
New reports on the cost and incidence of cyber breaches

We have two new reports to review and discuss today:

Here are a few highlights from the Verizon report:

  • 69% of the breaches were perpetrated by outsiders. To that you need to add 2% by partners and 5% by multiple partners. 34% involved internal actors.
  • 43% of the breaches involved small business victims, while 16% were of public sector entities, 15% in Healthcare, and 10% of financial industry organizations.
  • 23% involved nation-state or affiliated actors.
  • Only 71% were financially motivated while 25% were espionage.
  • 56% took months to discover.

Ponemon told us:

  • Information theft is the most expensive and fastest rising consequence of cybercrime—but data is not the only target. Core systems, such as industrial control systems, are being hacked in a powerful move to disrupt and destroy.
  • Cybercriminals are adapting their attack methods. They are using the human layer—the weakest link—as a path to attacks, through increased phishing and malicious insiders. Other techniques, such as those employed by nation-state attacks to target commercial businesses, are changing the nature of recovery, with insurance companies trying to classify cyberattacks as an “act of war” issue.
  • Cyberattackers have slowly shifted their attack patterns to exploit third- and fourth-party supply chain partner environments to gain entry to target systems—including industries with mature cybersecurity standards, frameworks, and regulations.
  • Almost 80 percent of organizations are introducing digitally fueled innovation faster than their ability to secure it against cyberattackers.
  • Organizations are seeing a steady rise in the number of security breaches—from 130 in 2017 to 145 this year.
  • The total cost of cybercrime for each company increased from US$11.7 million in 2017 to a new high of US$13.0 million—a rise of 12 percent. In the US, the average cost was $27.4 million.
  • Banking and Utilities industries continue to have the highest cost of cybercrime across our sample with an increase of 11 percent and 16 percent respectively. The Energy sector remained fairly flat over the year with a small increase of four percent, but the Health industry experienced a slight drop in cybercrime costs of eight percent.
  • Our clients tell us that one of the most difficult questions when assessing their investments in cybersecurity is: How much is enough?

But what does this mean for your business? How does it affect either strategic or tactical decisions?

Let’s consider that last point. How much is enough?

Unfortunately, neither report tells us how much organizations are currently spending on the cyber and information security budget, nor how they assess the likelihood of a significant breach that threatens the achievement of their objectives. So we cannot (even if we wanted to) rely on a benchmark of what others are doing.

I can’t find it now, but I recall a survey that said that the average cyber budget was around $12 million. That seems a little low to me and Forbes reports that Bank of America and Chase each spend about $500 million.

But if organizations are experiencing damages from breaches of $13 million, on average, are they spending enough, the right amount, or too much?

How much would they suffer if they had not spent the $12 million (assuming that is correct)? How much could they reduce the level of risk should they spend another $12 million?

Again, how much is enough?

That is a business decision that needs to take into account the risk posed by cyber to business objectives, as well as the fact that any funds invested in cyber cannot be invested in other initiatives.

In Making Business Sense of Technology Risk, I point out that assessing cyber risk based on the potential out-of-pocket cost is hardly the best measure. Most organizations can accept the risk if the potential for out-of-pocket cost is $10 million or less.

But, as the surveys tell us, very often the hackers are trying to disrupt or even destroy the organization and the services or products it provides. If a cyber breach prevents an organization from achieving its goals, the damage is generally seen by leaders as greater than pure out-of-pocket costs. They would be willing to spend substantial sums to prevent such a result.

Certainly, saying that the risk is “high” is meaningless. How does that inform the decision of how much to spend?

Leaders need to know how much of their scarce resources to invest in cyber. Should they spend more, what is the return on any additional investment, and even if there is a positive return, is it better than the return they would obtain on other investments?

They need to know whether to invest $5 million in cyber or that same amount into new product development, a marketing initiative, the deployment of new technology, etc. They rarely have the funds to spend on every source of risk – so they have to make intelligent and informed decisions.

A breach can affect the organization in many ways, from trivial to devastating. There is a range of potential effects, each with its own likelihood.

