To obtain approval and funding for security improvements, technologists often have to make their case by pointing to losses from recent security breaches. But, calculating those losses can be tricky. TraceSecurity has scoured the most recent statistics and studies to help you best estimate the direct and indirect costs of a data breach and justify your 2015 budget request. We will also provide some real world examples to put the costs into perspective.

1. Using Real World Metrics to Calculate
Today’s Cost of a Data Breach

2. The Scary Truth
It now takes an average of 31 days at a cost of $20,000 per day to clean up
and remediate after a cyber attack
- Ponemon Institute, 2014
This presentation leverages metrics from the 2014 Ponemon Institute Study
• Conducted annually since 2005
• Analyzed 314 breaches in 16 industry sectors
• 61 of those breaches were in the United States
• Industries represented include financial, retail, healthcare, technology,
and pharmaceutical

3. Costs of a Data Breach
$201 Per Record*
• Direct Costs: $66
– Legal defense costs
– Audit and consulting services
– Public relations, communications with customers, etc.
• Indirect Costs: $135
– Lost business
– Increased costs to acquire new customers
– In-house investigations, etc.
• Financial Industry Costs: $236 average per record
*2005 Survey - $138, 2013 Survey - $188, 2005-2014 Average - $191

4. Costs of a Data Breach
• 44% involved malicious or criminal acts
– Malware, criminal insiders, phishing/social engineering, SQL
injection
– Cost per record of $246
• 31% involved “human error”
– Negligent or careless employees
– Cost per record of $171
• 25% involved system “glitches”
– Cost per record of $160

5. Costs of a Data Breach
• Average breach size: 29,087 records*
• Average notification costs: $509,000
• Average total cost: $5.85 million
• Abnormal customer churn increased 15% between 2013-2014
* By design the Ponemon survey excludes breaches greater than 100,000 records

6. What increases costs?
$10
$43
$37
$3
$18
$25
$15
($13)
($20)
($10)
$0
$10
$20
$30
$40
$50
Lost or stolen devices
Breaches involving third-
parties Notifying too quickly Engaging consultants
2013 2014

7. What decreases costs?
*2014 was the first year BCDR was included in this survey; therefore, there is no historical data.
($34)
($42)
($23)
($21)
($17)
($13)
($10)
($45)
($40)
($35)
($30)
($25)
($20)
($15)
($10)
($5)
$0
Having a strong security
posture
Having a formal incident
response plan in place
prior to the breach
Having a formal BCP in
place prior to the breach* Employment of a CISO
2013 2014

8. Real-World Example
Department of Veterans Affairs
• May 3, 2006, an employee copied data onto
a laptop and took it home without
authorization
• The data was neither encrypted nor
password protected
• The laptop was stolen
• The laptop was recovered a month after the
theft with no evidence that the data was
accessed or used

9. Real-World Example
Department of Veterans Affairs (cont’d)
• The data copied to the laptop included records on every American
veteran discharged since 1975
– 26,500,000 veterans exposed, including their names, dates of birth, and social
security numbers
– VA later revised estimate to include an additional 2.1 million active and reserve
service members
• $7 million in notification costs
• $7 million in call center costs
• $20 million class action settlement

10. Real-World Example
Ohio State University
• December 2010, “hackers” gained access to a university server
containing the personal information of over 760,000 current,
former, and prospective students and faculty
• The information included names, social security numbers, dates
of birth, etc.

11. Real-World Example
Ohio State University (cont’d)
• A year of free credit monitoring
• Dedicated call center for issue resolution
• Third-party forensic services were engaged to investigate
• All victims were notified in writing
• There was no evidence that access records were exploited
• The costs for the notification, investigation, and remediation
exceeded $4 million

12. References
• Ponemon Institute, “Cost of Data Breach Study”
• Zurich General Insurance, “Cost of a Data Breach”
• Kaspersky “Global Corporate IT Security Risks”
• American Bankers Association “Target Breach Impact Study”
• Verizon “Data Breach Investigations Report”
• Information Week “8 Most Common Causes of Data Breaches”
• Symantec “Internet Security Threat Report”
• PWC/CERT/CSO Magazine “US State of Cybercrime Survey”

13. For more educational content from TraceSecurity,
• Download thought leadership
• Watch webinars on-demand
• Read our blog, and
• Receive our monthly newsletter
• Follow us on social:
www.tracesecurity.com ©2014 TraceSecurity, Inc. All rights reserved worldwide.