Quantifying The Enterprise Cost Of A Cyber Security Data Breach

Impact To Organization Goes Years Beyond The Incident

Add bookmark

Jeff Orr

Quantifying The Enterprise Cost Of A Cyber Security Data Breach

Financial services provider Capital One appears to be the latest mega-breach of personal data in a growing number of large incidents where more than 1 million records are compromised. Upwards of 100 million individuals were impacted by the data breach, which included social security numbers and linked bank accounts for credit card customers and applicants across the U.S. and Canada.

The root cause appears to be a firewall vulnerability exploited in a Capital One web application that interfaces with its AWS cloud. The theft of data had been occurring for a few months before it was detected and federal authorities were called in to investigate.

No industry sector can claim immunity from data breaches. Vertical markets with large customer bases, including healthcare and financial services, tend to lead in terms of the number of customer records exposed. Government agencies also fall into this group of potentially attractive targets with large amounts of personally identifiable information (PII).

Readers of Cyber Security Hub are well-aware of the risk management practices to mitigate an enterprise attack, including:

An increasingly important metric to understand is the cost of an enterprise data breach. More and more research is being done to help illuminate this emerging subject. According to the annual Cost of a Data Breach Report by the Ponemon Institute and sponsored by IBM Research, the cost per lost record for a company in the United States averages $242.

Capital One estimates its 2019 losses from this data breach to be in the $100-150 million range, below the average in the Ponemon research. The study further concluded that while data breaches are a global concern, U.S. enterprise organizations lead all nations in total cost of data breaches with an average impact to the business of nearly $8.2 million.

Governments are also moving quickly in an effort to penalize organizations that compromise personal data. The European Union (EU), which recently implemented a data protection law to fine companies for data mismanagement, is expected to levy Bulgaria’s tax agency up to $22.5 million over the breach of PII for more than 4 million Bulgarian citizens. Stateside, New York has expanded its data breach laws and requires businesses to implement data security programs. The SHIELD (Stop Hacks and Improve Electronic Data Security) Act broadens the definition of PII and adds new requirements for breach disclosures. Businesses collecting PII about New York residents must implement security measures and develop employee awareness programs among other administrative safeguards to ensure cyber hygiene.

While 100% security is not a practical objective, getting back to the fundamentals of understanding data movement, identifying sensitive PII and company data, and enforcing third-party risk management (even in the cloud) can not be overstated as a reminder to “get the house in order” with the number of mega-breaches occurring weekly.