I prefer to assess cyber-related risk based on how the likelihood of achieving enterprise objectives is affected. Cost is one factor and not necessarily the most significant one.

Answering the question of how much to invest requires considering the likelihood of achieving objectives given all sources of risk, not just cyber. For example, if a cyber breach might affect customer satisfaction and thereby revenue goals, so might product quality issues and other factors. Assessing cyber risk to objectives in isolation is missing the big picture.

Aggregating disparate sources of risk to a single objective is a challenge, as is comparing the risk from cyber to the risk from changes in the economy, or deciding whether it makes more business sense to invest in cyber than in marketing. That’s why I wrote the book – it’s too much to cover in a blog.

Other matters to consider include:

  • The range of possible adverse effects of a breach and their likelihoods (based on how it might affect the likelihood of achieving enterprise objectives, not just the cost).
  • Is the level of risk, given the above, acceptable? Is there an acceptable likelihood of achieving objectives? Consider both the potential effects of cyber and how other sources of risk might affect the same objectives.
  • How will an investment in cyber change the level of risk (the range)?
  • What would it take to reduce the level of risk to an acceptable level? Is an investment in cyber the best way to reduce the overall level of risk?
  • Is the reduction in risk worth spending the money?
  • Are there better ways to spend the money?

This is not a technical issue. It’s a business one. Those responsible for IT and cyber need to work collaboratively with operating management to assess the potential harm to the business (not to information assets) and how the likelihood of achieving enterprise objectives might be affected.

Those making both strategic and tactical decisions regarding cyber need useful, actionable information. They need help figuring out how much to spend. I hope my book helps.

I welcome your comments.

  1. David
    May 12, 2019 at 5:05 PM

    It would seem to flow from what protections or capabilities you want to establish. A short list includes:

    1. Data retention procedures delete unneeded data timely, to limit cost of a breach.
    2. Backups are robust enough to limit impact of ransomware.
    3. Penetration testing of applications and infrastructure finds few/minor vulnerabilities.
    4. Log and vulnerability management programs are keeping up as tickets are generated.
    5. Patches are applied to all systems timely; older infrastructure that cannot be patched is replaced.
    6. Unauthorized data exfiltration is detected timely.
    7. Security rating service scores meet goals.
    8. Third parties connected to your systems meet robust security standards and higher risk suppliers are individually reviewed.
    9. Encryption standards are applied to all systems at rest, in use and in motion.
    10. Effective risk management (e.g., IT managers are encouraged to report risks in monthly technology risk meeting; remediation tracked to resolution).

    There are probably a few dozen more of these; once the organization decides what they are, puts metrics on them, and monitors regularly, then you know you’re spending enough.

    • Norman Marks
      May 12, 2019 at 5:08 PM

      But how much are you willing to invest in these? That should depend on the level of risk, right?

  2. Eng Hwa Lim
    May 13, 2019 at 6:25 AM

    Norman, personally I would NOT consider the risk matrix which takes into consideration the likelihood. I would focus on the consequence IF there is a breach of cyber security of the company’s IT systems. Each system to be evaluated by IT EXPERTS not by RM EXPERTS and the controls to be put in place until it hurts the pocket. We are in an integrated world and connected via IT systems, hence we cannot be out of it for a duration; it’s the end of the company’s business, reputation, etc. Gary

    • Norman Marks
      May 13, 2019 at 7:14 AM

      But how much money does it make business sense to invest? How do you decide? Resources are limited.

      • Gary Lim
        May 15, 2019 at 7:20 AM

        I have done this once with the BOD, where I presented the cost to install a system at the “warm” site in the event of an IT system failure as part of the BCM; it is up to the members of the BOD to decide, they are learned and well paid positions. I am not in the position to make a decision because of the financial implications; I present the pros and cons only.
        If the IT Experts present the cost to implement certain measures, the BOD must decide otherwise get a second opinion, they have to spend resources and disclose some “confidential” info to another company, again it’s the BOD decision.
