Malicious or criminal attacks are most often the cause of a data breach globally. According to IBM Report on Security Breach cost (IBM and Pnemon Institute, 2015) Forty-seven percent of incidents involve a malicious or criminal attack, 25 percent concern a negligent employee or contractor (human factor), and 29 percent involve system glitches that includes both IT and business process failures.
Figure 1 Distribution of the benchmark sample by root cause of the data breach (IBM and Pnemon Institute, 2015)
Security breaches can harm an organization in several form. In the past, senior executives and boards of directors may have been complacent about the risks posed by data breaches and cyber attacks. However, there is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives to pay greater attention to the security practices of their organizations. According to IBM research on Cost of Data Breach, the average total cost of a data breach for the 350 companies participating in this research increased from 3.52 to $3.79 million (IBM and Pnemon Institute, 2015). The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in 2015. There are three reasons contributing to a higher cost of data breach in recent years:
- Cyber attacks have increased in frequency and in the cost to remediate the consequences.
- The consequences of lost business are having a greater impact on the cost of data breach. Lost business has potentially the most severe financial consequences for an organization. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The growing awareness of identity theft and consumers’ concerns about the security of their personal data following a breach has contributed to the increase in lost business.
- Data breach costs associated with detection and escalation increased.
Damaged Intellectual Property: During a data breach intellectual property of an organization like Blue prints, designs and source codes can get compromised.
Revenue Lost: As a result of a computer attack company might face business downtime which will result in revenue lost.
Theft: Bank Information, Transfer codes or Customer credit cards can be stolen as a result of a security breach.
Vandalism: False or discrediting information can be injected during a security breach.
Loss of customers: Customers more have awareness about Identity theft and Such incident can damage the company reputation and it is possible that customer don’t trust the organization as before.
Damage to business reputation: A major part of the brand experience for most customers comes through the technology that delivers or supports the business. When that technology doesn’t work, it’s not just a problem for the tech team; an organization’s reputation can suffer. (Forbes, 2014)
Compliance obligations: State or Federal governments have their own regulations to control and imply the necessary data security standard levels.
Government investigations: According to state or federal government regulations, in case of data breaches company should use external investigation team to measure and record the incident, and it is company’s liability to cover those investigations cost.
Civil Litigation: Companies are facing big legal cases after data breaches.
Adobe, which had 38 million passwords and the source code to several programs stolen in 2013, was praised by cybersecurity experts for its quick and honest response to the attack. Adobe, being a Silicon Valley-based tech company, was clearly ready to contain the damage even though its security measures had failed.
On the other hand, Target’s response to the theft of approximately 40 million credit card records and 110 million personal data records in 2013 was sluggish and disorganized. Target waited for a week before announcing the data breach, and after it did so, it was unprepared to handle the deluge of incoming calls and emails from panicked customers. That poor crisis response ultimately led to the resignation of its CEO.
The 2014 JPMorgan Chase data breach was a cyber-attack against American bank JPMorgan Chase that is believed to have compromised data associated with over 83 million accounts – 76 million households (approximately two out of three households in the country) and 7 million small businesses. The data breach is considered one of the most serious intrusions into an American corporation’s information system and one of the largest data breaches in history.
Time to Identify the Breach: Time to identify and contain a data breach affects the cost. Company should prepare the necessary infrastructure and software and skillful personnel to be able to identify the breach as soon as possible.
Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization.
- Notify the incident internally
- Assemble a response team
- Investigate the incident
- Determine whether the incident constitutes a reportable breach
- Contain the breach and mitigate harm, to the extent possible
- Notify affected persons, Law enforcement, Government and Media
- Respond to inquiries
- Improve processes to avoid future data breaches
Full Powerpoint Presentation:Cost-of-IT-security-breach
Forbes. (2014). The Reputational Impact of IT Risk.
IBM and Pnemon Institute. (2015). IBM report on 20151 Cost of Data Breach Study: Global Analysis.