Data Breach Costs Overstated, Verizon Suggests

Cost-per-record may not be the best metric to use when calculating how much a cyber-security failure could cost your company.
Matthew Heller, April 15, 2015

Data security breaches may not be as expensive for companies as has previously been thought, according to a new report from Verizon.

In its eighth annual Data Breach Investigations Report, Verizon for the first time offers predicted data breach cost ranges, casting doubt on an older formula that derives a cost-per-record by dividing the sum of loss estimates by the total number of records lost.

Using that formula, the annual Ponemon Institute Cost of a Data Breach study has estimated that breaches cost companies $201 per lost record in 2014. But Verizon came up with a cost-per-record of only 58 cents based on its estimate of $400 million in losses and 700 million compromised records in 2014.

“The 58 cents number is an example of why we don’t want to focus on numbers like that,” Jay Jacobs, a Verizon data scientist and one of the report’s co-authors, told Threatpost.

Verizon used cyber-liability insurance claim data from cyber insurance carriers to take a fresh look at data breach cost impact. Through this analysis, it found, among other things, that a small data breach where only 100 records are lost would most likely cost an organization anywhere from $18,120 to $35,730. Meanwhile, a mammoth breach of 100 million records would have an average cost between $5 million and $15.6 million.

Bob Rudis, another Verizon data scientist, cautioned that even this approach doesn’t tell the whole story. “We’re as disappointed as anyone to say that there are a lot of things contributing to the cost of breaches that we can’t account for yet,” he told TechTarget.

Elsewhere in the report, Verizon said confirmed data breaches rose 55% in 2014 to 2,122, and security incidents (defined as any event that compromises the confidentiality, integrity, or availability of an information asset) increased almost 26% to 79,790.

The report also confirmed human frailties, finding that two-thirds of electronic espionage cases can be traced back to phishing attacks in which internal staffers hand over their credentials or access to protected systems.

A study of 150,000 phishing emails by Verizon partners found that 23% of recipients open phishing messages, and 11% open attachments.
