Using Real World Metrics to Calculate Today's Cost of a Data Breach
The Scary Truth
"It now takes an average of 31 days at a cost of $20,000 per day to clean up and remediate after a cyber attack."
- Ponemon Institute, 2014
This presentation leverages metrics from the 2014 Ponemon Institute Study
• Conducted annually since 2005
• Analyzed 314 breaches in 16 industry sectors
• 61 of those breaches were in the United States
• Industries represented include financial, retail, healthcare, technology, and pharmaceutical
Costs of a Data Breach
$201 Per Record*
• Direct Costs: $66
– Legal defense costs
– Audit and consulting services
– Public relations, communications with customers, etc.
• Indirect Costs: $135
– Lost business
– Increased costs to acquire new customers
– In-house investigations, etc.
• Financial Industry Costs: $236 average per record
*2005 Survey - $138, 2013 Survey - $188, 2005-2014 Average - $191
Costs of a Data Breach
• 44% involved malicious or criminal acts
– Malware, criminal insiders, phishing/social engineering, SQL injection
– Cost per record of $246
• 31% involved “human error”
– Negligent or careless employees
– Cost per record of $171
• 25% involved system “glitches”
– Cost per record of $160
Costs of a Data Breach
• Average breach size: 29,087 records*
• Average notification costs: $509,000
• Average total cost: $5.85 million
• Abnormal customer churn increased 15% between 2013-2014
* By design the Ponemon survey excludes breaches greater than 100,000 records
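The slides give the ingredients of the headline numbers but never show the arithmetic that ties them together. The following estimator is an added example, not code from the TraceSecurity deck: it uses only the dollar figures, percentages and record counts quoted above, reproduces the $201 per-record and $5.85 million averages from their components, and flags a record count above the survey's 100,000-record cap, beyond which the per-record figure has no support in the data. The function and field names, and the choice to treat the 31-day remediation cost as additional to the per-record cost, are this example's own assumptions.

```python
# Added example (not from the TraceSecurity deck): a small estimator that
# reuses the 2014 Ponemon figures quoted on the slides. The dollar values
# are the slides'; the weighting, the API and the sanity checks are this
# example's own construction.
from dataclasses import dataclass
from typing import Optional

# Share of breaches by root cause and per-record cost for each cause.
CAUSE_SHARE = {"malicious": 0.44, "human_error": 0.31, "system_glitch": 0.25}
CAUSE_COST_PER_RECORD = {"malicious": 246.0, "human_error": 171.0, "system_glitch": 160.0}

# Headline per-record cost ($201 all industries, $236 financial).
INDUSTRY_COST_PER_RECORD = {"all": 201.0, "financial": 236.0}

AVERAGE_BREACH_RECORDS = 29_087      # average breach size in the survey
SURVEY_RECORD_CAP = 100_000          # survey excludes breaches above this size
REMEDIATION_DAYS = 31                # "31 days at $20,000 per day"
REMEDIATION_COST_PER_DAY = 20_000


def weighted_per_record_cost() -> float:
    """Expected per-record cost when the cause is unknown: sum(share * cost).

    Reproduces the $201 headline figure from the per-cause breakdown.
    """
    return sum(CAUSE_SHARE[c] * CAUSE_COST_PER_RECORD[c] for c in CAUSE_SHARE)


@dataclass(frozen=True)
class Estimate:
    records: int
    per_record: float
    record_cost: float          # records * per_record
    remediation_cost: float     # 31 days * $20,000 (assumed additive, see note)
    beyond_survey_range: bool   # True when records exceed the survey's cap


def estimate(records: int, cause: Optional[str] = None, industry: str = "all") -> Estimate:
    """Estimate breach cost from a record count.

    A known cause selects its per-record figure; otherwise the industry
    figure is used. Assumption (this example's, not the slides'): the
    31-day remediation cost is treated as additional to the per-record cost.
    """
    if records <= 0:
        raise ValueError("records must be positive")
    if cause is not None:
        if cause not in CAUSE_COST_PER_RECORD:
            raise KeyError(f"unknown cause {cause!r}")
        per_record = CAUSE_COST_PER_RECORD[cause]
    else:
        per_record = INDUSTRY_COST_PER_RECORD[industry]
    return Estimate(
        records=records,
        per_record=per_record,
        record_cost=records * per_record,
        remediation_cost=REMEDIATION_DAYS * REMEDIATION_COST_PER_DAY,
        beyond_survey_range=records > SURVEY_RECORD_CAP,
    )


def reproduces_headline_figures(tolerance: float = 0.02) -> bool:
    """Consistency check on the slides' own numbers: the cause-weighted
    per-record cost should be within 2% of $201, and the average breach
    size times $201 should be within 2% of the $5.85 million average total."""
    per_record_ok = abs(weighted_per_record_cost() - 201.0) / 201.0 < tolerance
    total = estimate(AVERAGE_BREACH_RECORDS).record_cost
    total_ok = abs(total - 5_850_000) / 5_850_000 < tolerance
    return per_record_ok and total_ok


if __name__ == "__main__":
    print(f"cause-weighted per-record cost: ${weighted_per_record_cost():.2f}")
    e = estimate(AVERAGE_BREACH_RECORDS)
    print(f"average breach: ${e.record_cost:,.0f} in record costs, "
          f"${e.remediation_cost:,.0f} in remediation")
    big = estimate(26_500_000)  # the VA laptop case discussed later in the deck
    print(f"VA-sized breach: beyond survey range = {big.beyond_survey_range}")
    print("headline figures consistent:", reproduces_headline_figures())
```

Two things the run makes visible that the slides leave implicit: 0.44 × $246 + 0.31 × $171 + 0.25 × $160 comes to $201.25, so the per-cause figures and the headline $201 are the same data cut two ways; and 29,087 × $201 is $5,846,487, which is where the $5.85 million average total comes from. The `beyond_survey_range` flag is the caveat a practitioner should keep in mind before multiplying $201 by a record count in the millions, as the VA example below invites.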
What increases costs?
[Chart: per-record cost impact of four factors, 2013 vs 2014. Categories: Lost or stolen devices; Breaches involving third parties; Notifying too quickly; Engaging consultants. Bar values as extracted, in an order that cannot be mapped back to category and year: $10, $43, $37, $3, $18, $25, $15, ($13). Vertical axis: ($20) to $50 per record.]
What decreases costs?
[Chart: per-record cost reduction from four factors, 2013 vs 2014. Categories: Having a strong security posture; Having a formal incident response plan in place prior to the breach; Having a formal BCP in place prior to the breach* (2014 only); Employment of a CISO. Bar values as extracted, in an order that cannot be mapped back to category and year: ($34), ($42), ($23), ($21), ($17), ($13), ($10). Vertical axis: ($45) to $0 per record.]
*2014 was the first year BCDR was included in this survey; therefore, there is no historical data.
Real-World Example
Department of Veterans Affairs
• May 3, 2006, an employee copied data onto a laptop and took it home without authorization
• The data was neither encrypted nor password protected
• The laptop was stolen
• The laptop was recovered a month after the theft with no evidence that the data was accessed or used
Real-World Example
Department of Veterans Affairs (cont’d)
• The data copied to the laptop included records on every American veteran discharged since 1975
– 26,500,000 veterans exposed, including their names, dates of birth, and social security numbers
– VA later revised the estimate to include an additional 2.1 million active and reserve service members
• $7 million in notification costs
• $7 million in call center costs
• $20 million class action settlement
Real-World Example
Ohio State University
• December 2010, "hackers" gained access to a university server containing the personal information of over 760,000 current, former, and prospective students and faculty
• The information included names, social security numbers, dates of birth, etc.
Real-World Example
Ohio State University (cont’d)
• A year of free credit monitoring
• Dedicated call center for issue resolution
• Third-party forensic services were engaged to investigate
• All victims were notified in writing
• There was no evidence that the accessed records were exploited
• The costs for the notification, investigation, and remediation exceeded $4 million
References
• Ponemon Institute, “Cost of Data Breach Study”
• Zurich General Insurance, “Cost of a Data Breach”
• Kaspersky “Global Corporate IT Security Risks”
• American Bankers Association “Target Breach Impact Study”
• Verizon “Data Breach Investigations Report”
• Information Week “8 Most Common Causes of Data Breaches”
• Symantec “Internet Security Threat Report”
• PWC/CERT/CSO Magazine “US State of Cybercrime Survey”
For more educational content from TraceSecurity,
• Download thought leadership
• Watch webinars on-demand
• Read our blog, and
• Receive our monthly newsletter
• Follow us on social:
www.tracesecurity.com ©2014 TraceSecurity, Inc. All rights reserved worldwide.