Well, the latest Ponemon report came out that reviews the costs of a data breach in the US in 2017. You’re right…this report came out in June and we’ve just been sitting on this hot data. My excuse is plain and simple procrastination; I didn’t want to write it. The topic seemed boring and limited. The cost is the cost, so what? Just give out the high number to scare everybody, link to the report and call it a day ¾ worth no more than a tweet or two at best, am I right?

Having made some initial notes and highlights in the report, some scribblings of ideas and insights into the margins here and there almost a month (or more?) ago, I let it sit on the corner of my desk and gladly let other projects take precedence. Determined one Sunday to tackle outstanding work projects that would help clear my week, I actually picked the report up again.

After an hour of re-reading my notes and making a few more, I paused a moment to look out the window on to my front yard and noticed that giant, menacing pile of bark mulch that never made it all the way to the flower garden in the spring (or summer, or fall). It seemed as though it was staring at me, taunting almost, saying, “yep, it’s December and I’ll be frozen soon and the snow plow guy is going to hit me dead on, sending him straight through the windshield.”

Image Source. 

If nothing else but to save my trusted snowplow man from a horrible death, I once again abandoned the titillating Ponemon report relaying the costs of a data breach in the US in 2017, and spent the rest of the afternoon transporting the nasty bark mulch pile to much smaller, harmless piles nearer the garden, and out of plow’s way. Through personal resolve, a steady sense of responsibility and the nagging guilt of stalling on a promised project now over a month late, my procrastination abated, and so here’s my summary on the costs of a data breach in the US in 2017.

It’s VERY expensive!

This year’s Ponemon report shows that companies with data breaches involving less than 10,000 records, spent an average of $4.5 million to resolve and those companies with the loss or theft of more than 50,000 records spent $10.3 million.

Total Cost by size of the data breach, taken from the Ponemon Institute 2017 Cost of Data Breach Study

That averages out to $7.35 million of total cost of a data breach, which is a 5% increase over last year.  Breaking it down further, $225 is the average cost per lost or stolen record and is a 2% increase in cost from last year. The number of breached records per incident this year ranged from 5,563 to 99,500 records. The average number of breached records was 28,512

Here are the various components taken in to account to total these costs.

1. Loss of customers or CHURN rate
2. The number of records lost or stolen (size of breach)
3. Detection and escalation of the incident
4. Time to resolution (time to identify and contain breach)
5. Post-breach costs, including victim notification

It’s also interesting (and obvious?) to note that an attack by a “malicious insider” or hacker criminal is costlier than system glitches and simple negligence (also called the human factor). One other salient point to highlight is that the more churning away of once loyal or potential customers, the higher the cost of the data breach, because it costs twice as much to replace the value of a single lost or potential customer.

Companies that experience less than 1% churn, or a loss of existing and potential customers, had an average total organizational cost of a breach of $5.3 million and those experiencing churn greater than 4% had an average total cost of $10.1 million.

Average total cost by abnormal churn rate, taken from the Ponemon Institute 2017 Cost of Data Breach Study

So, what should the average company do to shore up or minimize this kind of loss in a cyber-attack, if (when) it happens?  Well, the folks at Ponemon have figured that out too, but we could have told you. The next graph below maps out what steps help you save and what neglected steps cost you more.

Impact of 20 factors on the per capita cost of data breach, taken from the Ponemon Institute 2017 Cost of Data Breach Study

The top 3 precautions you should take or steps to put in place to lower attack costs include:

1. Implementing an Incident Response Team - a designated team of members each tasked with a specific responsibility once a breach occurs, including a pre-emptive warning system;
2. Extensive Use of Encryption - by employing encryption policies throughout the enterprise (email, servers, websites, software code, mobile and other devices) you are essentially locking down an inexpensive insurance policy against most kinds of attacks;
3. Employee Training - it is far cheaper to train employees to be diligent towards email, spear or other phishing attacks then it is to bring in a third-party after the fact to implement the same thing.

The Cost of Procrastination

Of all the data discussed in the report, the two points I keep focusing on is the cost of customer churn and the extensive use of encryption. It’s been said that, with marketers of technology solutions, a little piece of our heart breaks every time we lose a customer that we fought so hard to earn their trust, loyalty and respect, when it could so easily have been avoided. And of course the quickest, simplest and cheapest first-step in avoiding customer churn from a cyber-attack is implementing a heavy dose of PKI encryption everywhere.

Which brings me full circle back to how this blog topic was introduced - procrastination. Many security personnel put off using PKI due to the perception that provisioning and installing Digital Certificates throughout the IT infrastructure (encryption everywhere) is a daunting task, not to mention having to manage certificate renewals, revocation policies and basic inventory of all certificates.

Today, a trusted Certificate Authority should offer, at a minimum, a cloud-based certificate management platform that reduces the effort, cost and time associated with managing multiple enterprise Digital Certificates. A managed PKI platform should also provide support for multiple entities under one account and delegated user administrator offering complete, centralized control of certificate needs across an entire organization.

The platform you choose should offer automation, integration and management of enterprise-wide PKI, allowing you to automate certificate lifecycles and workflows with APIs, integration with enterprise systems like Active Directory and Mobile Device Management (MDM) platforms and support for protocols like ACME and SCEP.  This functionality allows you to leverage existing investments and automatically provision certificates to all types of endpoints – Windows, Macs, Linux servers, mobile devices, routers and more – without having to manage PKI in-house or maintain multiple accounts.

Our blog archives have many details on the background, use and methodologies of public key cryptography encryption for email, web sites, servers, code, mobile and other devices, and our recent blog on the encryption debate in the UK backs up the fact that it is critically important to any business enterprise or other IT infrastructure, no matter the industry.

GlobalSign’s classic mantra has always been “encrypt everything” and we’ve been working with customers worldwide on getting ecosystems fully encrypted, end to end. Our advice for 2018: don’t procrastinate on spreading the “encrypt everything” mentality throughout your company. PKI is the easiest cybersecurity tool to deploy and manage these days, and will save you a bundle when that cyber-attack occurs. And your snow plow driver will thank you as well.

For more information on how to best tackle encryption, feel free to contact any of the GlobalSign PKI experts.