Is Data Breach Fatigue Setting In?

Data Breach Fatigue

This week heralded the release of the annual Ponemon Cost of Data Breach Study. For the first time in seven years, the study found that the cost of a breach of personal information went down—from $7.2 to $5.5 million per data breach incident.

Although $5.5 million is hardly a rounding error, this is ostensibly a good development for any enterprise responsible for customer data. However, the reason for the drop is discouraging. Of the $1.7 million drop per incident, $1.5 million was because companies lost fewer customers than before.

This change is attributed to breach fatigue—customers have finally received enough breach notifications that they have become inured to them. They accept the fact that breaches are a reality for most companies, and therefore taking their business elsewhere is a hassle that may not pay off in the long run.

While this reduction in customer churn has a positive impact on the price paid by a company experiencing a breach, it’s an alleviation of a symptom, not the disease. The fact that customers are less concerned about a breach of personal information than they have been in the past doesn’t mean those with the power to prevent breaches should follow suit.

Which raises the question: where is the mention of cost reduction because of improved security practices? Does breach fatigue extend beyond the customer to the larger infosec community? Between breach headlines and the continual FUD campaigns security vendors use to “educate” their audience and sell their products, perhaps IT security teams are resigning themselves to something that seems inevitable in its complexity and pervasiveness.

Whatever the cause, we can do better than this. Data from the report showed that companies with a CISO paid less per breach than companies without this position—in other words, those who took the threat seriously enough to take actions to prevent breaches fared better than those who did not. This is progress of a more encouraging kind than the reduction of cost through customer fatigue.

Take it a step beyond good reactions, then: Proactively encrypting data and creating secure audit logs to prove encryption can ensure you meet safe harbor requirements, and save you having to pay that $5.5 million in the first place. Yes, lost laptops and mobile devices are a fact of life; no, resulting exposure of sensitive data does not have to be.

The Ponemon study is a valuable resource, and hopefully next year we will see the declining trend in cost continue (maybe for more satisfying reasons than blasé customer attitudes toward exposure). In the meantime, let’s remember that just because the cut per breach is a little shallower is no justification for complacency or accepting breaches as unavoidable. Multiply $5.5 million by several breaches and see what you get. Breaches are not contagious diseases that you get once and are thereafter immune to, in true chickenpox style. Protect your data early and well.

Lark Allen is responsible for Wave’s business and corporate development, specifically creating strategic technology relationships and evaluating opportunities that have potential to achieve Wave’s strategic goals. Additionally, Lark oversees the development of a core set of markets and strategies related to security products, thereby furthering the company’s competitive positioning. Lark plays an active role in a number of industry standards organisations, including the Trusted Computing Group where he is a member of the Storage Work Group, which builds upon existing TCG technologies and focuses on developing open standards around secure data storage. Lark has more than 30 years of industry IT experience with large enterprises and has held executive management positions in sales, marketing, development and consulting. Before coming to Wave, Lark worked for many years with IBM. He graduated from Brigham Young University with a BS in Physics and earned an MS in Industrial Administration from Purdue University.

  • The final point you make that businesses need to ‘protect your data early and well’ is essential advice to avoid incidents of data breach. As you say, regardless of the overall expense reducing, they are still a very serious matter. In the UK there has been an upsurge in mobile working devices being stolen, which is a concern as theft and loss is the biggest cause of data breach.