IBM and Ponemon Institute’s 2015 Cost of Data Breach Study: United States – the tenth annual study on the cost of data breaches for US companies – has just been released. Among its key findings, the report notes that:
- The total average cost paid by breached organizations has increased from $5.4 million to $6.5 million. The average cost per stolen record has increased from $201 to $217, of which $74 represents direct costs and $143 indirect costs (up from $134 in the 2014 study).
As data breaches and stories of identity theft feature more frequently in the news, customers are, understandably, becoming increasingly demanding about the security of their personal information. The IBM/Ponemon study notes that the greater the abnormal customer turnover, the higher the data breach cost – demonstrating how much reputational damage can affect a breached organization as customers take their business elsewhere. This goes some way to explaining why, according to a recent study, 20% of security professionals claimed that their organization had concealed a data breach.
- Costs associated with data breach notification increased slightly from $0.51 million in 2014 to $0.56 million this year.
It’s often illegal – as well as unethical – to conceal breaches. In the absence of a federal data breach notification law, organizations are bound by state legislation as well as relevant industry regulations. If your organization is obliged to notify affected customers, district attorneys, or consumer reporting agencies of a data breach, your costs will rise significantly.
The Ponemon study found that the cost of a data breach is reduced by having:
- An incident response plan and team.
- Extensive use of encryption.
- Business continuity management (BCM) involvement.
- CISO leadership.
- Employee training.
- Board-level involvement.
- Insurance protection.
With the likelihood, impact, and cost of data breaches increasing, it is sensible to focus on this list. ISO 27001, the international standard for information security management, can provide a framework for all but the last of those points, and may also help reduce cyber insurance premiums.
International information security best practice
ISO 27001 sets out the requirements of a best-practice information security management system (ISMS), a risk-based approach to information security that can be applied throughout the supply chain. Once your ISMS has been registered to the Standard, you can insist that third-party contractors and suppliers also achieve registration. Registration provides evidence to all stakeholders that international best practice is being followed, helps you meet legal and regulatory obligations, and reduces the risks your business faces.
For more on the business benefits of ISO 27001, click here >>
To see how IT Governance’s fixed-price ISO 27001 Packaged Solutions can help you implement an ISMS in your organization and achieve registration to the Standard whatever your budget or the timescale of your project, click here >>