Slashdot Mirror


The Average Cost of a Data Breach Is Now $4 Million (helpnetsecurity.com)

Reader Orome1 writes: The average data breach cost has grown to $4 million, representing a 29 percent increase since 2013, according to a report by Ponemon Institute. Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014. As these threats become more complex, the cost to companies continues to rise. In fact, companies lose $158 per compromised record. Breaches in highly regulated industries like healthcare were even more costly, reaching $355 per record -- a full $100 more than in 2013.

51 comments

  1. Could this be slightly overestimated? by dmomo · · Score: 2

    Because of this:

    "Work with IT or outside security experts to quickly identify the source of the breach and stop any more data leakage"

    I imagine this includes doing a security audit, and fixing any holes, which should be done regardless of a breach. Perhaps the breach even made it easier to find certain holes.

    1. Re:Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      You work for the government, don't you?

      I work for government IT. Your point?

    2. Re:Could this be slightly overestimated? by Anonymous Coward · · Score: 0

      Wow, I would not admit to that in a million years.

    3. Re:Could this be slightly overestimated? by Anonymous Coward · · Score: 0

      Clearly the cost of installing locks after someone walks into an unlocked building and takes everything should be placed squarely on the burglar's shoulders.

    4. Re:Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      Wow, I would not admit to that in a million years.

      Again, what's the point?

    5. Re:Could this be slightly overestimated? by myowntrueself · · Score: 1

      Wow, I would not admit to that in a million years.

      Again, what's the point?

      It's like admitting you work for an organized crime syndicate.

      --
      In the free world the media isn't government run; the government is media run.
    6. Re:Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      It's like admitting you work for an organized crime syndicate.

      Tell that to my coworkers who are ex-military. I don't think you would like the response.

    7. Re:Could this be slightly overestimated? by Anonymous Coward · · Score: 0

      And corporations are any better?

    8. Re: Could this be slightly overestimated? by Anonymous Coward · · Score: 0

      Just like hit men?

    9. Re:Could this be slightly overestimated? by myowntrueself · · Score: 1

      And corporations are any better?

      Governments are organized crime syndicates, corporations are psychopaths.

      Like the old carnie saying goes "You pays your money and you takes your choice."

      --
      In the free world the media isn't government run; the government is media run.
    10. Re:Could this be slightly overestimated? by myowntrueself · · Score: 1

      It's like admitting you work for an organized crime syndicate.

      Tell that to my coworkers who are ex-military. I don't think you would like the response.

      Yeah, I expect they are brutalized psychos who enjoyed their time as hit men but wouldn't like to acknowledge, even to themselves, that this is what they really were. They probably hate themselves and take that self-hate out on others. Close to the mark? You can tell by how violently they respond.

      --
      In the free world the media isn't government run; the government is media run.
    11. Re:Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      You can tell by how violently they respond.

      One of my coworkers told me how he killed three women in Vietnam, walked off a plane three days later in the US, and threatened a woman peace protester who wanted to throw a can of paint at him. The woman was too shocked to respond. He spent the next year in the service painting and rearranging rocks to readjust after the war. Nice guy. Still doing his IT job despite undergoing chemotherapy.

    12. Re: Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      Just like hit men?

      Ex-military are, by definition, professional killers. Only one of my coworkers ever mentioned killing people in Vietnam. Most do not volunteer what they did in the services, especially in combat situations.

    13. Re:Could this be slightly overestimated? by myowntrueself · · Score: 1

      You can tell by how violently they respond.

      One of my coworkers told me how he killed three women in Vietnam, walked off a plane three days later in the US, and threatened a woman peace protester who wanted to throw a can of paint at him. The woman was too shocked to respond. He spent the next year in the service painting and rearranging rocks to readjust after the war. Nice guy. Still doing his IT job despite undergoing chemotherapy.

      You are jeopardizing my well-being with your violent refusal to agree.

      --
      In the free world the media isn't government run; the government is media run.
    14. Re:Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      You are jeopardizing my well-being with your asshole refusal to agree.

      FTFY - Remember that I work in IT.

    15. Re:Could this be slightly overestimated? by myowntrueself · · Score: 1

      You are jeopardizing my well-being with your asshole refusal to agree.

      FTFY - Remember that I work in IT.

      oooh you work in IT? Wasn't that a 1990s movie about a shape-changing alien?

      --
      In the free world the media isn't government run; the government is media run.
    16. Re:Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      oooh you work in IT? Wasn't that a 1990s movie about a shape-changing alien?

      I do work in IT. I'm also the guy who replaced your computer with a box of crayons. ;)

    17. Re:Could this be slightly overestimated? by myowntrueself · · Score: 1

      oooh you work in IT? Wasn't that a 1990s movie about a shape-changing alien?

      I do work in IT. I'm also the guy who replaced your computer with a box of crayons. ;)

      Yeah, I think you must have just pranked the wrong guy...

      --
      In the free world the media isn't government run; the government is media run.
    18. Re:Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      Yeah, I think you must have just pranked the wrong guy.

      If I give you a box of crayons, I'm not pranking you.

    19. Re:Could this be slightly overestimated? by myowntrueself · · Score: 1

      Yeah, I think you must have just pranked the wrong guy.

