a medical record or financial record or debit card is potentially at risk
Data record: information that identifies the natural person (individual) whose information has been lost or stolen in a data breach
Incident: for this study, a data breach involving between approximately 3,000 and 100,000 compromised records
Participants: organizations that experienced a data breach within the target size range
Benchmark research: the unit of analysis is the organization; in a survey, the unit of analysis is the individual

I want to spend just a few minutes on this "housekeeping slide." For the context of this report, a data breach is an event in which some personally identifiable information (PII) is at risk: a person's name plus a medical record, a financial record or a debit card. So we did not include, for example, a data breach that exposed intellectual property. When we refer to a data record, we mean the information that identifies that individual. For this study, organizations that participated had experienced a data breach involving between approximately 3,000 and 100,000 compromised records. The cost data in this study does not apply to calculating the impact of data breaches over 100,000 records. A question we get frequently is, "What makes benchmark research different from survey research?" In the case of this study, which is benchmark research, the unit of analysis is the organization, not an individual person. In fact, Ponemon Institute interviewed more than 1,500 people in order to get a comprehensive picture of the cost of a data breach. A mega-breach of more than 100,000 records is not considered typical. The model in this report is built for analysis of data breaches up to but not over 100,000 records. If you apply the data from this study to a mega-breach, the results can be skewed to be higher than they actually would be when spread across that many stolen data records, so the cost data in this study should not be used to calculate the financial impact of a mega-breach over 100,000 records.
What are the key cost of a data breach findings?
For the first time in 4 years, we are seeing a decrease in the cost of a data breach, although the average size of breaches is up

Why the decrease?
48% of the per-record 11.4% decrease over last year is due to the US dollar exchange rate
Companies are making investments in IT security technologies and seeing results
The average size of a data breach increased 1.8% to 24,089 records

Global average cost per record in US dollars: $154, $158, $141 (this year; -11.4%)
Global average cost per incident in millions of US dollars: $3.79M, $4.00M, $3.62M (this year; -10%)

Our lead key finding is that this year, the global average cost of a data breach is down over previous years. The global average cost per record for this year's report is $141. That is a decrease of 11.4% over last year. The global average cost per incident is $3.62 million, a decrease of 10% over last year. But those are averages. From country to country there is a lot of variability. The highest country for both cost per record and cost per incident is the United States. The lowest countries for cost per record and cost per incident are Brazil and India. The strong U.S. dollar was responsible for half of the 10% decrease in the average total cost of a data breach reported in this study. The effect was strongest in conversions from the pound and the euro to U.S. dollars for the global study. Despite the decrease in cost, the average size of a data breach increased 1.8% to 24,089 records.
Costs and trends vary widely across countries in the study

Per-record cost / per-incident cost (currencies converted to US dollars; no comparison data for ASEAN):
US $225 / $7.35M
Canada $190 / $4.31M
Germany $160 / $3.68M
Middle East $155 / $4.94M
France $146 / $3.51M
Japan $140 / $3.47M
Italy $128 / $2.80M
South Africa $128 / $2.53M
UK $123 / $3.10M
ASEAN $112 / $2.29M
Australia $106 / $1.92M
Brazil $79 / $1.52M
India $64 / $1.68M

As you can see on this chart, not all countries experienced a downward trend. Average costs for a data breach were up in the U.S., Middle East, India, Japan and South Africa. There is no trend data for ASEAN because this is the first year the region is included in the study. These up/down trends hold true for countries in their local currencies except for Italy, which did see a year-to-year increase in costs. The country reports, available on ibm.com/security/databreach, provide a detailed review of study findings in local currencies.
The per-record cost of a data breach also varies widely by industry

Chart: per-record cost by industry, with the percent change over 2016 (increase or decrease) for each industry; comparative year-to-year data not available for some industries; currencies converted to US dollars

The cost per record varies widely across industries. At the high end we have $380 for healthcare, $245 for financial and $223 for services. The numbers steadily decline until we get to the bottom with the public sector at $71. The chart also shows the percentage change over last year's findings. Healthcare and financial services are highly regulated industries, which increases the cost of a data breach. Financial services faces the added problem of low switching costs for its customers, so abnormal customer churn can also be a larger than average cost issue. The top four industries have switched positions since last year, when the rankings (high to low) were healthcare, education, financial and services. Financial, services and technology show up consistently in the top four at the country level (see country reports for details). Why is the public sector cost so low? Most public sector organizations don't have to worry about things like lost business and lost customers. Large federal agencies like the Bureau of Land Management, for example, don't have customers to lose in the traditional sense. Even those that have "customers", for example the Veterans Affairs organization, have a customer set that really doesn't have much in the way of choice for an alternative service provider. The same holds true for governments or public agencies at the state or local level.
The largest component of the total cost of a data breach is lost business

