2017 Cost of Data Breach Report.pdf
2017 Cost of Data Breach Study
Global Overview
Benchmark research sponsored by IBM Security
Independently conducted by Ponemon Institute LLC
June 2017
Ponemon Institute Research Report

Ponemon Institute Research Report Page 1

2017 Cost of Data Breach Study: Global Overview
Ponemon Institute, June 2017

Part 1. Introduction

IBM Security and Ponemon Institute are pleased to release the 2017 Cost of Data Breach Study: Global Overview [1]. According to our research, the average total cost of data breach for the 419 companies participating in this research decreased from $4.00 to $3.62 million [2]. The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased from $158 in 2016 to $141 in this year's study. However, despite the decline in the overall cost, companies in this year's study are having larger breaches. The average size of the data breaches in this research increased 1.8 percent.

This year, a strong U.S. dollar significantly influenced the global cost analysis and contributed to the decline in the cost. As shown above, the cost of data breach declined $17, and approximately $8 (48 percent) of this decline can be attributed to currency rate fluctuation [3]. For purposes of consistency with prior years, we decided to continue to use the same accounting method rather than adjust the cost. It is important to note that this issue only affects the global analysis because all country-level results are shown in local currencies.

This year's study included the following 11 country and two regional samples:

- The United States
- The United Kingdom
- Germany
- Australia
- France
- Brazil
- Japan
- Italy
- India
- Canada
- South Africa
- The Middle East (including the United Arab Emirates and Saudi Arabia)
- ASEAN region (including Singapore, Indonesia, the Philippines and Malaysia)

All participating organizations experienced a data breach ranging from approximately 2,600 to slightly less than 100,000 compromised records. We define a compromised record as one that identifies the natural person whose information has been lost or stolen in a data breach. The terms "cost per compromised record" and "per capita cost" have equivalent meaning in this report.

In addition to presenting trends in the various components of the cost of data breach, the global study determines the likelihood that an organization will have one or more data breaches in the next 24 months. Two factors were used to determine the probability of a future data breach: the current data breach size and the organization's location. Based on this year's research, we estimate an average probability of 27.7 percent that organizations in this study will have a material data breach in the next 24 months. Last year, the average probability was 25.6 percent.

[1] This report is dated in the year of publication rather than the year of fieldwork completion. Please note that the majority of data breach incidents studied in the current report happened in the 2016 calendar year.
[2] Local currencies were converted to U.S. dollars.
[3] The conversion from local currencies to the U.S. dollar deflated the per capita and average total cost estimates, especially for companies in the U.K., Germany, France and Italy (e.g., the Pound (£) and Euro (€)).
Global study at a glance

- 419 companies in 13 country or regional samples
- $3.62 million is the average total cost of data breach
- 10% one-year decrease in average total cost
- $141 is the average cost per lost or stolen record
- 11.4% one-year decrease in the per capita cost
- 27.7% is the likelihood of a recurring material data breach over the next two years
- 2.1% increase in the likelihood of a recurring material data breach

Organizations in South Africa, India and Brazil are those most likely to experience a material data breach involving 10,000 or more records over the next 24 months. At 41 percent, South Africa has the highest probability of experiencing a data breach in the next 24 months. At 14.5 percent, Canada has the lowest probability of having a future data breach. A material data breach is one that involves a minimum of 1,000 lost or stolen records containing personal information about consumers or customers. This research does not include data breaches involving high-value information assets such as intellectual property, trade secrets and business confidential information.

Why the cost of data breach fluctuates across countries

What explains the significant increases in the cost of data breach this year for organizations in the Middle East, the United States and Japan? In contrast, how did organizations in Germany, France, Australia, and the United Kingdom succeed in reducing the costs to respond to and remediate the data breach? Understanding how the cost of data breach is calculated will explain the differences among the countries in this research.

For the 2017 Cost of Data Breach Study: Global Overview, we recruited 419 organizations in 11 countries and two regions to participate in this year's study. More than 1,900 individuals who are knowledgeable about the data breach incident in these 419 organizations were interviewed.
The first data points we collected from these organizations were: (1) how many customer records were lost in the breach (i.e. the size of the breach) and (2) what percentage of their customer base they lost following the data breach (i.e. customer churn). This information explains why the costs increase or decrease from the past year.

In the course of our interviews, we also asked questions to determine what the organization spent on activities for the discovery of and the immediate response to the data breach, such as forensics and investigations, and those conducted in the aftermath of discovery, such as the notification of victims and legal fees. A list of these activities is shown in Part 3 of this report. Other issues covered that may have an influence on the cost are the root causes of the data breach (i.e. malicious or criminal attack, insider negligence or system glitch) and the time to detect and contain the incident.

It is important to note that only events directly relevant to the data breach experience of the 419 organizations represented in this research and discussed above are used to calculate the cost. For example, new regulations, such as the General Data Protection Regulation (GDPR), ransomware and cyber attacks, such as Shamoon, may encourage organizations to increase investments in their governance practices and security-enabling technologies but do not directly affect the cost of a data breach as presented in this research.

The calculation of the components of the cost of data breach and the factors that affect the cost

The following information presents the data that is used to calculate the cost and the factors that may increase or decrease these costs. We believe such information will help organizations make better decisions about how to allocate resources to minimize the financial consequences when the inevitable data breach strikes.

