The cost of a typical cyber breach to an American company is much
less than has been generally estimated, providing one possible
explanation for why companies do not invest more to improve computer
security, according to a new RAND Corp. study.
The typical cost of a breach is about $200,000 and most cyber events
cost companies less than 0.4 percent of their annual revenues, the study
found. The $200,000 cost is roughly equivalent to a typical company’s
annual information security budget.
“Relative to all the other risks companies face, the cyber risks
often aren’t as big a deal as we think,” said Sasha Romanosky, author of
the study and a policy researcher at RAND, a nonprofit research
organization. “It may be bad for you if you are the victim, but it
doesn’t change the behavior or strategy of a company. Like you and me,
companies are self-interested and operate in ways that minimize their
costs. You can’t begrudge them for working that way.”
The RAND estimate is far lower than the figure in a May 2014
report by the Ponemon Institute, a Michigan-based research firm. The
Ponemon report put the average cost of a single data breach at $3.5
million, based on a survey of 314 companies in 10 countries.
The RAND study, which is published in the Journal of Cybersecurity,
is based on a private dataset of 12,000 cyber incidents compiled by
Advisen, which provides information on corporate losses to the insurance
industry.
A 2015 study of 160 cyber liability insurance claims by NetDiligence,
a data breach services company, found that the average total claim for a
breach was $673,767. But the cost varied greatly by company. The
average claim for a large company was $4.8 million, while the average
claim in the healthcare sector was $1.3 million.
Cyber breaches at American companies have made headlines in recent
years and put the personal information of millions of consumers at risk.
The most recent and biggest was reported last month at Yahoo.
Romanosky said he undertook his study in part because of an executive
order issued by President Obama in 2013 directing the National
Institute of Standards and Technology to develop voluntary guidelines
for improving information security.
The policy was put in place as public concern about cyber attacks
began to rise with disclosures of major breaches at Target and other
prominent companies, but Romanosky wondered whether the corporate world
would be willing to adopt tougher measures.
Romanosky examined incidents across four categories: data breaches
involving the disclosure of personal information, security incidents
that resulted in the theft of intellectual property or disrupted
business services, malicious harvesting of account information through
phishing or skimming attacks, and privacy violations through the
unauthorized collection, use or sharing of personal information from
cell phones, web tracking and other means.
He found that security breaches were on the upswing, from 64 reported
incidents in 2012 to nearly 250 reported incidents by 2014. The sectors
with the highest number of reported hacks were finance and insurance,
health care and government entities.
In analyzing the financial impact of such incursions, Romanosky
considered factors such as the cost of investigating the causes of a
breach, notifying consumers, increasing customer support, paying for
identity theft insurance or credit monitoring, and dealing with legal
actions.
Yet those costs, the RAND researcher found, generally were not
onerous and were lower than losses companies face because of fraud,
theft, corruption or bad debt.
“If it is true that, on average, businesses lose 5 percent of
their annual revenue to fraud, and that the cost of a cyber event
represents only 0.4 percent of a firm’s revenues, then one may conclude
that these hacks, attacks and careless behaviors represent a small
fraction of the costs that firms face, and therefore only a small
portion of the cost of doing business,” Romanosky said.
Given that finding — and surveys that indicate consumers are mostly
satisfied with the ways companies respond to data breaches — he says
that businesses “lack a strong incentive to increase their investment in
data security and privacy protection.” Moreover, if their losses are
not out of line with other costs, he said, “maybe the firms are already
doing the right thing,” making government policies to induce more
precautions unnecessary.
Romanosky said a more effective strategy might involve cyber
insurance programs that offer reduced premiums in exchange for companies
taking certain steps to beef up data security.
He also urges consumers to “stay vigilant and take precautions in sharing their information with just anyone.”
Credit: http://www.mynewmarkets.com