Marc Van Zadelhoof, VP of IBM Security Strategy, was interviewed on CNBC about these latest findings:
If you develop mobile applications and you've got that queasy feeling in your stomach that you're not doing enough to make sure your app is secure, you are not alone. IBM and The Ponemon Institute have just released a ne
You can download and read "The
How much does a data breach cost your company? That's one of the toughest questions an IT security professional can be asked. The effects of a data breach are potentially catastrophic for a company, but quantifying the risk is a difficult task.
That's why IBM has sponsored the Ponemon Institute's 2014 Cost of Data Breach Study. This far-reaching study draws on 1,690 interviews across 10 countries and 16 sectors, and it is grounded in the actual experiences of breached companies rather than could-have-happened theoretical discussions.
The Ponemon Institute has released both a global report and 10 country specific reports:
One of the most eye-popping charts in the report analyzes the reported data to show the clear relationship between the size of the breach (number of records compromised) and its total cost. Keep in mind that this is not some hypothetical computer model: it is a regression fitted to the actual interviews and the costs the companies reported.
The 2014 Ponemon Cost of Data Breach Study is a must-read for anyone who needs to build a business case for protecting against data breaches.
IBM Global Technology Services has released a follow-on study to its Global Study on the Economic Impact of IT Risk, which was done with the Ponemon Institute. The follow-on study is called "Mak
"Ponemon Institute surveyed 1,069 business continuity specialists and 1,247 IT security practitioners representing 20 industries and 37 countries. Most of the combined group of 2,316 respondents are in the IT organization and report directly to the CIO or head of corporate IT. Respondents at the manager level represent the largest segment (33 percent), followed by directors (23 percent) and supervisors (19 percent). More than half of the respondents are in larger-sized organizations with more than 5,000 full-time equivalent employees.
Participation was limited to IT professionals whose job focus is either business continuity, IT security or both, with decision-making or performance-related responsibilities. Although most participants are focused on only one of the IT disciplines, their survey responses were remarkably similar—with only a few instances of statistically relevant differences."
In order to get down to dollars and cents, the survey respondents were asked to estimate the number of minutes of downtime caused by "minor," "moderate," and "substantial" events, to estimate the total cost of that downtime, and then to apportion that cost across various categories of loss to the company.
There is a lot of detail in the report. One of the more interesting findings was that "minor" events had a higher cost per minute of disruption than even "substantial" ones. But the bottom-line summary from the report is Figure 2:
The absolute numbers are huge! You can quibble with the absolute numbers, arguing for instance that a small business's costs from IT incidents are going to be smaller than those incurred by a major enterprise. But I think the percentage breakdown is very interesting and probably holds across enterprises of all sizes. By far, the costs associated with IT disruptions fall more on the business than on the IT organization. A staggering 75% of the cost of IT incidents is business-oriented loss, not technical cost to the IT organization. And the biggest of the business costs is damage to reputation and brand.
If that's not enough to make line of business owners stand up and take notice, I don't know what will.