What CEOs Can Learn From Target BreachPonemon on Getting Executives Involved in Breach Resolution
CEOs should become more involved in breach preparedness and response because of the financial consequences a breach could have on the enterprise, says Ponemon Institute Chairman Larry Ponemon.
The institute recently issued its 2014 Cost of Data Breach Study, conducted for IBM, which shows that the cost of breaches, in most countries, is on the rise, a matter that should be of concern to top management, Ponemon says in an interview with Information Security Media Group (transcript below).
Ponemon laments that CEOs generally don't get involved with breaches unless it's a massive, one like the attack on Target's point-of-sale system.
"Data breaches of 10,000 to 100,000 records are really significant events for the people who are, unfortunately, victims, but a lot of CEOs would say, 'Ah, that's small change,' relative to other things they have to worry about," Ponemon says. "And that's a mistake. Obviously, you want CEOs to be involved, at least to some extent, on dealing with the external consequences of the data breach."
In the interview, Ponemon explains:
- Why healthcare tops the list of industries with the highest per-capita breach cost.
- How the lack of a national breach notification law in the United States drives up costs for American enterprises (see Why U.S. Breach Notice Bill Won't Pass).
- Why organizations that provide early data breach notification to customers and stakeholders experience higher costs.
Ponemon in 2002 founded the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. He also is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute.
ERIC CHABROW: Any new surprises found from this year's breach survey?
LARRY PONEMON: Really nothing that jumps out at you. It just shows that the cost of a data breach is still pretty significant. If you read between the lines, the cost has steadily increased. It's not an easy issue; we heard that the CEO of Target stepped down because of the data breach. There are real serious consequences to companies that are dealing with data loss or data theft.
CHABROW: Why do you suspect costs are going up?
PONEMON: Fundamentally, a data breach is a bad thing. Obviously when you lose data and it gets into the hands of a cybercriminal, it could be devastating, but there is also reputational impact. We measure that by the churn or turnover of customers that result from the notification of a data breach. This churn, which may be a small percentage when you look at the loss of a lifetime value of an individual a customer, could be an enormous loss. Even small percentages of churn are abnormal churn translated into big costs. I think people and organizations don't realize it's a trust factor.
When someone, an organization you do business with like your bank or healthcare provider, loses your data, or, even worse than that, [makes you] a victim of a cybercrime, you realize they didn't have the right security protocols in place. That is a meltdown. It is a trust relationship that basically goes sour pretty quickly, and we notice that [in] entrusted industries like financial services, churn rate tends to be a lot higher than in retail organizations.
CHABROW: What does the Target CEO leaving say about the responsibilities of CEOs and boards when it comes to data breaches?
PONEMON: That is something we probably need to study. I think a lot of CEOs still believe that a security breach is something that is [a] technical glitch or problem that middle management can handle. Now when you look at things like a product recall, like General Motors had on a safety issue, that became a CEO level issue. Then you see CEOs directly involved and maybe testifying before Congress. You don't necessarily see that in data breaches unless it's a mega data breach like the Target case, data breaches of 10,000 or 100,000 records are really significant events for the people who are unfortunately victims. But a lot of CEOs would say, "Oh, its small change," relative to other things that they have to worry about it, and that is a mistake. Obviously you want CEOs to be involved to some extent [in] dealing with the external consequences of the data breach.
CHABROW: Could the per-capita cost by industry classification add up for big organizations such as Target?
PONEMON: Oh yeah, sure. I want to warn people about our methodology, and sometimes this happens, where we'll be talking about our research in a per-capita number and someone takes that number and multiplies it by 10 or 50 million people who are data breach victims. Our model is specified for data breaches between about 5,000 to 100,000, and we do that deliberately. These mega-data breaches are rare events. They don't seem to be a rare event, but they are, [and would] basically require a different model. In fact, we've done that in some of the more notorious data breaches, like Sony and Wal-Mart. When you look at $100 per-compromised record and you can still multiply that by 50,000, 60,000 people, it's a big number. It's no longer chump change, and that's why we want to see C-level involvement in dealing with the consequences of a data breach.
CHABROW: But still it's a significant breach?
PONEMON: Right, the reason for [not multiplying] of course is you're spreading the fixed cost component over a much larger denominator, and as a result of that, the per-capita cost does go down pretty substantially. Still, when you add it all up it's a big number and there are a lot of companies in that range of 10,000 to 100,000. It's not an uncommon or rare event in that scale. That is why we look at it. We look at the more normal occurrence of a data breach.
CHABROW: When you define per-capita you mean what?
PONEMON: Per capita is per-compromised record and it's associated with an individual. So say you're an individual and you have an account with Chase, hypothetically. I don't want to pick on Chase, but you might have five accounts, savings, 401(k). We basically look at a per-compromised record, which could have all of these subsidiary accounts.
Healthcare Breach Costs
CHABROW: Why is healthcare higher than others per-capita?
PONEMON: We actually do quite a bit of research in the healthcare industry, and what we [found] is that the medical record is the crown jewel of information for identity thieves and medical identity thieves. I think one of the issues goes back to that trust story. If you're local retailer, Wal-Mart, K-Mart, they have a data breach [and] it's a big deal for many people. But if it's your healthcare provider, your beloved doctor or the clinic that you visit for treatment, and they lose your record, it is a very big deal. That results in a much larger trust meltdown, and we actually see that. We spend quite a bit of time trying to understand how patients of doctors and/or hospitals respond to data loss, and it's pretty significant.
Strong Security Postures
CHABROW: Define what you mean by a strong security posture and why does that reduce the cost of breaches?
