Counting stars

The 2016 Cost of a Data Breach Study conducted by Ponemon Institute and sponsored by IBM was released in mid-June. Some interesting information about how companies in different countries and industries are experiencing data breaches was included, but one thing the report fails to do is focus on how organizations, either by geographic region or by industry, are improving or declining year over year. Luckily, past reports are still available, enabling a side-by-side look at a few of the key findings.

Lately I’ve been, I’ve been losing sleep

Each year, the first finding of the report is the average per capita cost of data breach over the past three years. For this chart, Ponemon does provide an historical view, but doesn’t specifically call out the year-on-year changes. The U.S. and Germany, the report notes, continue to show the highest per capita costs, with India and Brazil reporting the lowest. The difference in the year-on-year costs, however, also says a lot about how companies (by region) are handling data breaches and the value of the data lost. Even though the U.S. and Germany have the highest average per capita cost of data breach, the increase from 2015 for companies in both geographies was only $4 (all costs in USD), which is also the “grand average” increase from FY15 to FY16.

Looking at the 2016 report, it appears that Canada saw a huge jump in its average per capita costs. With a quick review of the 2015 report, however, it seems that there was a reporting error and the real increase from 2015 to 2016 was only $4 (an average of $207 in FY15 vs. an average of $211 in FY16, though the 2016 report illustrates a difference of +$22). Depending on which report’s numbers are accurate, Canadian companies can either sweat it out or breathe a sigh of relief, but not much can be concluded unless exact costs are confirmed.

The biggest increases in average per capita cost from 2015 to 2016 were experienced by companies in Brazil (+$22), the Arabian Cluster (+$18), Japan (+$12), and France (+$10). While Brazilian companies currently pay a low average per capita cost of data breach compared to other nations, the steep percent increase is notable and could mean future woes for companies in that region.

The average per capita cost of data breach in the U.K. actually decreased by $4 from 2015 to 2016, and by $2 in Japan, which may indicate improvements by companies in these regions. Delving into this data, most increases are modest—especially given the higher numbers of reported breaches assessed in this and other surveys—and some organizations are managing to keep breach costs under control or even improve upon past years’ efforts.

Ponemon 2016 Cost of a Data Breach Study

*The 2015 Ponemon Cost of a Data Breach Study showed Canada’s FY2015 average per capita cost as $207

Dreaming about the things that we could be

The average per capita cost of breach means a lot more if we look at the average number of breached records by country alongside it. Doing so shows whether the increase was due to a corresponding increase in the number of records breached, or whether some other factor was in play. The Ponemon study doesn’t explore the latter, but we can reasonably assume that if the cost and the number of records breached didn’t increase or decrease at comparable rates, other ingredients were thrown into the mix, such as breach prevention or detection methods.

In 9 of 11 countries, the average number of breached records grew (N.B., a year-on-year comparison for South Africa was not available in 2016, as it was the first year the country was included in the report). The biggest gain was seen by companies in France; French companies reported an average of 23,870 records breached in 2016, a 15.59% increase over FY15. French companies also reported a greater-than-“grand average” per capita cost, which may indicate that companies in France have a problem not only warding off breaches, but also containing costs when a breach hits—a potential future “perfect storm” for companies in that region.

The biggest combined “winner” is Brazil, with an 8.42% increase in the average number of records breached in 2016 versus 2015—the second highest percent gain in the data set. Combined with the region’s remarkable increase in year-on-year average per capita cost of data breach, companies in that region might conclude a need for extra focus on breach prevention, encryption, and monitoring. Attacks are sure to rise if adversaries learn that companies in that region are more prone to data theft than those in other countries, which may be inferred from the year-over-year increase in records stolen.

India, at the bottom of the average per capita cost ranking, sits at the very top of the list for average size of a breach: 31,225 breached records in 2016 as compared to 28,798 in 2015, a 7.75% gain. While the percent increase from FY15 to FY16 is smaller than in France or Brazil, the total number of breached records in India is 31% higher than the global average, indicating a serious problem in prevention and protection methods by companies in that region.

The biggest “losers,” or in this case, really, winners, were Australia (a -0.63% change from FY15 to FY16) and Germany (a -0.84% change from FY15 to FY16). So while German companies’ average per capita cost is high, they are generally doing better than last year at driving down the number of records exposed per breach.

Ponemon 2016 Cost of a Data Breach Study

Take that money and watch it burn

It should come as no surprise to security practitioners reading this post that when it comes to targeted industries, healthcare “wins” for highest costs ($355 per capita in FY16) for the second year in a row. Education ranked second ($246 per capita in FY16), but interestingly, pharmaceuticals dropped off the list entirely in 2016, even though it was included in the ranking in 2014 and 2015 as one of the most costly breached industries. Even though the per capita costs of their data breaches are the highest compared to other industries surveyed (in FY15 and FY16), healthcare and education saw a decrease in per capita costs versus last year ($363 and $300 in FY15, respectively). Thus, we can assume companies in these industries are figuring out how to rein in costs, which is good because, by most accounts, healthcare in particular is going to be the sweet spot for attackers. Other industries that experienced large increases in per capita breach costs from 2015 include “services” (left undefined, 51%), public sector (17.65%), technology (14.17%), and energy (12.12%).

Financial services, the third highest ranked industry (excepting pharma), saw only a $6 per capita increase in 2016, a mere 2.8%.

Sing in the river the lessons I’ve learned

While some of the sections listed in the report show tumultuous changes, one area that remained consistent from 2015 is how the bad guys are getting in.

Ponemon 2016 Cost of a Data Breach Study

These numbers were fairly static from 2015: malicious or criminal attacks in 2015 represented 47%, system glitches constituted 29%, and good ol’ humans took third place with 25%.

One can assume some rounding took place in 2015 as well, but suffice it to say, the idea that “humans are the weakest link” can’t be determined based solely on this report. Of course, malicious and criminal attacks target weak passwords and loose admin policies (which are created and maintained by humans), so the buckets blur a little, if you care to get into the weeds.

No more counting dollars, we’ll be counting stars

Ponemon and IBM provide good data each year, but as an industry it’s important to look at how we’re improving or declining: benchmark our efforts and consider where the attackers might turn their attention next. A standalone value says less than a change that can be measured over time. As the old saying goes, “You can’t manage that which you cannot measure,” and if companies can't manage data protection, they might as well be counting stars.