true cost of data breaches


Upload: matthew-rosenquist

Post on 09-Jan-2017


TRANSCRIPT

Page 1: True Cost of Data Breaches

Fraud and Data Breach Prevention Summit San Francisco

Matthew Rosenquist | Intel Corp

The True Cost of Data Breaches

Not Just a Dollar-per-Record

March 22-23, 2016 – San Francisco, CA

Page 2: True Cost of Data Breaches

Fraud and Data Breach Prevention Summit San Francisco #ISMGFraudSummit2

About the Speaker

Matthew Rosenquist

Cybersecurity Strategist and Evangelist

Matthew Rosenquist is a cybersecurity strategist with a passion for his chosen profession. Benefiting from 25 years of experience in Fortune 100 corporations, he thrives at establishing strategic organizations and capabilities which deliver cost-effective security capabilities. As a cybersecurity strategist, he champions the meaningfulness of security, advises on emerging opportunities and threats, and advocates an optimal balance of cost, controls, and productivity throughout the industry.

Matthew is an outspoken evangelist of cybersecurity and strives to advance the protection of technology and users. His voice can be heard at conferences, in security whitepapers, videos, and numerous blogs. He specializes in strategic threat analysis, security planning, solution optimization, measuring security value, policy and compliance management, risk assessments, investigations, and crisis response.

Page 3: True Cost of Data Breaches


“Sony's own network has been thoroughly penetrated and turned against it”

“TalkTalk has been hacked, leaving thousands of customers at risk”

It is a Data Breach World

Page 4: True Cost of Data Breaches


It is a Data Breach World

By 2020, 1.5+ billion people worldwide will be affected by data breaches

Source: IDC

Page 5: True Cost of Data Breaches


It is a Data Breach World

In 2015, over 700 million records were lost or stolen (that is 80k per hour)

Source: Gemalto

Page 6: True Cost of Data Breaches


It is a Data Breach World

The top 10 healthcare breaches of 2015 affected almost 35% of the US population

Source: Office of Civil Rights

Page 7: True Cost of Data Breaches


It is a Data Breach World

Just for California…

171 breaches involving 24 million records (3 out of 5 Californians)

Source: https://oag.ca.gov/breachreport2016#summary

Page 8: True Cost of Data Breaches


[Chart: breach bubble chart from http://www.informationisbeautiful.net, with labels $252M and $88M]

Size of a Breach: the number of records lost is only one aspect

Page 9: True Cost of Data Breaches

[Chart: breach bubble chart from http://www.informationisbeautiful.net, with labels $252M and $88M]

Severity: the sensitivity of the records lost is an important consideration

Page 10: True Cost of Data Breaches


Impacts of Data Breaches

A number of aspects contribute to cascading impacts:

• Incident Response Costs

• Customer Satisfaction

• Tarnished Reputation

• Business Disruption

• Loss of Leadership

• Lower Stock Price

• Regulatory Hurdles

• Litigation

• Opportunity Costs

Page 11: True Cost of Data Breaches


Numbers and Models Vary Greatly

Ponemon linear calculation (survey data; costs are flat per record):

Year   Cost per Record
2012   $130
2013   $136
2014   $145
2015   $154

Verizon DBIR variable calculation: costs scale based upon quantity.

Source: Ponemon

Source: Verizon

Page 12: True Cost of Data Breaches


Cost Estimates are Not Consistent

Rough estimation of some numbers…

The various cost models are not consistent or accurate for all cases.

Breach     Records   Ponemon per record   Verizon scale model             NetDiligence calculator         Reported or estimated loss
Target     70000k    $10800 million       $15 million (.7m-$329m range)   $345 million (IR & Cust Mgmt)   $252m
TalkTalk   150k      $23 million          $.7 million                     $3.2 million                    $88m
Anthem     80000k    $12300 million       $17 million                     $478 million                    $100-$200m est.

Page 13: True Cost of Data Breaches


Costs walkthrough

• Every breach is different!

• Big Costs:

– Incident Response and customer risk mitigation (ex. credit monitoring)

– Litigation, lawsuits, regulatory reviews, etc.

– New security controls, insurance, auditing

– Business impacts (customer loyalty, stock price, etc.)

• Insurance coverage can offset some costs

• Effective Incident Response can limit damages

• Improved security can reduce recurrence risks

Typical SMB Incident Response [1]:

• Incident Response $25-$30k (a few days of work for the pros)

• Root cause analysis with infrastructure and policy recommendations: $100k (~10 weeks)

• Does not include other costs…

Source: Foundstone

[1] Many factors are at play; this is just a ballpark figure based on actual cases worked. Mileage will vary.

Page 14: True Cost of Data Breaches


The Real Cost Aspects

Breach Impacts & Recovery

• Incident Response & Forensics

• User Notification

• Public Relations & brand protection

• Crisis Management

• Customer risk mitigation measures (new cards, password resets, credit watch, etc.)

Security Improvement Investments

• Prevention controls

• Product/Service design & test (including vendors & 3rd parties)

• Breach Insurance, audit, & certification

• Management, staffing, oversight, and reporting

Business Disruption & Opportunity Costs

• Customer goodwill, trust

• 3rd party (vendors and suppliers) relationships

• Design for security costs and product-to-market delays

• Security assurance overhead

• Impacts to innovation

• Leadership disruption

• Marketing & new message campaigns

Page 15: True Cost of Data Breaches


Responses of Breach Victims Vary

[Figure: response activities arranged by maturity level, with axis labels BASIC, MATURE, PROFESSIONAL]

• Risk Mitigation

• Crisis Management

• Incident Response

• Breach Discovery

• Management Oversight and Ownership

• Risk Assurance & Transfer

• Product & Service production

• Broader Risk Assessment

• Optimize security posture & costs

• Offset impacts to innovation and product delivery

• Plan & Prepare for future security incidents

Page 16: True Cost of Data Breaches


Recommendations

• Secure the environment & data with industry best practices

• Align/pre-stage resources (ex. legal, CERT, PR, management, etc.)

• Plan for a breach, test response annually

• Implement/tune Disaster Recovery and Business Continuity (DRBC)

• Tighten data policies (retention, access, storage, oversight, etc.)

• Evaluate cyber data-breach insurance

• Risk assessment for vendor and supplier weaknesses

Page 17: True Cost of Data Breaches


Future data security challenges

• More data breaches! (both indirect targeting and directed attacks)

• Secondary attacks against previous victims who have not taken proper steps to secure their environment

• Tuning of insurance rates and coverage

• Integrity attacks gain momentum (ex. ransomware, CEO email fraud, transaction tampering, etc.)

Page 18: True Cost of Data Breaches


Conclusions

• The risks of Data Breaches are real and broadening

• Actual costs of Data Breaches are more complex than the perception

• Eventually everyone will experience a loss…

• Manage your Risks! (this greatly determines the amount of loss)

• Common sense applies:

– Follow industry best-known-methods to secure data to reduce risks

– Organize and prepare. Be proactive!

– React quickly with professionals (organic or external) to limit losses

– Apply learnings to protect from recurrence

…Yes, this means you!

Page 19: True Cost of Data Breaches

Thank You for Attending!