When workers lose their laptops at conferences and airports or in taxis, rental cars or hotels, the cost to their employer can be steep.
How steep? Think almost $50,000.
That’s according to a new report by the Ponemon Institute, which looked at the costs to companies not just in terms of hardware, but also in lost data.
In its study, which was sponsored by Intel, Ponemon found that the average reported cost of a lost laptop came to $49,246.
While hardware costs ranged only from $913 to $2,500 among the 138 cases it examined, the total estimated expense — after factoring in lost data — ranged from $1,213 to $975,527.
Those figures might be even higher than companies are willing to admit, since they’re based on reported losses.
“We had to build the model based on what was reported to us,” said company chairman and founder Larry Ponemon, calling from the RSA conference. “It is unlikely in my experience that there are no other residual costs than replacement value.”
Even if they’re conservative, the figures are in keeping with other recent findings by Ponemon, whose earlier studies reported that data lost in company breaches represents 80 percent of the breaches’ total cost to the business. Where intellectual property (IP) is lost, the loss of IP represents 59 percent of the total cost.
Ponemon calculates the total cost of each stolen record in a breach by factoring in the loss of reputation, losses from future business, and a variety of additional costs.
In Ponemon’s most expensive example of a missing laptop, each lost record was estimated to have cost its owner $225. With 6,200 records stolen, the data’s total price tag amounted to around $973,400 — almost all of the $975,527 cost Ponemon recorded for the incident, with the remainder likely to be primarily related to hardware.
In addition to the cost of hardware and data, a number of additional factors add to the expense of recovering from a missing laptop: detection, forensics, lost productivity and legal, consulting or regulatory expenses.
For detection and forensics, the report assumes that an IT organization’s best people are called in. It assumes they’re worth 2.5 times their hourly wage to the organization, so that if the employee is paid $36 per hour, the cost per hour to the organization of deploying vital employees in incident response is $82 or $90. Similar calculations are involved in the cost of lost productivity.
The report did not break down the components of its cost estimates for legal, consulting and regulatory expenses, but Ponemon pointed out that those costs can occur over a period of several years, while the report covers losses over a 12-month period.
“Lawsuits take years,” he said. “The FCC might issue a fine for data loss a couple of years after the breach.”
Recommendations
To help defray the costs associated with lost laptops, the report recommended wide deployment of anti-theft and data protection solutions.
“An understanding of how costly it is to lose a laptop can be used to make the case for purchasing enterprise-wide solutions,” Ponemon wrote in the study.
The report also recommended that laptops be encrypted, since encryption reduces the average cost of a loss by almost $20,000. Ponemon explained that while encryption won’t thwart all thieves, it will deter many of them.
“It won’t stop the super-brilliant cyber criminal … but the average bad guy stops when they see encryption,” he said. “It works 90 to 95 percent of the time, and that’s based not just on work we’ve done but also on conversations with the U.S. Secret Service.”
Minimizing the damage
Encryption can also save money by changing a company’s obligations under the law.
“In the event that data is encrypted — PGP is very good — the law does not necessarily require a company to notify customers,” Ponemon said. “Thus, they don’t have to incur the large data breach costs,” which include the price of a loss of reputation.
Additionally, the report recommended backups — even though laptops without backups appeared to cost companies less: $68,899 on average for backed-up laptops versus $39,253 for those with no backup.
The difference may be that laptops without backups did contain valuable data, but the business had no way to confirm what was lost, which Ponemon called the “ignorance is bliss hypothesis.”
“We anticipated that having a backup would save time and reduce productivity loss,” he told InternetNews.com. “What we found was that it did not work that way, because a company was better able to determine that there was data at risk.”
In one case where there was a full backup, a consultant denied having any valuable data in a spreadsheet, claiming it contained only aggregate data. But when the company examined the backup of the file, they noted that if you clicked beyond the first tab, the spreadsheet contained individual customer data and even social security numbers.
“It was a huge problem for the company,” Ponemon said.
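The spreadsheet case above is exactly the situation a data-at-risk review has to handle mechanically: the file owner's description of "aggregate data" was wrong, and the sensitive records sat on a tab nobody looked at. The following scanner is an added example written for this page; it is not code from the Ponemon report or from the company involved. It reads an .xlsx directly as the zip of XML parts it actually is (standard library only, so it runs offline), walks every worksheet rather than only the first, and flags cells matching the US Social Security number shape. The `build_workbook` helper, the sheet names and the SSNs in it are constructed test data; the `only_first_sheet` switch is there to show how the consultant's first-tab check would have missed the records.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": M, "rel": PR}

# US SSN shape, with the never-issued area (000, 666, 9xx), group (00) and serial (0000) ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def _cell_text(cell, shared):
    """Return a cell's displayed text whether it is a shared string, an inline string or a value."""
    kind = cell.get("t")
    if kind == "s":                       # index into xl/sharedStrings.xml
        v = cell.find("m:v", NS)
        return shared[int(v.text)] if v is not None else ""
    if kind == "inlineStr":               # string stored inside the cell element
        return "".join(t.text or "" for t in cell.iter(f"{{{M}}}t"))
    v = cell.find("m:v", NS)              # number, bool or cached formula result
    return (v.text or "") if v is not None else ""


def iter_sheets(xlsx_bytes):
    """Yield (sheet name, [cell text, ...]) for EVERY worksheet, in workbook order."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{M}}}t"))
                      for si in sst.findall("m:si", NS)]
        rels_xml = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        rels = {rel.get("Id"): rel.get("Target") for rel in rels_xml.findall("rel:Relationship", NS)}
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sh in wb.find("m:sheets", NS).findall("m:sheet", NS):
            target = rels[sh.get(f"{{{R}}}id")]
            # Targets are relative to xl/ unless written as an absolute part name.
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            root = ET.fromstring(z.read(part))
            yield sh.get("name"), [_cell_text(c, shared) for c in root.iter(f"{{{M}}}c")]


def find_ssns(xlsx_bytes, only_first_sheet=False):
    """Map sheet name -> SSN-looking strings found on it. only_first_sheet=True reproduces
    the 'just look at the first tab' mistake from the anecdote."""
    hits = {}
    for idx, (name, cells) in enumerate(iter_sheets(xlsx_bytes)):
        if only_first_sheet and idx > 0:
            break
        found = [m.group(0) for text in cells for m in SSN_RE.finditer(text)]
        if found:
            hits[name] = found
    return hits


def build_workbook(sheets):
    """Write a minimal .xlsx (zip of OOXML parts, inline strings only) from
    {sheet name: [[cell, ...], ...]}. Constructed test data for this example; fewer than 26 columns assumed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        sheet_tags, rel_tags = [], []
        for i, (name, rows) in enumerate(sheets.items(), start=1):
            sheet_tags.append(f'<sheet name="{escape(name)}" sheetId="{i}" r:id="rId{i}"/>')
            rel_tags.append(f'<Relationship Id="rId{i}" Target="worksheets/sheet{i}.xml" '
                            f'Type="{R}/worksheet"/>')
            xml_rows = []
            for r, row in enumerate(rows, start=1):
                cells = "".join(
                    f'<c r="{chr(65 + c)}{r}" t="inlineStr"><is><t>{escape(str(val))}</t></is></c>'
                    for c, val in enumerate(row))
                xml_rows.append(f'<row r="{r}">{cells}</row>')
            z.writestr(f"xl/worksheets/sheet{i}.xml",
                       f'<worksheet xmlns="{M}"><sheetData>{"".join(xml_rows)}</sheetData></worksheet>')
        z.writestr("xl/workbook.xml",
                   f'<workbook xmlns="{M}" xmlns:r="{R}"><sheets>{"".join(sheet_tags)}</sheets></workbook>')
        z.writestr("xl/_rels/workbook.xml.rels",
                   f'<Relationships xmlns="{PR}">{"".join(rel_tags)}</Relationships>')
    return buf.getvalue()


# Constructed workbook mirroring the anecdote: a harmless summary tab first, per-customer PII on the next.
SAMPLE = build_workbook({
    "Summary": [["Region", "Customers"], ["East", 1200], ["West", 980]],
    "Detail": [["Name", "SSN"], ["A. Example", "123-45-6789"], ["B. Example", "219-09-9999"]],
})

if __name__ == "__main__":
    print("first tab only:", find_ssns(SAMPLE, only_first_sheet=True))   # {}
    print("all tabs:      ", find_ssns(SAMPLE))                           # {'Detail': [...]}
```

Run against a backup copy of a lost machine's documents, the all-sheets result is what turns "the consultant says it was aggregate data" into a confirmed record count that the breach-cost and notification decisions can be based on. The regex only finds the SSN shape; a real review would add the other identifiers the business handles and treat the hits as leads to verify, not as a final count.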
The report also recommended training and awareness programs to reduce the incidence of lost laptops and ensure that losses are reported in a timely manner.
“If a company discovers the loss in the same day, the average cost is $8,950. If it takes more than one week, the average cost rises significantly to approximately $115,849,” Ponemon wrote in the study.
Ponemon said that there are several ways that an IT organization might not learn of a loss for several days. In some cases, the employee will try to track down the laptop themselves. In others, the supervisor might not report the loss or might not listen to the voice mail in which the employee reports the loss. In one case, he said, the organization’s help desk failed to report a loss to their own IT department.
Training’s importance was highlighted by an embarrassing revelation from the British government last week, when a branch of its National Health Service reported having lost an encrypted USB drive.
The data, containing the personal health records of prisoners, is assumed compromised because the password had been written on a note attached to the USB drive — a clear violation of the agency’s data security procedures.