Components of the $3.62 million cost per data breach (currencies converted to US dollars):
Detection and escalation, $0.99 million: forensics, root cause determination, organizing incident response team, identifying victims
Notification, $0.19 million: disclosure of data breach to victims and regulators
Ex-post response, $0.93 million: help desk, inbound communications, special investigations, remediation, legal expenditures, product discounts, identity protection service, regulatory interventions
Lost business cost, $1.51 million: abnormal turnover of customers, increased customer acquisition cost, reputation losses, diminished goodwill

So when we say the total cost of a data breach has gone down, what are we including in that? The largest single cost component of a data breach is lost business. This component includes abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. For this component we are using customer turnover and the loss of the lifetime value of a customer as our metrics. The number is large because if you lose even two percent of your customers as a result of a data breach, that results in a big loss; how big depends on what industry you are in. Also included are customer acquisition costs, which tend to go up about 170 days following a data breach, as well as reputational losses and diminished goodwill. To determine the remaining costs, Ponemon uses activity-based costing. In doing so, we capture costs around key activities. Essentially, we divide these activities into the four "buckets" shown on this chart. Detection and escalation takes up $0.99 million out of the $3.62 million total cost. Activities in this category include forensics, root cause determination, organizing the incident response team and identifying individual victims. Also included in this category are assessment and audit services, crisis team management and communications to executive management and the board of directors. Notification-related activities include IT activities associated with the creation of a contact database, determination of all regulatory requirements, engagement of outside experts, postal expenditures, bounce-backs and inbound communication setup. Post data breach response costs include help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts and identity protection services for victims, and regulatory interventions.
Hackers and criminal insiders cause the most data breaches

Root cause share and per-record cost to resolve (currencies converted to US dollars):
Malicious or criminal attack: 47%, $156 per record to resolve
Human error: 28%, $126 per record to resolve
System glitch: 25%, $128 per record to resolve

This chart represents a summary of the main root causes of a data breach on a consolidated basis for all 12 countries represented in this research. The largest category is the malicious or criminal attack, which represents 47% of all data breaches, at the highest per-record cost to resolve the breach. Malicious or criminal attacks are on the rise and are the most costly to resolve, which is another factor behind the rising cost of data breach. You might ask what the difference is between a system glitch (25% of the total) and human error. The definition that Ponemon uses for this research is that human error is a problem that can be traced to an individual or a group of people. One example is a person who unwittingly opens a phishing email and introduces malware into the network. A system glitch, by comparison, is something that breaks down in an IT system or business process that can't be linked back to an individual or a group.
What you can do to help reduce the cost of a data breach

Chart: amount by which the cost per record was lowered by each factor; $262,570 savings per average breach. Footnotes: savings are higher than 2016; no comparative data for some factors; currencies converted to US dollars.

The research found a number of factors that reduced the average $141 per-record cost of a data breach. For starters, having an incident response team, either an in-house team, or a team that is provided by a security services provider, or a combination of both, can shave off $19.30 per record. For even a breach of 10,000 records that's a savings of $193,000, or $1.9 million for a breach of 100,000 records. Extensive use of encryption can bring a payback of $16.10 per record, while employee training can reduce the cost by $12.50 per record. We are talking in particular about training in data protection and privacy issues, things like how to recognize phishing emails and how to create effective passwords. Business continuity management impact is important. Organizations that have business continuity management programs have people who are skilled in dealing with catastrophic events. Making them part of the data breach prevention and response process can produce a savings of almost $11 per record. Participation in threat sharing can reduce cost by $8 a record. Use of security analytics and extensive data leak protection produce savings of $6.80 and $6.20 per record respectively. If you go to our website and download the report, you'll see additional factors that produce savings. And you'll find several factors, such as third party involvement, extensive cloud migration, compliance failures and extensive use of mobile platforms, that can increase the cost per record.

NOTE TO SPEAKERS: A common question is, "If I have an incident response team AND I use encryption, for example, will that produce a savings of $35.40?" The answer is "No." The benefits are not additive; that's not how the research was done. Ponemon ran an individual analysis for each factor.
How does Business Continuity Management help mitigate the impact of a data breach?
How deep is the Business Continuity Management (BCM) contribution to the data breach incident response process?

