Study: Employee Training Reduces the Cost of a Data Breach

As you may have already heard, the Ponemon Institute’s 2015 Global Cost of Data Breach Study has been released and it confirmed what we all sensed—the average cost of a data breach has increased … significantly … again. According to the study, the average cost of a breach has reached $3.79 million, a 23% increase in the past two years. The average cost per lost or stolen record has also increased, this time up 12% to $154 per record.
If you’re curious as to how that $3.79 million breaks out, we were as well. Thankfully, we were all treated to a great visual during a recent webinar on the study’s findings led by Dr. Larry Ponemon himself.

Of course, those are just the averages. Your true cost of being hit by a breach largely depends on your industry and your location. Healthcare and education sectors incur the highest breach costs of all industries, and Germany- and U.S.-based organizations are hit more than anywhere else in the world.
Why are these numbers rising at such a rapid rate? Dr. Ponemon shared three main reasons:

  1. Cyberattacks are increasing both in frequency and in the cost required to resolve the resulting security incidents.
  2. The financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost (it’s that whole true cost of a data breach thing).
  3. More companies are incurring higher costs in their forensic and investigative activities, assessments, and crisis team management.

It sounds dire, but the news isn’t all bad.
The bright spot in all these increased numbers is that there are things you can do to not only lessen the likelihood you’ll experience a breach, but to also lessen the cost on your organization should the worst happen.
Much of it starts with employee awareness training.
Take a look at the slide below, which breaks out the cause of data breaches. Malicious or criminal attacks are currently leading the way, but human error (good people doing stupid things) is close behind at 29%.
[Slide: human factor report]
Don’t discount that 29%—it’s something your organization can actively fight against simply by adopting a security-aware culture and educating your employees to not do dumb things.
The study found employee training to be the top factor impacting the per capita cost of a data breach, creating the third highest per capita cost savings (giving you back $8 per record—not exactly chump change when we’re talking about thousands of records).
Dr. Ponemon also called out employee awareness training as being “extremely important,” encouraging organizations to look into options that tailor security training to specific needs or vulnerabilities identified within the organization. For example, if you survey employees and find they’re likely to click on phishing emails, then you’ll want to invest in training in this specific area. This kind of training is incredibly effective.
Having an incident response team and using encryption extensively were also found to reduce the cost of a data breach.
So where should organizations focus their efforts—on better technology or better training?
Dr. Ponemon noted that the solution to better security is not better technology alone. Sure, that’s part of the equation, but you also need other things. He shared some “common sensical” steps all organizations should take:

  1. Prioritize your business objectives and set your risk tolerance: Sometimes organizations go overboard catering to certain features of security and end up ignoring other factors that may actually be more important to the organization’s overall security. Don’t do this. Look at your objectives and be deliberate.
  2. Protect your organization with a proactive security plan: Take the time to assess the different things that could go wrong (understanding that this list will never be exhaustive…) and be proactive about how you’ll defend against them.
  3. Prepare your response to the inevitable, a sophisticated attack: Have a response ready to roll for those identified risks. Understand how you will respond to the attack.
  4. Promote and support a culture of security awareness: People are rushing around, using all sorts of insecure devices for business communication. Work on changing that culture to one that is more security aware. Continuous training and education can help change that mindset and get people to take security seriously.

We want to thank Ponemon and IBM for once again pairing up to do this research and sharing these insights. If you are the security expert within your organization, we encourage you to use this data internally to help build out budget justification for new solutions and new security training programs that protect your organization.
