“The bigger the better” is a worn old chestnut of an expression that has distinct applicability to certain professional sports, say basketball for example, and clear downsides when applied to adverse events. In the latter case one might more readily turn to the admonition bequeathed to us by E.F. Schumacher — “Small Is Beautiful”, or at least preferable to big. This abstract notion comes into better focus when applied to the latest compilation of data breach costs, brought to us by the Ponemon Institute.

For the past 13 years the Ponemon Institute has been studying and calculating the cost of data breaches around the world. The recently released 13th Annual Cost of Data Breach Study, sponsored by IBM Security, is chock full of data. For those who are interested in going directly to the bottom line, the likelihood of being breached is rising, and so are the costs of dealing with a breach.

Here’s one way to look at the situation as offered by the Institute’s Chairman and Founder, Larry Ponemon. “You’re more likely to experience a data breach of at least 10,000 records (27.9 percent) than you are to catch the flu this winter (5–20 percent, according to WebMD).” While the analogy might not be spot on, the thought is arresting.

Not surprisingly, bigger is more bitter than better. The really big breaches, so-called mega breaches, those involving more than a million records, nearly doubled over the past five years, increasing from nine in 2013 to 16 in 2017. Using statistical modeling based on analysis of 11 companies experiencing a mega breach over the past 2 years, the report projected the cost of breaches ranging from 1 million to 50 million compromised records. Interestingly, nearly all of these breaches (10 out of 11) stemmed from malicious and criminal attacks rather than human error.

The average time to detect and contain a mega breach was 365 days – almost 100 days longer than a smaller-scale breach. Costs ranged from $40 million (11 million records) to $350 million (50 million records). The biggest expense from these breaches stemmed from costs associated with lost business, estimated at nearly $118 million for breaches of 50 million records, roughly a third of the total cost. In comparison, the average cost of a data breach was $3.86 million. Here is an instance in which simply being average has its advantages.

The full report is available here. One has to sign up to download the report, but the read is worthwhile.

By Tom Davis, SDI Cyber Risk Practice

August 28, 2018