This week heralded the release of the annual Ponemon Cost of Data Breach Study. For the first time in seven years, the study found that the cost of a breach of personal information went down—from $7.2 to $5.5 million per data breach incident.
Although $5.5 million is hardly a rounding error, this is ostensibly a good development for any enterprise responsible for customer data. However, the reason for the drop is discouraging. Of the $1.7 million drop per incident, $1.5 million was because companies lost fewer customers than before.
This change is attributed to breach fatigue—customers have finally received enough breach notifications that they have become inured to them. They accept the fact that breaches are a reality for most companies, and therefore taking their business elsewhere is a hassle that may not pay off in the long run.
While this reduction in customer churn has a positive impact on the price paid by a company experiencing a breach, it’s an alleviation of a symptom, not the disease. The fact that customers are less concerned about a breach of personal information than they have been in the past doesn’t mean those with the power to prevent breaches should follow suit.
This raises the question: where is the mention of cost reduction because of improved security practices? Does breach fatigue extend beyond the customer to the larger infosec community? Between breach headlines and the continual FUD campaigns security vendors use to “educate” their audience and sell their products, perhaps IT security teams are resigning themselves to something that seems inevitable in its complexity and pervasiveness.
Whatever the cause, we can do better than this. Data from the report showed that companies with a CISO paid less per breach than companies without this position—in other words, those who took the threat seriously enough to take actions to prevent breaches fared better than those who did not. This is progress of a more encouraging kind than the reduction of cost through customer fatigue.
Take it a step beyond good reactions, then: proactively encrypting data and creating secure audit logs that prove the encryption was in place can ensure you meet safe harbor requirements, and spare you from paying that $5.5 million in the first place. Yes, lost laptops and mobile devices are a fact of life; no, the resulting exposure of sensitive data does not have to be.
The Ponemon study is a valuable resource, and hopefully next year we will see the declining trend in cost continue (maybe for more satisfying reasons than blasé customer attitudes toward exposure). In the meantime, let’s remember that a slightly shallower cut per breach is no justification for complacency or for accepting breaches as unavoidable. Multiply $5.5 million by several breaches and see what you get. Breaches are not contagious diseases that you get once and are thereafter immune to, in true chickenpox style. Protect your data early and well.