PONEMON: The security posture variable is something that we spend a lot of time thinking and worrying about. We actually spend quite a bit of time measuring security posture using a technique or methodology that we developed with PTP Corp. back in 2005, and we call it the Security Effectiveness Score. It's an index that basically looks at what an organization does to achieve a reasonably strong security posture. There are a total of 83 items that we look at, and based on that response we are able to say that the index is X and that index could be a positive or a negative infected. You basically operate somewhere between [positive two and negative two] with a theoretical mean of about zero. What we find is, in general, organizations that have a higher security effectiveness score, which we are using as a surrogate of the security posture, tend to do a lot of things better. It doesn't mean that they're able to withstand a data breach, because if they were perfect, they wouldn't have any data breaches at all. The reality is that those organizations that have the stronger security posture seem to do a better job remediating from the data breach and taking the appropriate steps to be prepared for data loss or theft. That's why we find that the costs are pretty significant between those organizations that have a strong security posture using our index and those that do not.
Lost or Stolen Devices
CHABROW: When you're talking about lost or stolen devices, this means the stolen laptop is more of a threat in the sense of a cost of a breach than any other kind of breach?
PONEMON: We find that in general when the device is lost or stolen, ... it creates a much, much more challenging environment for the forensic experts and people who are trying to understand the root cause of the data loss or breach. Is it, in fact, something that falls under the category of just negligence, or is there any kind of criminal involvement, and did this information ultimately end up in the hands of a bad guy? So you can predict that a lot of your victims are going to become identity theft victims, not just the victim of the data breach itself. That's why I think we see organizations that just don't have the wherewithal to do security very well if they don't have the CISO; having a leader who is in charge of the process I think is very important.
It was interesting this year, too, as we looked at that business continuity management issue, and we noticed from a couple of other studies that we've done there seems to be this trend of bringing together BCM, otherwise called the disaster recovery team, and placing that organization within the security domain. It makes sense because these are people who are about fighting all sorts of disasters from floods, to hurricanes and tornadoes, as well as man-made disasters including cyber-related incidents that might bring down a data center. These people are trained in fire drills and preparedness. That level of rigor needs to be on the security side, and the security team's readiness to cyber-attack or a big data breach, and so I think that is why there are savings there.
The consulting variable is kind of an interesting one. In some of the countries, bringing in a consultant is actually a cost-savings measure, but in other countries it's not. You actually have a net loss and consultants can be expensive, but I suppose if consultants are doing a good job they are paying for themselves. They are helping the organization from having to pay the largest possible amount on these different data breach cost categories.
CHABROW: Is it the type of a consultant that you have that adds cost?
PONEMON: Right, some consultants are better than others obviously.
CHABROW: What do you mean by quick notification?
PONEMON: This sometimes ticks off some of the regulators that we know and love. They will look at our study and say, "Wait a second. When you say quick notification, isn't that the obligation of the company? Isn't that a sign of trustworthiness because they've reported quickly?" What we find is that there is a high correlation between reporting early and an incompetent job in producing the necessary stats. A lot of organizations might just want to report it, get it over with. It may be 3 million or it may be 300,000. Let's just say it's 3 million and move forward. By doing that, you get a lot of people, in this case millions, who have received the notification that they've been a victim of a data breach incident and they didn't need to get it. They [are] worried for nothing or canceled their credit cards or did something extreme as a result of being notified, when they really should not have been notified. A lot of organizations need to be a balancing act. You need to be as smart as you can, learn as much as you can, be as surgical as you can in determining who is affected, how the incident occurred, whether there is potential harm, [do] all of the good stuff as quickly as possible. You know not to linger, because the other extreme, reporting slowly, probably does result in a trust meltdown. It's a balance. What we find is that organizations [who] are pushing to report this early, sometimes make big mistakes, and ultimately that leads to even a larger trust meltdown among data breach victims.
National Breach Notification Law
CHABROW: Why does the U.S. having no national data breach notification law result in higher costs?
PONEMON: One of the reasons why the notification cost is so high in the U.S., relative to other countries, is that we've had this notification requirement. It is at the state level, which creates a lot of confusion, a lot of mistakes are made. It could be very costly for an organization just trying to understand [what] needs to be reported and to which organizations, who are the functional regulators that also need to be notified, and what's the timeline. Because if you miss the timeline, you could get into big trouble. In general, I think that explains why the cost is so high, and it is kind of weird. We've been talking about having [a federal breach notification] as law that makes it standardized. What constitutes a reasonable response, what are the procedures, and all of that good stuff. But it hasn't happened and it really should at this stage.
Material Data Breach
CHABROW: Your report states that the probability of a material data breach involving a minimum of 10,000 records is more than 22 percent. How should that finding be interpreted?
PONEMON: We have the amount of the data breach. Now the question is, what's the likelihood that something like this is going to happen again for that organization over the next 24 months? It may seem like a small percentage, but when you look at the potential cost consequences, we came up with a total average cost of $6 million, that is a pretty hefty cost and the likelihood is certainly not zero. I can move up to the larger data breach [and] the lower the probability of occurrence, but basically at 10,000 records, we are predicting about a 20 percent chance over 24 months that it's going to happen again.
A CEO's Take
CHABROW: How should a CISO or CEO take that finding and what should they do about it?
PONEMON: There are really two controllable measures. It's the cost. When this bad thing happens, be prepared. Make sure you have the processes in place to deal with it effectively, that is part one. Number two is, get that probability of occurrence lower. Do things like use encryption, DLP technologies, just build a better governance process to make sure that the probability of occurrence is not 20 percent, but is a lot less than that. You'll never get it to zero, but can probably do quite a bit to get that probability of occurrence down.