Cutting the cost of a data breach

At the Black Hat USA 2019 cybersecurity conference in Las Vegas, CNET and CBS News Senior Producer Dan Patterson spoke with IBM’s Wendi Whitmore about why a data breach isn’t a one-time cost and recommends cost-saving tips, The following is an edited transcript of the interview.

Wendi Whitmore: I’ve been responding to these breaches for almost two decades at this point. There’s one thing that’s constant and that’s time is money, and in today’s world, data is money. That’s why these breaches continue to occur is because organizations, and people, in particular, attackers, can make money off them, right? The
dark web
is the world’s third-largest economy. It’s just under 6 trillion US dollars annually. So if a market’s that big and I stand to gain from it financially, these attacks are going to continue to occur. So to answer your question, I think that’s why they’re going on. We expect they’re going to continue.

An interesting fact that we just identified in the actual cost of a data breach study that we released this year, for the first time we tracked the fact that breaches are really not a one-time cost, right? They’re often thought of that way. We have teams on the ground today where we go into organizations, and they’re like, “Okay, great. I’m going to outlay this cost for the response, for the legal fees, for notification, maybe some credit monitoring,” but they kind of think it’s a one-time thing and done, and they report it that quarter and they move on.

The reality is only 66% of the actual total cost of a breach is even incurred in the first year. We’re seeing 33%, so 22% year two, 11% year three that’s incurred moving forward. So there’s a long tail of costs that are coming at this point with breaches.
Small to medium businesses are hit disproportionately large when it comes to the cost of a data breach. Right? So if the average cost is about 4 million US dollars, usually small to medium businesses are making $50 million or less in revenue annually, so right then and there, that’s a huge impact.

Things that we can see that all organizations can do more effectively cutting down the cost, one is having access to an incident response team. Not saying you have to have a full-time team of people that are doing that, but maybe you have an external partnership and agreement. I mentioned earlier that time is money. The reality is the less time we can give attackers in our environment the better, the less cost there is.

The second thing would be actually having a plan and practicing it. We see on average organizations that practice scenario testing more than one time per year, are going to save about $1.25 million off that average cost of $4 million for a data breach. So there’s definitely some testing and preparation. Having a plan doesn’t mean that you just have kind of a piece of paper that says hey, call this person, but it means you’re actually testing scenarios that are relevant to potentially hit your organization.

And then in the case of a destructive attack, which are unfortunately happening more often, do you know how to get ahold of your team members if you can’t email them? If you can’t use kind of the regular corporate infrastructure to contact your employees, how do you do it? Do you have a WhatsApp group that you set up? Do you have alternate infrastructure you can use? Those are the kind of things that we want organizations thinking about and that when they do, they can significantly reduce their cost.