With the release in June 2017 of the newest IBM “Cost of Data Breach Study,” conducted by Ponemon Institute, the web is buzzing with discussions of what a breach costs. As a result, now is a good time to provide a more nuanced analysis of this report through an examination of the assertions of a variety of recent breach cost reports that attempt to answer similar questions.
If you’re like me, a few things stand out in this set of reports:
The goal is not to chastise these reports for attempting to answer the questions about what a breach generally costs. Instead, it’s to emphasize that the cost of a breach is a highly dynamic figure that should be rooted in the risk profile of your organization. For any given organization, the question, "What is the average cost of a breach?" is far less valuable than questions such as:
These types of questions can be difficult to answer and will require constant re-evaluation as the business landscape changes and cyberthreats evolve. That said, a functional understanding of cost factors can greatly increase the effectiveness of your cybersecurity program.
All organizations should consider performing cross-departmental analyses of such costs to tune cybersecurity budgets and spending accordingly. Key players would likely include finance, IT operations, revenue-generating business units, compliance, customer service, and, of course, risk management. This analysis doesn’t need to be built from scratch; it can leverage similar analyses such as a business impact analysis (BIA) or true downtime cost (TDC) analysis. Incident or breach cost analysis should also be baked into post-mortem reviews so that cost models are continually refined.
The more your organization is able to reduce the uncertainty of cost due to a breach, the more the board, investors, and business partners will be able to see that you are taking a measured approach to keeping your data and business secure.
© 2018 Crowe Horwath LLP, an independent member of Crowe Horwath International.