BCM's contribution to incident response planning. This chart shows a summary of BCM involvement in the data breach incident response planning and execution. Of the 419 companies in this global study, 226 or 52 percent had BCM involvement. The remaining 193 companies did not involve their BCM team or only involved BCM on an ad hoc basis. Last year's analysis showed 51 percent of companies involved BCM in the data breach incident response.
How significant is BCM’s contribution to the data breach incident response?
This chart shows the level of BCM involvement in incident response planning and execution. For this year’s study, 65 percent of companies rate this involvement as very significant. Another 30 percent rate BCM involvement as significant. Last year’s study showed that 66 and 29 percent rated BCM involvement as very significant or significant, respectively.
Manual versus automated disaster recovery (DR) processes: manual processes are most prevalent; resiliency orchestration emerges as an innovative and cost-effective approach to reducing the cost of a data breach

Manual DR: 49%; automated DR: 35%; automated DR with resiliency orchestration: 16%

Manual vs. automated disaster recovery (DR) processes. As shown here, nearly half (49 percent) of our sample of benchmarked companies deploys manual DR procedures. Another 35 percent said their company was deploying a DR process that is primarily automated. Only 16 percent of companies' DR processes are automated and provide resiliency orchestration.
Companies that utilize DR automation and orchestration reduced the cost per day of a data breach significantly compared to companies with no BCM/DR

Average cost per day of a data breach (currencies converted to US dollars): overall average $5,064; without BCM $6,050; with BCM and manual DR $5,015; with BCM and automated DR $3,500; with BCM and automated DR plus resiliency orchestration $3,360

On this slide let's start on the left, and look at how having a BCM group involved with your IT security data breach response impacts the average cost per day of a data breach. You can see that companies that do not involve BCM experienced an average cost per day of $6,050, close to a thousand dollars higher than the overall average of $5,064. Those companies that do involve BCM achieve almost a thousand dollars a day in savings. So it pays off to involve BCM. On the right we take a closer look at the BCM group itself to see how DR automation and orchestration can affect the cost of a data breach. We've taken that BCM group and broken it into three segments: those with totally manual DR processes; those who have automated DR; and those who have gone farther with automation by adding the capability to provide resiliency orchestration. We know that the overall average data breach cost per day is estimated at $5,064. Companies that have a manually operated DR process experienced an estimated average cost of $5,015 per day. In contrast, companies with an automated DR process gain significant savings, experiencing a cost per day of $3,500. And those that in addition provide resiliency orchestration experienced a much lower average cost per day of $3,360.
Likelihood of involving BCM in dealing with a data breach, by country

Chart: percentage of BCM team involvement by country/region (* costs went down; ** costs went up)

Germany and Japan are most likely to involve BCMs when dealing with data breaches. This chart shows the percentage of BCM team involvement in incident planning and execution for country and regional samples. Similar to the last three years, Germany had the highest rate of BCM involvement, with 75 percent of German companies reporting they had a BCM or DR team in place. Germany also experienced a decrease in the cost of data breach. In contrast, only 30 percent of Brazilian companies had BCM involvement. Brazil saw its cost of data breach go up in this year's study.
Average cost of a data breach with or without BCM involvement

Charts: per-record cost (average $141) and total cost in millions (average $3.62), with BCM versus without BCM; currencies converted to US dollars

BCM reduces the per capita cost of data breach. The chart on the left reports the average per capita cost of data breach for companies that involved the BCM team in incident response planning and execution, and those that did not. Those companies involving BCM experienced a lower per capita cost than those that did not involve BCM. In percentage terms over the past year, per capita cost decreased by 14 percent for companies in the BCM group and 9 percent for the non-BCM group. The chart on the right reports the total cost of data breach for companies that involved the BCM team in incident response planning and execution and those that did not. Similar to the above, those companies involving BCM experienced a lower total cost of data breach than those that did not involve BCM.
BCM reduces both mean time to identify and mean time to contain a data breach to deliver a significant cost savings

Mean time to identify (MTTI; the time it takes to detect that an incident has occurred): with BCM 171 days, without BCM 214 days (43 days saved)
Mean time to contain (MTTC; the time it takes to resolve a situation and ultimately restore service): with BCM 50 days, without BCM 85 days (35 days saved)
Total average 78 days for a total savings of $394,922

The cost of data breach is linearly related to the mean time it takes to identify and the mean time to contain the data breach incident. The days to identify the data breach are lower for organizations that involved BCM; namely, a time saving of 43 days in FY 2017. Days to contain the data breach incident were substantially lower for organizations that involved BCM, a time saving of 35 days (85 minus 50 days) in FY 2017. The combined total average of 78 days faster to identify and contain a breach for the BCM group produced a total average savings of $394,922 (that is, 78 days x the average cost of $5,064 per day).
MTTI and MTTC days vary widely by industry

The MTTI and MTTC vary across industries. In this year's study, for the consolidated sample of 419 companies, the MTTI averaged 191 days. The MTTC averaged 66 days, with a range of 10 to 154 days. Companies in the education industry had the longest MTTI at 221 days. Companies in the entertainment industry had the longest MTTI at 22 days. In contrast, companies in the research sector had the shortest MTTI at 152 days, and financial services companies had the shortest MTTC at 34 days.
Business continuity management can reduce the likelihood of experiencing a data breach over a two-year period

