Approaching Data Security: IT Procurement in the Time of World War Zero
What is your organization spending on data security? Odds are that the number is way, way up. Even with storage costs declining and more and more data being shifted from internal company devices, servers and entire data centers to the cloud, companies of all sizes, along with non-profits, health care institutions and government agencies, are spending ever-larger amounts to defeat external attacks from hackers – and yet, it’s not nearly enough. Time Magazine recently ran a cover story (see The Code War: The Internet is a Battlefield, the Prize is Your Information, and Bugs are the Weapons) on the subject of hacking under the headline “World War Zero.” Despite billions being spent on this new data war, we collectively appear to be losing it. Recent, well-publicized hacking cases involving companies such as Target and P.F. Chang’s are but skirmishes in this fast-growing conflict that affects us all.
Taken together, such attacks exact a high cost on American firms, and the efforts – and the money spent – to prevent such unauthorized access to data take a toll on both individual organizations and the economy as a whole. The Ponemon Institute recently released its annual report on the impact of data breaches (2014 Cost of Data Breach Study: United States), documenting the staggering costs of such data intrusions. For American companies, the average cost of a data breach presently stands at $5.9 million, with the average cost per compromised record (meaning information that can identify an actual person) presently reaching $201.
The study also found, consistent with the findings of prior years, that the per-record cost for compromised data was far higher ($246/record) than the costs attributable to system glitches ($171/record) and employee mistakes ($160/record). On average, companies that suffered a data compromise spent $417,700 to try to detect the breach and determine its root cause. Firms also incurred an average of $1.6 million in response costs (including legal fees, settlements, and payments to victims, along with marketing costs in response to the incident).
All of this is noteworthy given that the study’s methodology specifically excluded catastrophic data breach incidents of over 100,000 lost or stolen records so as not to skew the overall results. Thus, major incidents such as the Target and P.F. Chang’s cases do not even factor into these costs. Including such major cases would likely heighten these already scary statistics. Finally, the above-cited study found that at present, companies have a 19-percent annual chance of seeing a data breach incident occur that would affect 10,000 records or more. As for the public sector, it unfortunately has the highest documented vulnerability at 23.8 percent.
Yet what these data pirates want is not always financial, and companies aren’t the only ones vulnerable. In May, the St. Joseph Health System, the leader of a network of health care facilities in Texas, revealed a massive network intrusion that had taken place over three days in December 2013. This security breach compromised the medical and personal records of over 400,000 past and current patients in central Texas. The hackers also gained access to the facilities’ employee records.
Earlier this summer, The New York Times detailed how Chinese hackers had broken into databases of the U.S. government’s Office of Personnel Management (OPM), gaining access to the records of tens of thousands of federal employees who had applied for top-secret security clearances. This comes on the heels of a well-publicized case earlier in the year in which digital intruders gained access to personal data for employees and contractors of the Department of Energy (DOE).
Indeed, the Ponemon Institute report specifically highlighted the fact that healthcare organizations had the highest per-record cost ($316/capita) of any organizational type, while public sector agencies stood at the greatest risk of having a data breach occur (at 23.8 percent per year). And again, the Ponemon methodology would specifically exclude these major incidents affecting the OPM and the DOE from these numbers, as the researchers believed that cases involving more than 100,000 records would skew their data.
And so what is to be done? Organizations need to realize a simple truth. Today, there is simply no distinction between an organization’s IT strategy and its overall strategy. And as we have seen, when an organization experiences a major IT embarrassment, there are larger, strategic ramifications that must be dealt with, often with very expensive and long-lasting consequences. Protecting customer data is a requisite for retaining the trust and loyalty of customers. And as the Target case has proven in recent traffic numbers for the retail giant, shoppers will be slow to come back to spend both on your website and in your stores after a major data breach.
Thus, we need to change senior executives’ mindset when it comes to IT spending for security. There needs to be a renewed focus on the ROI of such spending. Too often, top execs fall into the “new car trap,” focusing on the bells and whistles that they can see. Yes, that may mean paying for new seals of approval on the corporate website. Yes, that may mean paying for “red team” hackers to try and find the vulnerabilities of your computer systems. And yes, firms are racing to impose new physical layers of security (think Visa’s moats or Google’s alligators). Finally, we have all grown accustomed to the “upgrade culture” of software of all types.
We need to ask tough questions about the utility – and in some cases, the futility – of what we are presently doing with regard to IT security. If we do not demand that executives start asking the tough questions when it comes to IT and make sure that we work to procure the “best” – i.e., the most beneficial – data protection infrastructure for our most important asset today, information, the consequences will be dire for all of us. The sooner, the better.