SecureWorks - On the Radar Newsletter - October 2007
CSO Article
In its September 2007 issue, CSO Magazine published a detailed glimpse into the way today’s hackers operate. Following investigations conducted by SecureWorks Researcher Don Jackson and others, the report describes the evolution of cybercrime into a global service economy supporting identity theft.
View the Full CSO/CIO Magazine Article
Forrester Wave
After evaluating SecureWorks’ current offerings and strategy for managed security services against 56 criteria, Forrester Research named SecureWorks a “Strong Performer” and the “MSSP with the largest market share of customers in North America.” Forrester also described SecureWorks as “possessing a strong client base and a comprehensive and versatile MSS offering.” SecureWorks is one of ten MSS providers reviewed in Forrester’s first Managed Security Services Wave report.
Read more about Forrester’s MSS Wave
Security 101: Cost of a Breach
Introduction
Quantifying the cost of a security breach has been the subject of much debate as information security continues to mature as a business process. Security spending is justified by the reduction of risk, and you can’t determine the risk a security breach poses without first assessing the potential costs to your business. Several high profile data breaches have also brought the issue to the forefront, as post-breach analyses have provided clarity as to the hard and soft costs involved in a data breach.
That being said, assessing the cost of a breach has historically been difficult, with assumptions and results varying widely. But the work summarized here can provide guidance and background for an organization developing a method that supports its own financial and other needs.
Cost Per Record
An analysis by the Ponemon Institute assessed the cost of a breach per record so that it can be easily applied across organizations. Ponemon’s survey results concluded that a security breach usually costs between $90 and $305 per record. The gap is a result of the many hard and soft costs that can vary from incident to incident. This means that if ten records are compromised, it can cost between $900 and $3,050; 1000 records can cost between $90,000 and $305,000.
The Ponemon method has the benefit of simplicity as well as a direct correlation to lost data, typically the crux of a breach. But it is also simplistic, treating many different kinds of data as equal. It also is likely to overstate a larger breach and understate a smaller breach due to the “fixed costs” of a breach. The following methodology is more complex, but addresses some of these issues.
Breakdown of Individual Breach Costs
In order to account for the different variable costs that can be incurred during a data breach, a survey conducted by Forrester Research provided averages in five major cost categories:
- Discovery, Response and Notification on average run about $50 per record. This cost includes “outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers.”
- Lost employee productivity on average costs about $30 per record. Dealing with the bad press and legal responsibilities is the major distraction for employees after a breach.
- Additional regulatory fines. This cost can vary greatly from $0.00 to $10 million, as ChoicePoint found out when paying civil penalties to settle the Federal Trade Commission case. Also, Visa increased the fine for mismanaging sensitive customer data from $3.4 million in 2005 to $4.6 million in 2006.
- Opportunity costs average about $98 per record, but they vary significantly from industry to industry. Forrester estimates “10% - 20% of potential customers will be scared away by a security breach in a given year,” and Ponemon’s survey indicated that 74% of its respondents lost current customers due to the breach.
- Indirect costs (for high profile breaches) often include:
- Restitution costs - ChoicePoint was the first security breach victim required to pay restitution, agreeing to establish a $5 million consumer restitution fund.
- Additional security and audit requirements - For example, “DSW’s settlement with the FTC in its 2005 data breach of more than 1.4 million records requires DSW to establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. It also requires DSW to obtain, every two years for 20 years, an audit from a qualified, independent, third-party professional to assure that its security program meets the standards of the order,” per Forrester Research.
- Other liabilities - Replacing credit cards is a substantial ‘other cost.’ For example, Sovereign Bank was hit twice by the BJ’s Wholesale Club breach, as the first set of 81,000 replacement cards malfunctioned.
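To make the two methodologies concrete, the following is an added example (not from the newsletter, and not a tool of Ponemon or Forrester) that estimates breach cost under the flat per-record model from the Cost Per Record section and under the category breakdown above. The per-record rates are the figures quoted in the text; the fixed-cost inputs (fines, restitution, audit obligations, card replacement) are caller-supplied assumptions, and the sample values at the bottom are constructed for illustration. The `effective_per_record` function shows the amortisation effect mentioned earlier: once fixed costs are included, the blended cost per record falls as the breach grows, which is why a flat per-record figure tends to understate a small breach. Function names and the `FixedCosts` structure are this example's own.

```python
"""Breach cost estimator built on the two methodologies described above.

Added example, not part of the newsletter. Per-record figures are those quoted
in the text (Ponemon: $90-$305 per record; Forrester: $50 discovery/response/
notification, $30 lost productivity, $98 opportunity cost). Fixed-cost inputs
are assumptions supplied by the caller.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ponemon per-record range quoted in the article.
PONEMON_PER_RECORD_LOW = 90.0
PONEMON_PER_RECORD_HIGH = 305.0

# Forrester per-record averages quoted in the article, by cost category.
FORRESTER_PER_RECORD = {
    "discovery_response_notification": 50.0,
    "lost_productivity": 30.0,
    "opportunity_cost": 98.0,
}


@dataclass
class FixedCosts:
    """Costs that do not scale with record count (all values are assumptions)."""
    regulatory_fines: float = 0.0     # article range: $0 to $10 million
    restitution: float = 0.0          # e.g. a consumer restitution fund
    audit_program: float = 0.0        # e.g. a multi-year third-party audit obligation
    other_liabilities: float = 0.0    # e.g. payment card replacement

    def total(self) -> float:
        return (self.regulatory_fines + self.restitution
                + self.audit_program + self.other_liabilities)


def ponemon_estimate(records: int) -> tuple[float, float]:
    """Low/high cost range under the flat per-record model."""
    if records < 0:
        raise ValueError("record count cannot be negative")
    return (records * PONEMON_PER_RECORD_LOW, records * PONEMON_PER_RECORD_HIGH)


def forrester_estimate(records: int, fixed: FixedCosts) -> dict:
    """Category breakdown: per-record variable costs plus caller-supplied fixed costs."""
    if records < 0:
        raise ValueError("record count cannot be negative")
    variable = {name: rate * records for name, rate in FORRESTER_PER_RECORD.items()}
    variable_total = sum(variable.values())
    fixed_total = fixed.total()
    return {
        "records": records,
        "variable": variable,
        "variable_total": variable_total,
        "fixed_total": fixed_total,
        "total": variable_total + fixed_total,
    }


def effective_per_record(records: int, fixed: FixedCosts) -> float:
    """Blended cost per record once fixed costs are spread over the breach size.

    The same fixed costs are amortised over more records in a larger breach,
    so the blended figure falls as the record count grows.
    """
    if records <= 0:
        raise ValueError("need at least one record to compute a per-record figure")
    return forrester_estimate(records, fixed)["total"] / records


def compare_models(records: int, fixed: FixedCosts) -> dict:
    """Side-by-side view of both models for a given breach size."""
    low, high = ponemon_estimate(records)
    category = forrester_estimate(records, fixed)
    return {
        "ponemon_low": low,
        "ponemon_high": high,
        "category_total": category["total"],
        "effective_per_record": effective_per_record(records, fixed),
        "within_ponemon_range": low <= category["total"] <= high,
    }


if __name__ == "__main__":
    # Constructed sample: a $250,000 fine plus a $150,000 multi-year audit obligation.
    sample_fixed = FixedCosts(regulatory_fines=250_000.0, audit_program=150_000.0)
    for n in (10, 1_000, 100_000):
        r = compare_models(n, sample_fixed)
        print(f"{n:>7} records: Ponemon ${r['ponemon_low']:,.0f}-${r['ponemon_high']:,.0f}, "
              f"category model ${r['category_total']:,.0f} "
              f"(${r['effective_per_record']:,.2f}/record)")
```

Run as-is to see the three sample breach sizes side by side; replace `sample_fixed` with figures appropriate to your own industry and regulatory exposure, since those are the inputs the article notes vary most from one incident to another.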
Conclusion
Security breaches cost businesses millions of dollars every year through obvious costs such as fines and lawsuits, and other costs such as lost productivity, brand damage and customer attrition. In extreme cases, the accumulated costs can put an organization out of business. For example, the infamous CardSystems Solutions breach involving the exposure of 40 million credit card account numbers ended with the company shutting down and closing its doors.
Ultimately, each organization will need to determine the cost of a breach for itself. Understanding its industry and the impact of a breach on customers, partners, employees and others is something only the company can do. But the methodologies presented above can help in making broad assessments of risk and in valuing new security expenditures.
All third-party brands and trademarks referenced in the text above belong to their respective owners. SecureWorks’ On the Radar Newsletter is not authorized by, associated with or sponsored by the respective trademark owners.