      If I give you a box of crayons, I'm not pranking you.

      Still not seeing crayons. Oh wait, do you mean this box of chalk?

      --
      In the free world the media isn't government run; the government is media run.
    20. Re:Could this be slightly overestimated? by __aaclcg7560 · · Score: 1

      Still not seeing crayons. Oh wait, do you mean this box of chalk?

      I wouldn't punish my users with chalk. Crayons taste better.

  2. Way too high by Anonymous Coward · · Score: 0

    Most data breaches come from very small companies, and they are small, so it's extremely unlikely that the average cost would be that high even with high-profile breaches costing $100m.

    1. Re:Way too high by Opportunist · · Score: 1

      Where does your data come from? In my experience, most data incidents happen with larger companies that have extensive data collections.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Way too high by Anonymous Coward · · Score: 0

      Think about all of the small websites that run Drupal, WordPress and similar software. When there is a new vulnerability in such software, it will be exploited all around. The amount of data that is breached is small, generally their user database, and that tends to only contain some admin credentials, but it happens to hundreds or thousands of small sites.

      And also think of the trojans that people end up installing (or end up getting because of some Flash/Java exploit). Those usually affect one or at most a couple of users and their passwords.

      Those are not really things that get reported, but they happen a lot more frequently than the large breaches that are in the headlines for days.

  3. Inflation by Frosty+Piss · · Score: 1

    The "cost" of a breach is certainly high, but a lot of the time, these numbers are inflated. For example, do you calculate in the time of your own IT staff that you would be paying anyway? Yesterday, because of an auto accident that slowed down my commute home, I lost almost $14,000. You see, I value my personal time at $7,000 an hour.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Inflation by fustakrakich · · Score: 1

      I value my personal time at $7,000 an hour.

      Oh well, small claims court can't help you collect then.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Inflation by __aaclcg7560 · · Score: 1

      Yesterday, because of an auto accident that slowed down my commute home, I lost almost $14,000.

      My time is too valuable to waste driving on the freeway. I pay an extra $70 per month to take the express bus. Not only does it save me several hours of my time each day to have someone else drive, I get to read The Wall Street Journal in the morning and an ebook in the afternoon.

    3. Re:Inflation by Anonymous Coward · · Score: 0

      I get to read The Wall Street Journal in the morning

      Well la-de-da.

    4. Re:Inflation by __aaclcg7560 · · Score: 1

      Well la-de-da.

      A subscription to The Wall Street Journal separates the millionaires from the non-millionaires.

    5. Re:Inflation by DarkOx · · Score: 2

      do you calculate in the time of your own IT staff that you would be paying anyway

      and the answer should be 'yes'.

      Presumably your IT staff would be doing something else to facilitate the operation of the business that justifies the ongoing expense of having them on board; otherwise you would not be paying them anyway. So if they are taken away from those activities to respond to the breach, either you are incurring losses at least equal to the cost of those employees elsewhere, where they can no longer add value, or you have to incur probably greater costs hiring contractors to replace their other effort short term.

      Either way, it's correct to count the staff time spent responding to the breach as a cost of the breach. The only way it would not be correct to do so is if you knew or believed that staff was otherwise dead weight already.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:Inflation by cbiltcliffe · · Score: 1

      You're paying the IT staff to clean up after a data breach, rather than doing something productive that they normally do. For that reason, including the labour costs of your own IT dept is the correct thing to do in calculating the costs of a breach.

      Think about it this way: You run a company that makes windows. You pay a couple of dozen guys to cut glass, cut frames, assemble the parts, etc. One morning, you come into your office and realize that overnight some hooligans have smashed all the windows in your admin building and factory. Since you already have glass onsite, and a bunch of people who make windows, by your logic, it would cost nothing at all for you to fix them, because you're just paying your regular employees to do it.
      Meanwhile, your orders get delayed, because your employees are making replacement windows for your own business, rather than filling customer orders; customers get annoyed by late deliveries, cancel and go to the competition, and you've got a week or two of no income while your employees fix your building.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    7. Re:Inflation by Frosty+Piss · · Score: 1

      You're paying the IT staff to clean up after a data breach, rather than doing something productive that they normally do.

      Like maintaining the company WoW server or surfing Slashdot?

      --
      If you want news from today, you have to come back tomorrow.
    8. Re:Inflation by fluffernutter · · Score: 1

      I subscribed to the Wall Street Journal once. It didn't work.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    9. Re:Inflation by __aaclcg7560 · · Score: 1

      I subscribed to the Wall Street Journal once. It didn't work.

      A subscription won't turn you into an instant millionaire. It's what you do with the information and how you invest your money that will make you a millionaire in time. Take Ronald Read, who died with an $8M fortune that no one knew about because he lived a modest lifestyle.

      http://www.businessinsider.com/ronald-read-secret-millionaire-2015-2

  4. Ponemon Institute? by Anonymous Coward · · Score: 0

    Gotta breach 'em all!

    1. Re:Ponemon Institute? by Chmarr · · Score: 1

      This. This needs a higher score. Where are my moderation points when I need them?

