Key Findings from Larry Ponemon's 2015 Cost of a Data Breach Study
Page 1: Key Findings from Larry Ponemon's 2015 Cost of a Data Breach Study

© 2015 IBM Corporation

Key findings from the 2015 Cost of Data Breach Study: Global Analysis
Benchmark research sponsored by IBM
Independently conducted by Ponemon Institute

Page 2

Panelists:
David Puzas, Director of Portfolio Marketing, Security Services, IBM
Larry Ponemon, Chairman and President, Ponemon Institute

Page 3

How did Ponemon Institute conduct the study?

Page 4

The 2015 Cost of Data Breach Study: Global Analysis—definitions and key facts.

Data breach: An event in which an individual’s name plus a medical record, financial record or debit card is potentially at risk.
Data record: Information that identifies the natural person (individual) whose information has been lost or stolen in a data breach.
Incident: For this study, a data breach involving between 2,200 and slightly more than 101,000 compromised records.
Participants: Organizations that experienced a data breach within the target size range.
Benchmark research: The unit of analysis is the organization; in a survey, the unit of analysis is the individual.

A mega-breach of more than 100,000 records is not considered typical. The cost data in this study cannot be used to calculate the financial impact of a mega-breach.

Sample: 350 organizations, 16 industries, 11 countries.

Page 5

What are the key findings this year?

Page 6

Global and country-specific averages show that the cost of a data breach is on the rise.

Cost per record (currencies converted to US dollars):
Global average: $154, up from $136 (a 12% increase over two years)
Highest countries: $217 in the U.S., $211 in Germany
Lowest countries: $78 in Brazil, $56 in India

Cost per incident (currencies converted to US dollars):
Global average: $3.8M (a 23% increase over two years)
Highest countries: $6.5M in the U.S., $4.9M in Germany
Lowest countries: $1.8M in Brazil, $1.5M in India

Page 7

Per-record data breach costs vary widely across industries, with a significant year-to-year increase for retail.

Per-record cost by industry (currencies converted to US dollars):
Healthcare: $363
Financial: $215
Retail: $165
Industrial: $155
Consumer: $136
Energy: $132
Technology: $127
Public: $68

Page 8

Customer churn following a data breach—and the related impact on the organization’s reputation—is a key contributor to cost.

Chart: abnormal customer churn rate by industry (16 industries; industry labels were not recovered in this extraction). Values range from 0.0% to 6.1%.

Page 9

With lost business leading, other components of the cost of a data breach include post-event costs, detection and notification.

Cost category | Cost | Typical components
Lost business | $1.57M | Abnormal turnover, increased customer acquisition costs, reputation losses, diminished goodwill
Post-data breach costs | $1.07M | Help desk, inbound communications, investigations, remediation, legal costs, product discounts and other special offers
Detection and escalation | $0.99M | Forensics, assessment, audit services, crisis team management, internal communications
Notification | $0.17M | Contact databases, regulatory requirement research, outside experts, postal expenditures, inbound communications setup

Currencies converted to US dollars

Page 10

Malicious or criminal attacks are the leading root cause of a data breach…and result in the highest cost per record.

Root cause share of breaches and cost per record (currencies converted to US dollars):
Malicious or criminal attack: 47% of breaches, $170 per record (the highest of the three causes)
System glitch and human error: the remaining breaches (the chart shows 26% and 29%), at $142 and $134 per record

Page 11

The incidence of malicious attack varies considerably by country.

Root cause share by country (11 countries, in the chart's order; country labels were not recovered in this extraction):
Country | Malicious or criminal attack | System glitch | Human error
1 | 57% | 22% | 21%
2 | 55% | 23% | 22%
3 | 54% | 31% | 15%
4 | 50% | 24% | 26%
5 | 48% | 22% | 30%
6 | 45% | 27% | 27%
7 | 45% | 20% | 35%
8 | 39% | 23% | 38%
9 | 36% | 29% | 35%
10 | 32% | 35% | 33%
11 | 30% | 35% | 35%

Page 12

Organizations in certain countries are more likely to experience a data breach.

Chart: overall likelihood of experiencing a breach of 10,000 or more records over a two-year period, by country (11 countries; country labels were not recovered in this extraction). Values range from 16% to 37%; the overall likelihood across the sample is 22%.

Page 13

What factors can have a positive impact on an organization’s security posture?

Page 14

Having an incident response team and using encryption extensively can reduce the cost of a data breach.

Chart: per-record cost reduction attributed to seven factors (factor labels were not recovered in this extraction; currencies converted to US dollars). Reductions range from $4.40 to $12.60 per record.

Page 15

Business Continuity Management involvement can also translate into faster identification and containment of data breaches.

Measure | No BCM involvement (days) | BCM involvement (days) | Reduction
Mean Time to Identify (MTTI) data breach | 234 | 178 | 27% reduction in time to identify a data breach
Mean Time to Contain (MTTC) data breach | 83 | 55 | 41% reduction in time to contain a data breach

Page 16

Based on the findings, what recommendations do you have for security leaders today?

Page 17

Win the battle of the breach

• Step 1: Prioritize your business objectives and set your risk tolerance
• Step 2: Protect your organization with a proactive security plan
• Step 3: Prepare your response to the inevitable: a sophisticated attack
• Step 4: Promote and support a culture of security awareness

Page 18

Next steps

Visit ibm.com/security/data-breach and register to receive the global study or a country-specific study
Visit ibm.com/services/security to learn how IBM Security Services can help protect your organization
Visit www.ponemon.org to learn more about Ponemon Institute research programs

Page 19

?

Page 20

Trademarks and notes

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

© IBM Corporation 2015

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Not all offerings are available in every country in which IBM operates. This document is current as of the initial date of publication and may be changed by IBM at any time.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Actual available storage capacity may be reported for both uncompressed and compressed data and will vary and may be less than stated.
