Developing a cost-effective budget for security expenditures is a tricky task. The costs of a data breach are nebulous and often unclear until after the fact, making it difficult to gauge just how much a business should be spending on security. The fact that the real benefits of a security solution are not apparent until after an attack only adds to the uncertainty.
How is a clinic or hospital to know how much a recent data breach would have cost them had they not had an Incident Response Plan? A recent study done by the Ponemon Institute, sponsored by Symantec, intends to answer that.
The Cost of Data Breaches
The study is the eighth in a series of studies done by Ponemon, examining the costs of actual data breaches at 54 companies across 14 industry sectors. It contains valuable information for any business looking for concrete justification for implementing security measures, as well as for gauging which expenditures to prioritize.
For example, the healthcare industry suffers from a very high per capita cost of $305 per record lost. That is well above the $184 average provided by Ponemon, mainly due to the large amount of regulation in the healthcare industry. When considering that 41% of the data breaches recorded by Ponemon were due to malicious or criminal attacks, it only makes sense to invest in security solutions.
How to Reduce the Cost of a Data Breach
With it clear that data breaches are a very serious financial concern, steps must be taken by every responsible business to lessen these costs with the most practical and efficient methods available to them. Luckily, the Ponemon report provides a great deal of information on just this. Using the average cost provided earlier, Ponemon created a handy chart shown below.
Having an Incident Response Plan reduced the average cost of a data breach from $184 to $142 per record. That is a 23% reduction in cost from this one measure alone. Paired with a strong security posture and the appointment of a C-level information security professional, the combined reduction is 54%. Granted, none of these methods are without their costs. A clinic, hospital, or network must carefully examine the value of its data, as well as the potential cost of a breach, and weigh them against the cost of implementing these methods. Utilizing the information provided by Ponemon's report will make this a much easier task.
The full report is available at http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-us-report-2013.en-us.pdf.
Director’s Comment: What I see here is the ongoing trend that breaches in healthcare consistently cost more per record than other industries. The reasons are many, so let’s translate some items from the table above into healthcare terms.
- Third party errors – Do your Business Associate Agreements clearly define responsibility for determining if a breach occurred, and is the business associate or the covered entity going to contact the affected individuals? As a covered entity, you'll have plenty to do without spending valuable time arguing these items.
- Quick notification – The rules are specific. There must be no unreasonable delay, and in no case can notification of affected individuals be later than 60 days after discovery. This doesn't mean that you have to authorize unlimited overtime for all staff starting the day of the discovery, although you might have to do just that depending on the size and severity of the breach. This is where planning ahead is most valuable. It is well worth your time as an organization to run through multiple scenarios on the table top to determine when and how to deploy resources for a range of breach sizes. This should be part of your incident response plan.
- Incident response plan – Having an accurate and updated plan for when the stuff hits the fan is by far the biggest cost saver after a breach. Not only is it required, but it will help everyone from the CFO to the janitor sleep better at night. It's not just having a plan, it's the act of creating the plan that provides the peace of mind.
Dwight D. Eisenhower said, "In preparing for battle I have always found that plans are useless, but planning is indispensable."
Not sure how much you should be spending on a security solution or ready to get started with one? Sign up for a free consultation with us today.