“If we had $201 for every time someone asked us, ‘Do you have data on the cost of breaches?,’ we’d have $128,037,” announce the authors of Verizon’s annual Data Breach Investigations Report (DBIR) with unexpected irreverence.

Until now the firm has had to answer ‘no’, but for the first time since it appeared in 2008 the report has managed to shine some light on a contentious subject that has often been accused of being a sales pitch for security vendors to hawk expensive equipment.


Verizon reckons it now has something more concrete in the form of numbers taken from 191 real insurance claims analysed by DBIR contributor NetDiligence, which, as far as I know, is the largest cache of such data that has been made available anywhere.

Contrary to the Ponemon methodology, which estimates loss per record at around the $200 (£140) mark, the NetDiligence figures show that the real figure is in fact 58 cents per record, a number so low that Verizon believes it to be almost as meaningless. The problem is that the costs associated with small, medium and large breaches don’t scale in a linear way.

After some statistical debate, Verizon’s authors come up with a range of estimates that show a 100,000-record breach could cost anything from $21,000 at the lower end to $10.2 million at the upper end. Massive breaches – 100 million or so – range from $392,000 to $200 million, with an average around the $8 million mark.
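To make the non-linearity concrete, here is a small added example (my own code, not Verizon's or NetDiligence's model) that takes the four range endpoints quoted above, interpolates each bound between 100,000 and 100 million records with a power law in log-log space, and compares the implied cost per record with a flat 58-cents-per-record figure. The power-law interpolation and the intermediate breach sizes are assumptions for illustration; only the endpoint figures come from the article.

```python
import math

# Constructed from the figures quoted in the article (USD): the low and high
# ends of Verizon's estimate range for a 100,000-record breach and for a
# 100-million-record breach. The power-law fit between the two points is an
# assumption made for illustration, not the DBIR's own regression.
RANGE_POINTS = {
    "low": [(100_000, 21_000), (100_000_000, 392_000)],
    "high": [(100_000, 10_200_000), (100_000_000, 200_000_000)],
}

FLAT_PER_RECORD_USD = 0.58  # NetDiligence per-record average quoted in the article


def fit_power_law(points):
    """Fit cost = a * records**b exactly through two (records, cost) points.

    Working in log10 space turns the power law into a straight line, so the
    exponent b is simply the slope between the two points.
    """
    (r1, c1), (r2, c2) = points
    b = (math.log10(c2) - math.log10(c1)) / (math.log10(r2) - math.log10(r1))
    a = c1 / (r1 ** b)
    return a, b


def estimate_cost(records, bound="low"):
    """Interpolated total cost for a breach of `records` records on one bound."""
    a, b = fit_power_law(RANGE_POINTS[bound])
    return a * records ** b


def cost_per_record(records, bound="low"):
    """Implied per-record cost on one bound; falls as the breach grows."""
    return estimate_cost(records, bound) / records


def flat_estimate(records, per_record=FLAT_PER_RECORD_USD):
    """The linear model the article criticises: records times a fixed rate."""
    return records * per_record


def cost_table(sizes=(100_000, 1_000_000, 10_000_000, 100_000_000)):
    """Rows of (records, low, high, flat) so the three models can be compared."""
    return [
        (n, estimate_cost(n, "low"), estimate_cost(n, "high"), flat_estimate(n))
        for n in sizes
    ]


if __name__ == "__main__":
    for bound in ("low", "high"):
        _, exponent = fit_power_law(RANGE_POINTS[bound])
        print(f"{bound} bound: cost grows as records^{exponent:.3f}")
    print(f"{'records':>12} {'low':>14} {'high':>16} {'flat $0.58':>14}")
    for n, low, high, flat in cost_table():
        print(f"{n:>12,} {low:>14,.0f} {high:>16,.0f} {flat:>14,.0f}")
```

Both fitted exponents come out well below 1, which is the article's point in one number: a ten-fold larger breach costs far less than ten times as much, so dividing a total by a record count gives a per-record figure that is only meaningful for breaches of roughly the same size.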

This is based on the tangible costs breached organisations had insured themselves against, such as IT costs, the expense of paying for customer credit checks and the bill for employing a forensics firm to work out how it happened. It doesn't include things like loss of reputation, which isn't usually insurable and which is in any case intangible. How much brand damage costs depends on the brand, and generalisations fail.

What does all this mean?

The model of cost-per-record is too limited: the actual cost of a breach will depend not only on the number of records involved but on the type of organisation they were taken from. That is probably very industry-specific, and individual firms will be affected to a greater or lesser extent.

Verizon’s figures include an ‘expected’ estimate of breach costs, and these appear to be lower than the Ponemon model would predict. Breaches are not going to be cheap, but in most cases they will not be calamitous. It is within the wit of individual organisations to estimate the costs with reasonable accuracy and insure themselves against the sums involved.

This makes sense. The costs of forensics, customer management and internal overtime should be known with some accuracy. It doesn't, by the way, necessarily mean that Ponemon's numbers are wrong, simply that using cost-per-record is a blunt way of starting the estimation.

A deeper question is how much money organisations should throw at protection as against insurance. There is no simple answer to that. What this report does make clear is that cyber-insurance deserves to be taken seriously as a form of risk mitigation. Protection isn’t all about flashing lights on expensive security hardware, after all.