Where our team of guest writers discuss what they think about the current FST US Issues.

Comparing the true cost of a data breach vs. the cost to prevent it in the first place
High-profile data breaches have been making global headlines in recent years due to their breadth of impact and high cost to consumers, businesses and government agencies alike. The TJX breach reportedly affected up to 94 million consumer credit records, caused losses in excess of $83 million and brought numerous lawsuits upon the company. According to the Identity Theft Resource Center (ITRC), the number of publicly reported data breaches in the U.S. rose by more than 40 percent in 2007, with some 127 million data records exposed during the year. Data breaches involving credit card numbers, Social Security numbers or patient data receive much media attention, but all organizations work with many types of valuable information that could be extremely costly if leaked. Consider personnel data, customer lists, valuable intellectual property, merger and acquisition plans, financial results and legal documents, just to name a few examples.
One data leak can result in continuous cost. After making affected customers whole, conducting an internal investigation, repairing any damage to internal systems and dealing with expected litigation, you can count on external audits, increased regulatory body oversight and a damaged reputation to stay with you for a while. One mistake can have far-reaching consequences, and a serious leak may mean that your business will never recover – or at least never return to “normal”.
For these reasons, leading organizations are taking the necessary steps to proactively protect their sensitive information from a potential breach. Advanced data loss prevention (DLP) technologies are available to help organizations identify sensitive data, monitor its use and protect it from unintentional misuse or malicious theft. DLP solutions act as a cornerstone of a company’s information security strategy and can significantly mitigate the threat of a data breach, providing a clear return on investment (ROI). These solutions provide a sound cost-avoidance strategy and can positively impact revenue – saving hundreds of millions of dollars with little upfront investment. In today’s information age, the risk of continuing business as usual is clear – as is the reward for implementing diligent data control and leak prevention measures.
Measured against the total cost of a data leak, the total cost of ownership of a DLP solution reflects substantial financial savings in the short term and an evident competitive advantage throughout the life of your company. Yet the simple steps required to protect sensitive data are often overlooked.
Leakage of personally identifiable information and personal health information carries great potential for financial loss. The risk of damage extends beyond your company, ultimately affecting customers, business partners, and other stakeholders. In response to such a leak, you are likely to face pressure from regulatory bodies, consumer watchdog organizations, and even the press. The possibility of litigation is significant, resulting in legal fees, a settlement or verdict, and other remedies that can affect your business for many years.
The direct costs resulting from a data leak of this kind typically consist of:
Intellectual property is a second, often overlooked category of leaks. Whether you are a computer chip manufacturer creating the next great processor or a Wall Street investment firm creating the next investment package of high-growth funds, intellectual property is the greatest competitive advantage a company has toward sustainability and profitability. Most intellectual property data losses go unreported for two reasons: 1) there are no public disclosure laws, to date, that apply to intellectual property, and 2) the impact on corporate reputation and valuation from a publicized loss would likely be tremendous.
The direct costs of an intellectual property leak typically include:
The cost of a leak can vary, especially as the far-reaching effects can be difficult to gauge.
Forrester Research estimates that the average data leak results in $1.5 million in economic damage, while The Ponemon Institute pegs the amount at $4.8 million. Ultimately, the cost of the leak is determined by the size and nature of the organization, the sensitivity of the data leaked, and the size of the leak itself.
DLP, as a percentage of the total financial risk a data breach can bring, is extremely cost-effective and provides a clear ROI. The most obvious and direct return on investment from a DLP solution is preventing data leaks; however, additional benefits include adherence to regulatory compliance and improvement to business operations. Organizations that have implemented DLP solutions derive extra value from their investment by refining business processes and reducing operational inefficiencies as a result of the increased visibility they have into their information flows. DLP solutions provide greater understanding of what sensitive data exists in an organization, who is accessing that data, where it is traveling and how. The key is to be able to understand how information is used within the organization and improve those processes that may be broken.