Average likelihood of experiencing a breach of 10,000 or more records over a two-year period: with BCM 23.9%, without BCM 31.8%, overall average 28%

BCM reduces the likelihood of a data breach. This chart reports the average likelihood of a data breach involving a minimum of 10,000 or more records over the next 24 months for companies that involve the BCM team and those that do not. Over the past four years, we found that organizations that involved the BCM team experienced a lower likelihood of incurrence than those that did not involve BCM. In this year's study, the difference in the likelihood of a future data breach between companies that did and did not involve BCM is 7.9 percent. In percentage terms over the past year, the probability of data breach increased by 8.7 percent for companies in the BCM group and 8.2 percent for the non-BCM group.
BCM can also reduce the overall impact of a data breach

Chart (with BCM vs. without BCM for each of three impacts: data breach disrupted business processes, data breach disrupted IT processes, data breach negatively affected reputation): 76%, 72%, 62%, 55%, 56%, 52%

BCM can also reduce the overall impact of a data breach. Companies with BCM experienced lower rates of disruption to business and IT processes, and less negative impact on reputation.
Interviews have provided these insights into why BCM has such a significant, positive impact on data breach response

BCM provides:
An orientation to rigorous planning and testing
A communication channel in times of crisis
A structure that helps simplify incident response
Compliance with BCM standards raises awareness about crisis events
BCM personnel provide leadership to support proactive risk management
BCM advances proactive monitoring and vigilance
What can your organization do to coordinate BCM and security operations' response to a data breach and boost your cyber resiliency?

Communicate on this slide that BCM acts as an umbrella and builds resiliency to support your strategy and infrastructure. To get started in developing a BCM + Security response team, businesses should:
1. Confirm your organization has robust BCM governance and execution
2. Establish cross-representation on business continuity and cyber security teams and appoint crisis management representatives to coordinate respective and joint efforts
3. Conduct joint cyber-attack simulation testing regularly; increase the testing activities
4. Align budget to risk posture
5. Consider implementing and/or expanding resiliency orchestration that is "application aware" and embraces any type of hybrid infrastructure and cloud
Resiliency is essential in today's always-on world

End-to-end resiliency that is embedded into the enterprise can prevent disruptions, reduce complexity and risk and protect your brand reputation, enabling you to innovate and reinvent the way you do business. It can: mitigate risk; protect brand and revenue; protect capital; reduce costs; improve service.

It's important to note that business resiliency provides a number of cost efficiencies that help you save money immediately as well as provide long-term returns on your investments.
Mitigate risk: You can avoid the costs of downtime, including brand damage and market share lost to competitors as well as the financial impact of business disruptions.
Protect brand and revenue: Properly assessing the threats to your IT infrastructure, their potential business impact and your tolerance for risk helps you plan a realistic strategy.
Protect capital: Analyzing cost trade-offs helps you reduce unnecessary investment.
Reduce costs: Resiliency solutions can protect you from failed restores and lost data. Taking advantage of sophisticated implementation services can help you avoid the technical staff training or retraining costs of testing and implementing a robust solution; instead, your staff can focus on core business.
Improve service: You can better align a resilient infrastructure to the needs of your business to maintain SLAs based on your tolerance for risk.
Key questions to consider

What risks is your company most worried about, and do you understand the impact if the risk disrupted the operations of your business?
In the event of an IT disruption that resulted in an outage, how confident are you that you can run your business from your DR platform?
What percentage of your mission-critical applications are included in your DR strategy/program?
When was the last application outage, and how long did you take to recover IT applications?
Is your Business Continuity Management function aligned with IT Security Operations, including Incident Management teams?
Do you have the resources to do DR drills for all your applications under your DR plan?
When doing a DR drill, have you found the run book to be out of sync with the current configuration?
Do you conduct cyber-simulation testing between BCM and IT Security?
If your business has moved, or is planning to move, to a hybrid cloud environment, have you made any corresponding changes to your Business Continuity Management strategy?
IBM Resiliency Services

IBM Resiliency Services' mission is to help clients develop an enterprise-wide resiliency strategy

GTS Resiliency Solutions: software, consulting, implementation, managed services and as-a-service
IBM Resiliency Services 7-Layer Framework: strategy and vision; organization; processes; applications; data; IT infrastructure; facilities
Offerings: strategy, governance, planning and communications; high availability; resiliency orchestration; disaster recovery as a service; backup as a service; state of the art facilities and data center design, build, and management; resiliency communications

The world is always on. Can your business compete?
Next steps

Download your copy of the report: ibm.biz/PonemonBCM
Visit ibm.com/services/resiliency to learn how IBM Resiliency Services can help protect your organization
For country-level 2017 Cost of Data Breach reports, go to: ibm.com./security/data-breach
Visit to learn more about Ponemon Institute research programs
Thank you! © Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. 
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. BUP03278USEN-00