CHAPTER 9
Monetary Considerations: Strategy & Collaboration

IT security budgets have not yet clearly defined the line item for social media security. And trying to retrofit the IT security budget by assuming that tools already purchased for data loss prevention will also cover all your social media security concerns won’t give you enough coverage. According to the 2010 Ponemon Institute Cost of a Data Breach study,¹ data breach incidents cost U.S. companies, on average, $6.75 million per incident and $204 per compromised customer record (Australia has the lowest cost per data breach incident, but even that’s $1.83 million). The most expensive data breach event cost a company nearly $31 million to resolve. Several other interesting findings from the study include:

¹ Ponemon Institute, Five Counties, Cost of Data Breach (April 19, 2010), http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%20Global%20CODB.pdf.

• The annual U.S. Cost of Data Breach Study tracks a wide range of cost factors, including expensive outlays for detection, escalation, notification, and response along with legal, investigative, and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

• Negligent insider breaches have decreased in number and cost, most likely resulting from training and awareness programs having a positive effect on employees’ sensitivity to and awareness of the importance of protecting personal information. Additionally, 58 percent of companies have expanded their use of encryption—up from 44 percent last year.

• Organizations are spending more on legal defense costs, which can be attributed to increasing fears of successful class action suits, resulting from customer, consumer, or employee data loss.

• Third-party organizations accounted for 42 percent of all breach cases, dropping from 44 percent of all cases in 2008. These remain the most costly form of data breaches because of the additional investigation and consulting fees.

• The least expensive data breach event for a company included in the study was $750,000. The result of these breaches is customer “churn” due to data loss; the study found abnormally high churn rates in pharmaceuticals, communications, and healthcare, followed by financial services.

As we’ve been discussing, a company’s social media engagement can affect multiple vectors that drive cost, as verified by the Ponemon study’s specific mentions of detection, escalation, notification, response, opportunity loss, and reputation management. If you are not managing social networks and potential data loss through social networks, you will incur costs in these areas. Legal actions will become a more significant cost as social media cases make it through the courts. Figure 9-1 shows the total cost of data breaches as found in the Ponemon study.

Figure 9-1 Total data breach cost

The healthcare industry leads all industries in data breaches. Some of the key findings in the Ponemon Institute Cost of a Data Breach study regarding the healthcare industry include:

• Data breaches cost the healthcare industry $6 billion per year.

• Data breaches cost healthcare organizations an average of $1 million per year.

• Lack of staff and preparation (policies and processes) are blamed for most data breaches.

• Organizations have little or no confidence in their ability to secure patient records appropriately (58 percent).

• Healthcare organizations have inadequate resources (71 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.

• 70 percent of hospitals stated that protecting patient data is not a top priority.

• Patient billing (35 percent) and medical records (26 percent) are the most susceptible to data loss or theft.

Are companies dedicating the right monetary resources to the real problems they face? This chapter focuses on your social media security monetary strategy. Specifically, we look at

• Determining the cost of implementing—and not implementing—controls

• Determining the cost of threats
