Calculate risk in under two minutes

Data breaches are here to stay and are becoming more frequent and larger in scale (see this infographic for examples). Data breaches are so front of mind that we risk becoming desensitized to them – we’ve seen this firsthand. Privacy compliance issues can be on such a massive scale that organizations fail to take action because they don’t know where to start and worry that they will have a breach regardless of their efforts to defend data. That mindset is not only legally dangerous (ignorance is not a compliance control) but also naïve. The good news is that conducting a quantitative risk analysis is far easier than you think. In fact, you can do one in less time than it will take you to read this blog post.

A data breach can encompass many types of sensitive and regulated data including cardholder data (PCI DSS), healthcare data (HIPAA, PHIPA), personally identifiable and financial data (GLBA, GDPR, state breach notification laws), and intellectual property (EAR, ITAR). We will use PII for this exercise since every organization has employee information such as tax identifiers, contact information, banking information, etc.

The Risk (R) of a data breach is the financial Impact (I) of a breach multiplied by the Probability (P) that a breach will occur.

R = P x I

Minimally, the Impact of a PII data breach is the cost of credit monitoring at $240 per person per year. So Impact (I) is $240 times the number of people whose PII would be exposed in a breach. There will be additional costs of the associated forensics investigation, legal work, and public relations but we’ll leave those out for now.
The Probability of a breach is 100% when calculated over a long enough time period, but we need something more practical. The 2017 Cost of a Data Breach Study by Ponemon determined that the average probability of a breach is 27.7% “in the next 24 months.” Let’s divide that by two years to get an annual probability of 13.85%.

R = .1385 x ($240 x number of people)

We recently worked with an organization that stores, in SharePoint and on a file server, PII related to about 1,200 employees, 800 contractors, and (conservatively) 24 investors. It’s important to note that storing PII in multiple places does not necessarily increase the impact of a breach (if the PII of the same individual is exposed twice, the costs for credit monitoring don’t double), but it does increase the probability. It’s difficult to account for this – doubling the probability seems aggressive, but it is the easiest way to reflect that risk increases when there are multiple repositories of sensitive data. Simply put, more ways to have a breach means more chances that a breach will happen. With that, we’ll adjust the probability to 27.7%.

Their annual risk is calculated as:
R = P x I
R = .277 x ($240 x 2,024)
R = $134,553 per year

This organization needs to be spending some percentage of $134,553 a year to reduce their risk of a PII data breach in the two environments. How much to spend in order to reduce risk is based on risk tolerance. This organization is a regulated financial services organization, so the risk tolerance for their industry dictates that they should be spending a fair amount, since they also risk compliance fines. How much more to spend is more art than science.

Of course you can never reduce risk to zero. Part of the calculus that goes into figuring out how much to spend on risk reduction includes cyber insurance premiums. Cyber insurance is a viable option for covering risks that are impossible or impractical to eliminate.

Finally, the risk calculation and examples above do not include “fixed” costs of a data breach such as the costs for computer forensics consultants, outside counsel, public relations, etc. We think the minimum for this organization is $200,000. Adding that amount increases the risk to $334,553. This is a big number considering many organizations of a similar size have yet to properly secure PII associated with their Human Resources file shares and SharePoint sites.
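The whole calculation above, carried through in Python as an added worked example (this is not the post's own code). It applies the post's inputs: $240 per person per year for credit monitoring, the Ponemon 27.7% figure over 24 months halved to an annual 13.85%, the post's heuristic of multiplying that probability by the number of repositories holding the data, and the $200,000 fixed-cost floor added in full rather than weighted by probability, exactly as the post does. The function names, the per-group headcount dictionary, and the input validation are my own choices. Note that the exact product .277 x $240 x 2,024 comes to $134,555.52, a couple of dollars above the post's rounded figure.

```python
"""Quantitative PII breach-risk estimate following the post's R = P x I method.

Constants and method are taken from the post; the helper names and the
breakdown dictionary returned by annual_risk() are this example's own design.
"""

# USD per exposed person per year for credit monitoring (figure from the post)
CREDIT_MONITORING_PER_PERSON = 240.0
# Probability of a breach "in the next 24 months" (Ponemon 2017, cited in the post)
BREACH_PROBABILITY_24_MONTHS = 0.277


def annual_probability(prob_over_period: float, period_months: int = 24) -> float:
    """Spread a probability quoted over a period across one year.

    The post divides 27.7% over 24 months by two years to get 13.85%/year.
    """
    if not 0.0 <= prob_over_period <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if period_months <= 0:
        raise ValueError("period must be positive")
    return prob_over_period / (period_months / 12.0)


def repository_adjusted_probability(annual_p: float, repositories: int) -> float:
    """Post's heuristic: each additional copy of the data is another way to be
    breached, so multiply the annual probability by the repository count.

    Capped at 1.0 because a probability cannot exceed certainty (the post's
    example, 2 repositories x 13.85%, stays well below the cap).
    """
    if repositories < 1:
        raise ValueError("need at least one repository")
    return min(1.0, annual_p * repositories)


def per_person_impact(people_by_group: dict) -> float:
    """Impact I = credit monitoring cost x number of distinct people exposed.

    Groups are summed. The post notes that duplicate copies of one person's
    PII do not add cost, so each individual must be counted only once here.
    """
    if any(count < 0 for count in people_by_group.values()):
        raise ValueError("headcounts cannot be negative")
    return CREDIT_MONITORING_PER_PERSON * sum(people_by_group.values())


def annual_risk(people_by_group: dict, repositories: int, fixed_costs: float = 0.0) -> dict:
    """R = P x I, plus fixed response costs (forensics, counsel, PR) added in
    full, which is how the post arrives at its final $334,553-style figure."""
    p = repository_adjusted_probability(
        annual_probability(BREACH_PROBABILITY_24_MONTHS), repositories
    )
    i = per_person_impact(people_by_group)
    variable_risk = p * i
    return {
        "people": sum(people_by_group.values()),
        "probability": p,
        "impact": i,
        "variable_risk": round(variable_risk, 2),
        "total_risk": round(variable_risk + fixed_costs, 2),
    }


if __name__ == "__main__":
    # Headcounts from the post's example organization (constructed input)
    headcount = {"employees": 1200, "contractors": 800, "investors": 24}
    for repos in (1, 2):
        result = annual_risk(headcount, repositories=repos, fixed_costs=200_000)
        print(f"{repos} repository(ies): P={result['probability']:.4f} "
              f"I=${result['impact']:,.2f} "
              f"variable risk=${result['variable_risk']:,.2f} "
              f"total with fixed costs=${result['total_risk']:,.2f}")
```

Running it side by side for one and two repositories makes the post's doubling heuristic visible: the impact term stays at $485,760 either way, and only the probability (and therefore R) changes.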

September 13, 2017