While the average cost of a data breach in a public agency is less than in the private sector, governments that release people’s personal identifying information also risk losing the public’s trust, which could result in more subtle long-term consequences. This was one of the takeaways of a government-focused review this week of the Ponemon Institute’s 2018 Cost of a Data Breach Study.
The report, which has been conducted annually by the Michigan-based think tank for the last 13 years, was published in July , but given a detailed review in a webinar hosted by the National Association of State Chief Information Officers on Tuesday. The session was hosted by New York Chief Information Security Officer Deborah Snyder, while the institute’s founder, Larry Ponemon, provided an overview of its results with a keen eye for its relevance to the public sector.
The webinar’s theme followed an introductory message from Snyder, who recommended state officials find ways to make news stories and new data, like those found in the study, relatable on an individual basis for government officials. When talking to a financial officer about a recent data breach, for example, she recommended tailoring the story around finance.
“Take the time to relate the story to your business customers,” Snyder advised.
The big story told by Ponemon’s 2018 study, which takes from 2,200 interviews of 477 organizations in 13 countries and two geographic regions, is a global rise in frequency and cost of data breaches. Globally, organizations run a 28 percent chance that they’ll be hit with a data breach, suffering an average cost of $3.86 million, up 6.4 percent from the year before.
Data breaches in the United States are almost as common as the worldwide rate — a U.S. organizations run a 27 percent risk that they’ll be hit — but far more expensive. The average U.S. data breach costs $7.91 million, including $4.2 million in lost customer revenue, with an average cost per compromised record of $233.
Government agencies face lower penalties from data breaches than the private sector, paying just an average of just $75 per exposed record, but Ponemon said this figure is deceiving because government monopolies on many services means that while a data breach won’t necessarily result in lost customers, it often encourages behavior government agencies are trying to curb. People affected by a data breach are less likely to continue using online services, instead opting to revert to traditional in-person services, he said, and these costs for government are hard to account for. This was found anecdotally, he added, after South Carolina’s 2012 data breach that exposed the Social Security and credit card numbers of approximately 3.6 million people.
“Just because you’re talking about a monopoly like in government, it doesn’t mean there isn’t a reputation hit,” Ponemon said.
While common factors across all sectors were identified as either decreasing or increasing costs, government was found to have a unique risk profile.The top factors making data breaches more expensive are compliance failure, extensive cloud migration and third-party involvement. Ponemon also said newer technologies like cloud computing and the “internet of things,” while useful, have a proven association with higher data breach costs and will continue to pose a “really big” risk.
One of the biggest ways organizations can reduce the costs of data breaches is reducing the amount of time it takes to contain and detect them, Ponemon found. Across all sectors, the mean time to identify a breach is 190 days, and the mean time to contain a breach is 57 days after that.
Ponemon found that both timeframes are critical because the average cost of a breach that takes less than 100 days to identify is $3.11 million, while the average cost of a breach that takes more than 100 days to spot is $4.21 million. Similar figures are seen for containment timeframes.
“So if you want to reduce data breach costs, it starts with being better at identifying an incident and obviously containing the incident,” he said. “Some of these go on for years and you don’t want to be in that situation.”
Artificial intelligence and machine learning are emerging technologies that some organizations are using to reduce time to response, but few have adopted those technologies so far — just 15 percent of organizations across all sectors reported full deployment of AI for information security. This is expected to change quickly, however, as 38 percent of the survey’s respondents said they plan to deploy over the next two years, while 24 percent said they have already partially adopted AI.
The cost benefit of AI for security is already being realized. Ponemon’s data shows that those organizations that have AI fully deployed paid an average of $2.88 million following a data breach, compared to $4.43 million by those that haven’t.
A recording of NASCIO’s webinar can be found here .