Since the early 2000s, information security has been mistaken for something you can buy, or something you can do once, to prevent breaches and data compromises. The latest headlines have proven otherwise. The cost of data breaches is expected to reach 2.1 trillion by 2019, with the average cost of each breach exceeding $150 million by 2020.
Costly Attacks
We know from the 2014 Home Depot data breach that personal information from up to 60 million consumers was compromised. The cost of the Home Depot breach is still being calculated, but it could reach $3 billion. Unfortunately, this type of attack had been seen before, in the earlier Target and Sony compromises, and could have been avoided altogether.
The fallout from the 2013 Target compromise has cost the company $148 million for the breach itself, $100 million for better security, and $86 million to settle with Visa and MasterCard, for a total direct cost of $334 million. Indirect costs include the loss of their CEO, a class-action suit filed against the board of directors for negligence, the loss of an unknown number of customers, and becoming a prime target for any hacker who wants to claim the trophy for breaking past their new defenses.
Is Human Error to Blame?
I have been monitoring and investigating various cyber-attacks since 2010, and I have found that all compromises are the direct result of human failure at all levels. Not one data breach has ever been attributed to a hardware, operating system, or application failure. In 2013 it took an average of 229 days to discover a breach, with only 33 percent of organizations finding the breach themselves and 37 percent finding it with help from third parties. Here is my 5-second pitch: ensure you have proper logging in place, and ensure those logs are being monitored on a daily basis.
Always a Constant Process
What most organizations fail to understand about information security is that defense is a process you must apply diligently, with constant improvement over time. The process is a simple three-step focus: prevention, detection, and response. Every organization should continue to try to prevent attacks and compromises; just realize that history has proven that no matter what you do or spend on prevention, it will fail at some point. When you compare the cost of data breaches to the cost of preventing a compromise, it is easy to see that consumers and organizations alike will have to find a way to cover or transfer those risks and costs. To do this, more effort and budget must be put into the detection of attacks and data breaches.
To determine the best way to cover or transfer cost, you must know exactly what happened. In the response phase of the process, knowing exactly what happened is imperative to making an informed decision. Of course, an informed decision to do nothing can be acceptable. The information gathered during the detection (monitoring) phase will be used to handle incidents internally through human resources, to self-insure losses, to deal with authorities, or to know which insurance policy the losses can be transferred to. Regulatory compliance, potential litigation, and lost revenue all add unknown cost to your response.