The 9th annual research report, conducted for IBM, shows that the cost of breaches, in most countries, is on the rise, a matter that should be of concern to top management, Ponemon, chairman of the eponymous research company, says in a May 5 interview with Information Security Media Group.
With each breach, an enterprise's reputation takes a hit, which erodes the bottom line. Ponemon characterizes the adverse impact of that reputation hit as "abnormal churn rates," which reflect the loss of customers resulting from a breach. The study says organizations could significantly reduce high churn rates, and with them the cost of breaches, by putting greater emphasis on customer retention initiatives.
That, Ponemon says, could start with a change in attitude by CEOs. "A lot of CEOs still believe that a security breach [is] a technical glitch or a problem that middle management handled," he says.
Ponemon compares data breaches to recalls of automobiles, which often garner the attention of CEOs. He laments that CEOs generally don't get involved with breaches unless it's a massive one, like the attack on Target's point-of-sale system.
"Data breaches of 10,000 to 100,000 records are really significant events for the people who are, unfortunately, victims, but a lot of CEOs would say, 'Ah, that's small change,' relative to other things they have to worry about," Ponemon says. "And that's a mistake. Obviously, you want CEOs to be involved, at least to some extent, on dealing with the external consequences of the data breach."
In a feature debuting in the 2014 report, Ponemon says his company developed a formula to determine the likelihood for an organization to experience a data breach over the next two years. Ponemon surmises that the probability of a data breach involving at least 10,000 records is more than 22 percent.
In the interview, Ponemon explains:
- Why healthcare, at $359 a record, tops the list of industries with the highest per capita breach cost, far ahead of financial, at $206, and public (government), at $100, which had the lowest cost. Ponemon describes medical records as the "crown jewel" for identity thieves.
- How the lack of a national breach notification law in the United States drives up costs for American enterprises (see Why U.S. Breach Notice Bill Won't Pass).
- Why organizations that provide early data breach notification to customers and stakeholders experience higher costs.
Ponemon in 2002 founded the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. He also is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute.