True Cost of Data Breaches
1. Fraud and Data Breach Prevention Summit San Francisco
Matthew Rosenquist | Intel Corp
The True Cost of Data Breaches
Not Just a Dollar-per-Record
March 22-23, 2016 – San Francisco, CA
About the Speaker
Matthew Rosenquist
Cybersecurity Strategist and Evangelist
Matthew Rosenquist is a cybersecurity strategist with a passion for his chosen
profession. Benefiting from 25 years of experience in Fortune 100 corporations, he
thrives at establishing strategic organizations and capabilities that deliver
cost-effective security. As a cybersecurity strategist, he champions the
meaningfulness of security, advises on emerging opportunities and threats, and
advocates an optimal balance of cost, controls, and productivity throughout the industry.
Matthew is an outspoken evangelist of cybersecurity and strives to advance the
protection of technology and users. His voice can be heard at conferences, in security
whitepapers, videos, and numerous blogs. He specializes in strategic threat analysis,
security planning, solution optimization, measuring security value, policy and
compliance management, risk assessments, investigations, and crisis response.
“Sony's own network has been thoroughly penetrated and turned against it”
“TalkTalk has been hacked, leaving thousands of customers at risk”
It is a Data Breach World
It is a Data Breach World
By 2020, 1.5+ billion people worldwide will be affected by data breaches
Source: IDC
It is a Data Breach World
In 2015, over 700 million records were lost or stolen (that is 80k per hour)
Source: Gemalto
It is a Data Breach World
The top 10 healthcare breaches of 2015 affected almost 35% of the US population
Source: Office of Civil Rights
It is a Data Breach World
Just for California… 171 breaches involving 24 million records (3 out of 5 Californians)
Source: https://oag.ca.gov/breachreport2016#summary
Source: http://www.informationisbeautiful.net
[Chart of breach sizes; call-outs: $252M, $88M]
Size of a Breach: the number of records lost is only one aspect.
Source: http://www.informationisbeautiful.net
[Chart of breach severity; call-outs: $252M, $88M]
Severity: the sensitivity of the records lost is an important consideration.
Impacts of Data Breaches
A number of aspects contribute to cascading impacts:
• Incident Response Costs
• Customer Satisfaction
• Tarnished Reputation
• Business Disruption
• Loss of Leadership
• Lower Stock Price
• Regulatory Hurdles
• Litigation
• Opportunity Costs
Numbers and Models Vary Greatly
Ponemon linear calculation (survey data; costs are flat per record):
Year   Cost per Record
2012   $130
2013   $136
2014   $145
2015   $154
Source: Ponemon
Verizon DBIR variable calculation: costs scale based upon quantity.
Source: Verizon
Cost Estimates are Not Consistent
Rough estimation of some numbers…
The various cost models are not consistent or accurate for all cases.
Breach     Records   Ponemon per record   Verizon scale model               NetDiligence calculator         Reported or estimated loss
Target     70000k    $10800 million       $15 million ($.7m-$329m range)    $345 million (IR & Cust Mgmt)   $252m
TalkTalk   150k      $23 million          $.7 million                       $3.2 million                    $88m
Anthem     80000k    $12300 million       $17 million                       $478 million                    $100-$200m est.
Costs walkthrough
• Every breach is different!
• Big Costs:
– Incident Response and customer risk mitigation (ex. credit monitoring)
– Litigation, lawsuits, regulatory reviews, etc.
– New security controls, insurance, auditing
– Business impacts (customer loyalty, stock price, etc.)
• Insurance coverage can offset some costs
• Effective Incident Response can limit damages
• Improved security can reduce recurrence risks
Typical SMB Incident Response¹:
• Incident Response: $25-$30k (a few days' work for the pros)
• Root cause analysis with infrastructure and policy recommendations: $100k (~10 weeks)
• Does not include other costs…
Source: Foundstone
¹ Many factors are at play; this is just a ballpark figure based on actual cases worked. Mileage will vary.
The Real Cost Aspects
Breach Impacts & Recovery
• Incident Response & Forensics
• User Notification
• Public Relations & brand protection
• Crisis Management
• Customer risk mitigation measures (new cards, password resets, credit watch, etc.)
Security Improvement Investments
• Prevention controls
• Product/Service design & test (including vendors & 3rd parties)
• Breach Insurance, audit, & certification
• Management, staffing, oversight, and reporting
Business Disruption & Opportunity Costs
• Customer goodwill, trust
• 3rd party (vendors and suppliers) relationships
• Design-for-security costs and product-to-market delays
• Security assurance overhead
• Impacts to innovation
• Leadership disruption
• Marketing & new message campaigns
Responses of Breach Victims Vary
[Diagram: response activities arranged by maturity level, BASIC → MATURE → PROFESSIONAL]
Activities shown: Risk Mitigation; Crisis Management; Incident Response; Breach Discovery; Management Oversight and Ownership; Risk Assurance & Transfer; Product & Service production; Broader Risk Assessment; Optimize security posture & costs; Offset impacts to innovation and product delivery; Plan & Prepare for future security incidents.
Recommendations
• Secure the environment & data with industry best practices
• Align/pre-stage resources (ex. legal, CERT, PR, management, etc.)
• Plan for a breach, test response annually
• Implement/tune Disaster Recovery and Business Continuity (DRBC)
• Tighten data policies (retention, access, storage, oversight, etc.)
• Evaluate cyber data-breach insurance
• Risk assessment for vendor and supplier weaknesses
Future data security challenges
• More data breaches! (both indirect targeting and directed attacks)
• Secondary attacks against previous victims who have not taken proper steps to secure their environment
• Tuning of insurance rates and coverage
• Integrity attacks gain momentum (ex. ransomware, CEO email fraud, transaction tampering, etc.)
Conclusions
• The risks of Data Breaches are real and broadening
• Actual costs of Data Breaches are more complex than the perception
• Eventually everyone will experience a loss…
• Manage your Risks! (this greatly determines the amount of loss)
• Common sense applies:
– Follow industry best-known-methods to secure data to reduce risks
– Organize and prepare. Be proactive!
– React quickly with professionals (organic or external) to limit losses
– Apply learnings to protect from recurrence
…Yes, this means you!