    2. Re:Ponemon Institute? by wardrich86 · · Score: 1

      Appreciate the thought, but I posted as AC, so it wouldn't let you mod it anyway. Thanks though.

  5. Should be higher by campuscodi · · Score: 2

    Should be higher. That way companies would fix their s***!

    1. Re:Should be higher by Sax+Russell+5449D29A · · Score: 1

      IT security budget is the first in line when execs start doing budget cuts. Pre-emptive security measures just don't seem to be on their agenda these days (and it never really was). It's hard to justify to investors why the company is spending money on 'non-productive' work. I've found countless serious security issues in IT systems over the years and the only place where they really cared about them was when I worked in government IT, believe it or not.

      --
      -SR
    2. Re:Should be higher by Anonymous Coward · · Score: 0

      Medical is extremely serious about data security. It can cost a company a massive fortune in fines, and lose them a huge number of clients.

      Government systems are safer; they're antiquated, running on near-obsolescent gear not connected to the Internet. Nothing wrong with that. It's the "must replace legacy systems with something running Windows" mentality that causes the problems. If it works, leave it alone.

  6. Verticalscope... by Anonymous Coward · · Score: 0

    "In fact, the study found that companies lose $158 per compromised record."

    So this may cost Verticalscope something on the order of $6.5B... Good.
    To help pay the bills, I'm quite willing to take one particular forum off of their hands. They've only owned it since December 2014, and the following massive onslaught of generic advertising there is driving me bonkers.
    (The "Targeted" Advertising there previously has entirely disappeared. I didn't like that much either, but at least it was related to the forum.)

  7. Translation by Anonymous Coward · · Score: 0

    the average hacker only gets away with about 15 MP3s

  8. Can't They Fix This? by TechyImmigrant · · Score: 1

    > representing a 29 percent increase since 2013, according to a report by Pokemon Institute.

    In the past they would have sent out Pikachu and a Squirtle to destroy the hackers. These days they sit around in an institute writing studies. Sad.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Can't They Fix This? by cerberusss · · Score: 1

      > representing a 29 percent increase since 2013, according to a report by Pokemon Institute (...) to destroy the hackers

      Catch. Gotta catch them all. Not destroy them!

      --
      8 of 13 people found this answer helpful. Did you?
    2. Re:Can't They Fix This? by TechyImmigrant · · Score: 1

      > representing a 29 percent increase since 2013, according to a report by Pokemon Institute (...) to destroy the hackers

      Catch. Gotta catch them all. Not destroy them!

      Times change.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  9. There's a cost to warehousing data. by wierd_w · · Score: 1

    The more data you warehouse, and the more valuable that data is, the more interested in breaching your security the hackers of the world are.

    But of course, these businesses will never consider this risk as an itemized business cost, and will just greedily sequester more and more data, while continuing to pay lipservice to network security.

    And then, when the hackers clean them out, they pout about needing more onerous antihacking laws.

    Better idea: Don't mass warehouse data, or, if you decide to do so, keep that data isolated from your internet facing network, and pay for proper security featuring penetration testing and security auditing.

    1. Re:There's a cost to warehousing data. by DarkOx · · Score: 1

      The more data you warehouse, and the more valuable that data is, the more interested in breaching your security the hackers of the world are.

      Yes, to some degree. I do think data obeys the laws of entropy in that it flows from high concentration to lower concentration; the more data you have, the greater the effort required to store it and control access to it.

      Better idea: Don't mass warehouse data, or, if you decide to do so, keep that data isolated from your internet facing network, and pay for proper security featuring penetration testing and security auditing.

      The latter part but not the first part. The data is only useful if the right people can access it. Availability is part of the security triad. If your analysts have to take a bus to a special building on your campus and provide a blood sample to look at the database, they won't. You won't get the value out of it. There is a compromise here; the answer is to use proper protection and make the correct investment in security. Have two-factor (real two-factor) access controls on your network, use technology like 802.1x, IDS all the things, have a good SIEM solution in place and people on staff who know how to tune it and are actively monitoring it 24x7! Do a pentest, do red-team pentests where there are no rules: the pentest team can make phone calls, social engineer, phish, etc. Have a solid awareness program with real consequences for employees who don't participate and fail when audited.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  10. make international borders NOW by FudRucker · · Score: 1

    Make each nation an isolated internet, and if a foreign country wants to make their content available to another country, they can pay for the service in that other country to host the content. That will stop those hacks from foreign countries dead in their tracks, and cyber-security can focus on domestic cyber crime.

    --
    Politics is Treachery, Religion is Brainwashing
  11. A secure computer is a non-networked one. by Brannon · · Score: 1

    Modern computer security is the equivalent of implementing bank security by distributing all the money from the vault into the cash registers of every store in a mall, and then hiring an army of mall cops to patrol all the cash registers.

    IT professionals are the "mall cops" in this scenario, and unsurprisingly they keep telling us that we need to hire more mall cops and buy them all really nice Segways.

  12. in American dollars... by Anonymous Coward · · Score: 0

    How much is the current American debt? Something like 20 trillion dollars? How much was their dollar worth 100 years ago compared to now?