When I was learning to fly, one of the many pearls of wisdom imparted to me by my instructor was, as I transitioned from pre-flight planning and considering a myriad of “what-if” scenarios to prevent problems, to actually going aloft was to mentally move to continually considering what to do “when” an event, such as an failure, eventually takes place. The primary objective remained constant: to ensure a safe outcome with minimal consequences (you may call it applied risk management). This shift in attitude appears to be apt for custodians of information systems, moving from planning services and incident prevention to operational preparedness in order to best ensure a successful outcome in the event of an unplanned incident. Sadly, even with sophisticated layers of defense, many organizations are facing similar thought processes of what to do “when” a data breach takes place rather than “if”. Staples looks like it is the next addition to the list of notable incidents that includes Target, Home Depot, Chase, Goodwill, Michaels and P.F. Chang’s.
The recent Ponemon Institute benchmark research “2014 Cost of Data Breach Study : United States” identified a number of factors that could materially affect the impact and cost of managing a data breach. Apart from the headline average cost of an incident of $5.4 million with a per record number rising to $201 there were some interesting observations relating to the root causes.
The involvement of a third party was one of the biggest contributors to the cost of managing a data breach, at 12.5% above the mean cost. There is ample indication that this is an extremely common situation that is developing rapidly with the adoption of computing and application services . As well as the HVAC issue that was a vector for the Target breach, incidents at Lowe’s, Goodwill and AutoNation earlier this year were attributed to third-party vendors (E-DriverFile, C&K Systems and Trademotion respectively). The need for third party diligence has been identified as necessary by financial and healthcare regulators. If we look at the potential for loss avoidance, effective vendor security management that includes incident management makes good sense as both preventative and response measures.
The maturity of breach response plan represented another interesting opportunity to either increase or reduce the cost of a breach. Typically organizations that provided quick, less coordinated announcements and response activities that did not follow a clear protocol experienced management costs 7% above the mean. On the other hand, those with a clear incident response plan reported average costs around 8.5% below the mean. The difference in response approach represents over $830,000 in a $5.4 million event. To return to the pilot analogy: preparedness training and the effective use of checklists have been proven to significantly improve the outcomes.