Many organizations have documented processes clearly but lack a monitoring and control mechanism to regulate written policy. Others have processes that restrict business but are required to mitigate risks. Without a control mechanism, once-efficient processes often fall victim to employee vices (e.g., laziness, absent-mindedness, apathy, carelessness, ignorance, inconsistency, indecision, indifference, impatience, irresponsibility, poor judgment, presumptuousness, shortsightedness, and stupidity).
There are two primary benefits to maximizing affirmative business processes and remediating those that are broken: 1) efficiency, and 2) effectiveness. By focusing on a core set of critical affirmative business processes, you can audit and enforce your processes with a DLP solution, helping to ensure that the organization is following the most efficient workflow possible and working toward maximum operational efficiency and increased transactions/volume. In addition, DLP solutions give you situational awareness to identify who is sending what data, where, and how, providing actionable intelligence to identify and remediate broken business processes. A more efficient business is a more capable and competitive enterprise. The second benefit, increased effectiveness, most closely translates to reduced operating margin – net savings, increased profits, etc. By increasing the effectiveness of affirmative business processes, you can decrease such variables as cost of sale, sales cycle, margin cost, cost per transaction, and thus guarantee an increase in rate of return, return on investment, etc. This is best illustrated in the following example of a fictitious Wall Street investment brokerage firm:
The firm has a policy that encourages employees to use the Internet to research and gather investment and market information. The Internet is a key tool for analysts to keep track of investments, trends, and market-changing events. However, the policy has a specific parameter that prohibits employees from visiting social networking Web sites (e.g., blogs, chat boards, etc.) during work hours. The reason: the risk of employees posting confidential data on customers/investments is too great for the firm to accept. As a result, its financial analysts are barred from a great source of real-time investment/market information, and are either forced to uncover the information by other means (inefficient) or go without it, at a disadvantage to other analysts (ineffective). However, with a DLP solution that includes awareness and controls for users, data, and their destinations, the firm can set a control for an affirmative business policy that says, “A financial analyst can visit any blog or chat board, but cannot post confidential data to the site.” The policy can be applied to specific users, data types, destinations, and even categorically (e.g., all financial analysts, all chat boards, all confidential data). Thus, the affirmative business process is enabled, yet secured, making the employees both more efficient and effective for their customers, and potentially having a marked influence on revenue.
The loss of data has the potential to alter a business completely, especially in a business climate characterized by increasing competition and rapid product obsolescence. Most leaks are preventable, through the implementation of DLP solutions and corresponding governance models, which can be used as the backbone of improved operations that reduce risk while delivering a competitive advantage.
DLP, as a percentage of the total risk of a data leak, is extremely cost-effective. For less than half a percent of the cost of a leak, a company can protect itself. A few hundred thousand dollars in security can translate into hundreds of millions of dollars in savings, every year.
About David Meizlik
David Meizlik is the senior product marketing manager for Data Security Solutions at Websense, Inc., the leading provider of Web and content security solutions based in San Diego, California. His responsibilities include product positioning, go-to-market strategy and development, market and competitive analysis, and program development for Websense security products. Meizlik earned a bachelor's degree from the Marshall School of Business at the University of Southern California, and went on to receive a graduate degree in communications management and technology from the USC Annenberg School for Communication. He has authored several technology papers, including The ROI of Data Loss Prevention (DLP), Justifying Data Security: An Investment in Competitive Advantage, Deep Content Control™ Keeps Data in the Enterprise, There’s More to HIPAA than Compliance, Prevent Leaks and Comply with PCI, E-Discovery Leaves No Stone Unturned, Protecting the Crown Jewels: Securing Intellectual Property, and GLBA Compliance Requires that Leaks be Sealed.
About Websense
Websense, Inc., a global leader in integrated Web, messaging and data protection technologies, provides Essential Information Protection™ for more than 42 million employees at more than 50,000 organizations worldwide. Distributed through its global network of channel partners, Websense software and hosted security solutions help organizations block malicious code, prevent the loss of confidential information and enforce Internet use and security policies. For more information, visit www.websense.com.