- The unexpected and unplanned loss of customers following a data breach (churn rate). Programs that preserve customer trust and loyalty in advance of the breach will help reduce the number of lost business/customers. In this year's research, more organizations worldwide lost customers as a result of their data breaches. However, as shown, having a senior-level leader such as a chief privacy officer or chief information security officer who will be able to direct initiatives that improve customers' trust in how the organization safeguards their personal information will reduce churn and the cost of the breach. Organizations that offer data breach victims identity protection in the aftermath of the breach are also more successful in reducing churn.

- The size of the breach or the number of records lost or stolen. It makes sense that the more records lost, the higher the cost of data breach. Therefore, data classification schema and retention programs are critical to having visibility into the sensitive and confidential information that is vulnerable to a breach and reducing the volume of such information.

- The time it takes to identify and contain a data breach. The faster the data breach can be identified and contained, the lower the costs. In this year's study, organizations were able to reduce the days to identify the data breach from an average of approximately 201 in 2016 to 191 days and the average days to contain the data breach from 70 to 66 days. We attribute these improvements to investments in such enabling security technologies as security analytics, SIEM, enterprise-wide encryption and threat intelligence sharing platforms. In contrast, security complexity and the deployment of disruptive technologies can affect the time to detect and contain a data breach. Although some complexity in an IT security architecture is expected to deal with the many threats facing organizations, too much complexity can impact the ability to respond to data breaches. Disruptive technologies, access to cloud-based applications and data as well as the use of mobile devices (including BYOD and mobile apps) increase the complexity of dealing with IT security risks and data breaches. As shown in the research, cloud migration at the time of the data breach and mobile platforms were shown to increase the cost.

- The detection and escalation of the data breach incident. Detection and escalation costs include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors. Investments in governance, risk management and compliance (GRC) programs that establish an internal framework for satisfying governance requirements, evaluating risk across the enterprise and tracking compliance with governance requirements can improve an organization's ability to detect and escalate a data breach.

- Post data breach costs, including the cost to notify victims. These costs include help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions. The United States had the highest notification costs. The purchase of cyber and data breach insurance can help manage the financial consequences of the incident. As shown in this year's study, insurance protection and business continuity management reduced the cost of data breach following the discovery of the incident. In contrast, the rush to notify victims without understanding the scope of the breach, compliance failures and the engagement of consultants all increase post data breach costs. Expenditures to resolve lawsuits also increase post data breach costs.

- An attack by a malicious insider or criminal is costlier than system glitches and negligence (human factor). Almost half of organizations represented in this research (47 percent) identified the root cause of the data breach as a malicious or criminal attack, and the average cost was approximately $156. In contrast, system glitches and human error or negligence averaged approximately $128 and $126, respectively. Factors that may decrease the cost are participation in threat sharing, use of security analytics and the recruitment and retention of knowledgeable personnel.

In conclusion, organizations in Australia, Germany, France and the United Kingdom were able to improve their ability to keep customers and, as a result, reduced the cost of data breach. Organizations in Australia, the United Kingdom and Germany also were able to limit the number of customer records lost or stolen and, as a result, had lower costs. Countries in the Middle East and the United States, by contrast, experienced a higher percentage of churn and had higher costs. Organizations in Brazil, India, the Middle East and South Africa had data breaches involving more lost or stolen records, which increased their costs. The individual country reports present in greater detail the cost components and factors that affected the cost.

The following are the most salient findings and implications for organizations:

The global cost of data breach decreases. The average cost of data breach decreased 10 percent and the per capita cost decreased 2.9 percent. However, the average size of a data breach (number of records lost or stolen) increased 1.8 percent. Over the past year, there was no change in the abnormal churn rate, which is defined as the greater than expected loss of customers. Last year the average total cost increased 5.4 percent, and the average size of a data breach increased 3.2 percent. Both abnormal churn and the per capita cost increased 2.9 percent.
Data breaches are most expensive in the United States and Canada and least expensive in Brazil and India. The average per capita cost of data breach was $225 in the United States and $190 in Canada. The lowest cost was in Brazil ($79) and India ($64). The average total organizational cost in the United States was $7.35 million and $4.94 million in the Middle East. The lowest average total organizational cost was in Brazil ($1.52 million) and India ($1.68 million).

Trends in the cost of data breach vary among countries. The comparison of this year's cost of data breach to the four-year average reveals that the cost increased for organizations in five countries and decreased in seven countries. Germany had the biggest decrease in average total cost (-.91), followed by France (-.68), Australia (-.48) and the United Kingdom (-.45). The most significant increase in average total cost occurred in the Middle East (+.83), the United States (+.6) and Japan (+.52).

Certain industries have more costly data breaches. The average global cost of data breach per lost or stolen record was $141. However, health care organizations had an average cost of $380 and in financial services the average cost was $245. Media ($119), research ($101) and public sector ($71) had the lowest average cost per lost or stolen record.

Organizations in certain countries are more likely to have a data breach. Throughout the past four years, this research has studied the likelihood of one or more data breaches over a 24-month period. South Africa and India have the highest estimated probability of occurrence. Germany and Canada have the lowest probability of a data breach in the next 24 months.

Detection and escalation costs are highest in Canada and lowest in Brazil. Data breach costs to detect and escalate the incident are forensic and investigative activities, assessment and audit services, crisis team management and communications to