A study released Wednesday shows the cost of a data breach is becoming increasingly expensive for firms—not so much because of the technological steps needed to fix the problem—but because the increasingly savvy public bails on the victim of the breach and takes their business with them.
The study was conducted by privacy and information management research firm Ponemon Institute along with Vontu, the data loss prevention software developer recently acquired by Symantec, and PGP, makers of the Pretty Good Privacy security software.
The study found that data breach incidents cost companies $197 per compromised customer record in 2007, compared to $182 in 2006. For a financial services firm, the cost was even more expensive at $239 per lost record. Most of the cost, $128 out of the $197, is from lost business and having to acquire new customers.
This data, according to the study and some security experts, is starting to affect how companies operate.
“A few years ago, you wouldn’t have a marketing officer concerned with a data breach. That was an IT problem. Nowadays all the execs around a boardroom table are concerned about it,” John Dasher, director of product management for PGP told InternetNews.com. “If I’m a marketing officer, the last thing I want to do is spend marketing money doing brand damage repair because of a breach.”
The report, called “The 2007 Annual Study: Cost of a Data Breach,” comes from a detailed analysis of 35 data breach incidents involving fewer than 4,000 records to more than 125,000 records.
The TJX breach, initially believed to be a small deal, has grown enormously expensive for the retailer. TJX in August announced it would take a $118 million charge related to the costs and potential liability resulting from the theft of more than 45 million credit and debit accounts. “This is one of the first widely publicized examples of how a data breach can affect you, your shareholders, and your stock price,” said Dasher.
But Peter Firstbrook, security research analyst for Gartner, disputes this scale of impact. “How do they know how much revenue would have accrued before the breach? Our research shows that most consumers do not actually change business after a breach. Check out TJMax’s sales before and after their incident,” he said in an e-mail to InternetNews.com.
Firstbrook appears to make a valid point. TJX may have gotten a black eye but sales rose 8 percent in the third quarter of 2007 compared to the same quarter last year, and the company plans to add more than 1,000 new stores in the next few years.
The report also claims that the average total per-incident costs in 2007 were $6.3 million, a 31 percent increase from the 2006 average per-incident cost of $4.8 million. On the bright side, if there is such a thing, the cost of notification fell 40 percent because firms got better at notifying their customers when a breach occurred.
One of the biggest vulnerabilities is found when data is stored, disseminated and shared with third parties. Outsourcers, contractors, consultants and business partners accounted for 40 percent of breaches, up from 29 percent in 2006. External breaches also cost more, averaging $231 compared to $171 per record.
The Real Point Of Vulnerability?
While outsourcing and third parties are a weakness, the notion of the nefarious hacker sniffing traffic coming into Amazon and Overstock may be overblown. Instead, it’s brick-and-mortar retail outlets like TJX stores that are the weak link.
This past Sunday, the TV news magazine 60 Minutes showed how many retail outlets don’t secure the wireless networks of their stores. Sitting in a car with some computer experts with a laptop, correspondent Leslie Stahl showed how easy it was to pick up on wireless transmissions in the stores.
“It makes sense because companies like Amazon that are born and bred of technology have a good security model from the beginning,” said Dasher. “A lot of brick-and-mortar companies don’t have this. They have conflicting setups. Some of them are still using a DOS-based point-of-sale system.”
This disparity may prove retail’s real challenge compared to its online counterparts. Beyond the convenience and the chance to avoid paying sales tax, if an Amazon purchase is viewed as safer than an in-store purchase, it poses a real problem for traditional retail stores.
“Retail is going to have to spend more effort on this issue, but it may prove harder for them,” Dasher said. “[Retailers] are starting off with a poorer hand they have been dealt with, since many of them use a custom point-of-sale system, so they can’t bolt on a quick aftermarket security fix.”
For some financial services firms, security breaches can often be the unfortunate result of living in the past. Many firms come from a background of mainframes connected via leased lines, so they have a history of doing insecure transactions over secured networks. With the advent of the Internet, they now have to do secure transactions over a very insecure network. “So it’s not surprising they may have had a false sense of security over their position,” said Dasher.
Firstbook thinks more emphasis needs to be placed on the human element rather than focusing on the security products sold by the two companies that sponsored the report.
“Besides technology, minimizing the risk of data breaches will involve lots of manual processes like data identification and classification data clean up and changes to procedures—as well as a health dose of user education,” he said. “Some technologies can help but they are not solutions.”