For many companies that understand the risk of a breach of confidential information, the ability to quantify that risk can be elusive. Justifying the cost of implementing controls is difficult if the C-suite can’t be convinced there is a problem, and the “C’s” are unlikely to be swayed by arguments that don’t come with some dollars attached. The “risk” seems too nebulous, and is easily dismissed as something that could happen but is more likely to happen to the other guy. As soon as dollars come into the picture, however, they have a magical way of focusing attention where it belongs – on the bottom line.
In a recent Ponemon Institute study, 79 percent of C-level US and UK executives surveyed said executive-level involvement is necessary to achieve an effective incident response to a data breach, and 70 percent believe board-level oversight is critical.
Chances are you have some kind of perimeter control, and it’s not enough.
You have IT folks to handle security, right? Well, most IT departments think in terms of putting big, strong walls around data and making it very hard for anything that isn't supposed to get in or out to do so.
What often isn’t controlled is the confidential or private data inside the documents (content) that are shared via email, synced to cloud sharing applications and mobile devices, and sent along all manner of other pathways. This data is extremely promiscuous in that, well, it “gets around”. There are apps that can read and map local network configurations, create porous membranes, allow access to devices where data can be read, or open “vulnerability pathways” into what you might think are locked-down networks.
That’s not even getting started with permissions-based loss. Documents, data and content can be (and often are) leaked by people who have the passwords and the correct access, and who share documents by mistake, in ignorance of the governance policy controlling that document, or maliciously. These common and pernicious "insider" risks are easily overlooked when calculating costs and risks.
So, what is the risk in $?
The 2015 Cost of Data Breach Study: Global Analysis reported that the average cost for each lost or stolen record was $154, and the average cost of an incident was $3.79 million. Can your company absorb $3.79 million in losses? Plus, this figure may not even include legal costs.
Cost Breakdown – calculate how much a small, medium or large incident would cost your company.
A quick “guesstimate”:
- Loss of customers and/or revenue (assume a 10% loss for small, 20% for medium, 30 – 50% for large)
- Loss of intellectual property, digital assets, or trade secrets (assume a 0.5% loss of market share for small, 1% for medium, and 2% for large)
- Investigative (forensic) services fees (assume $10K for small, $20 – 50K for medium, $100K+ for large)
- Legal costs (suits, counter-suits, class actions) (assume $0 for small, $30K for medium, $100K+ for large)
- Infrastructure repair and upgrades (base this on your own internal costs for small, medium and large)
- PR communications services – damage control (assume $10K for small, $30K for medium, $100K for large)
- Marketing – rebuilding brand reputation, trust, and sales pipeline (assume $10K for small, $30K for medium, $100K+ for large)
(Adjust these figures based on your own revenues and estimates. The above is only a rough guideline meant to stimulate your thinking and isn’t meant to be 100% accurate.)
Exercise: Estimate your potential costs in each of these areas
Assume a small, medium, or large incident involving your most valuable or sensitive documents. What would even a 10% loss of revenue mean? How much risk is your organization willing to assume in light of the potential top-to-bottom-line cost estimates? Use our Data Breach Calculator to help you estimate these costs.
Do you know your risk? Find out how your company scores on our 1 Minute Risk Grader.