[BreachExchange] Cost of a breach: Why some global industries are more expensive

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 29 20:27:18 EDT 2016


http://www.csoonline.com/article/3124387/data-breach/cost-of-a-breach-why-some-global-industries-are-more-expensive.html

Calculating the cost of a data breach to the victimized organization is
no simple matter. Those costs can include everything from direct expenses
for mitigating the attack, to lost customers, to legal fees and regulatory
fines. Once all those variables are taken into account, it's possible to
rank the cost of breaches by industry sector. Sitting at the top of the
"most-expensive" list worldwide are two somewhat surprising sectors:
healthcare and education.

This finding was recently published by the Ponemon Institute in its global
report on the cost of data breaches. While the average data breach cost
across all industries was $158 per lost or stolen record, the average cost
per lost healthcare record was $355, and $246 for each education record
lost. At the other end of the spectrum, the average cost of a lost public
sector record was just $80, and that of a lost research industry record
$112.

Why the big range in cost impacts? One reason is higher fines in heavily
regulated industries. Most people know about the Health Insurance
Portability and Accountability Act (HIPAA), which imposes strict controls
on protecting medical records and penalties for their exposure. Don't
forget, though, that universities and other institutions store more than
just students' academic records. They also hold financial information,
Social Security numbers, medical records and other sensitive data. As such,
these institutions can also face significant regulatory fines when they
suffer cyberbreaches.

Another key variable in Ponemon's cost calculations is customer churn – the
loss of customers in the wake of a data breach. This factor isn't
significant in the case of educational institutions, as it's no simple
matter for a college student to change schools. The health sector, by
contrast, had the second-highest post-breach churn rate, behind only the
financial sector. (The financial sector, another heavily regulated
industry, ranked third highest in average cost per lost record, at $221.)

Some cost factors are far from obvious. For example, the single factor that
most increases the cost of a data breach is third-party involvement in the
breach, according to Ponemon. Breaches resulting from the loss or theft of
a mobile device are also more costly than other forms, which is likely a
particular problem for the healthcare sector: "The California Data Breach
Report," published by the California Attorney General in February 2016,
found that nearly 40 percent of the health sector breaches reported in the
state in 2015 resulted from lost or stolen electronic devices.

Understanding the particular industry challenges – and costs – associated
with cyberbreaches should be an important element of every organization’s
cybersecurity planning and strategizing. Organizations in relatively
low-cost sectors can’t afford to be complacent, of course. Even if the
average breach costs are low compared to other industries, a severe breach
can prove devastating for the organization, its employees and its customers.

Ultimately, every organization can learn a lot by understanding the
sources of post-breach costs, and by building its defenses and strategies
with an eye toward minimizing those financial impacts.