An Interview with the Experts on the Cost of Ensuring Security of Data
Featuring: Avivah Litan, Vice President and distinguished analyst at Gartner Group, with a fifteen-year professional background at the World Bank as a senior manager. She was a consultant for two years at Booz Allen Hamilton and also spent a year as a systems analyst at Sperry Univac; she also has 26 years of experience in the IT industry, specifically in security and privacy issues.
Litan recently authored a Gartner report on the cost of data encryption. In that report, Litan noted that a "company with at least 10,000 accounts to protect can spend in the first year as little as $6 per customer account for just data encryption or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined. Compare that with the expenditure of at least $90 per customer account when data is compromised or exposed during a breach."
Litan also recently testified on identity theft at a Senate hearing that was held after the recent Department of Veterans Affairs data loss of 26.5 million veteran identities.
Moderated by Peter Rabinowitz, a privacy consultant with PricewaterhouseCoopers LLP in Philadelphia and a co-chair of the IAPP's Financial Services Industry Working Group, this interview explores the costs and ramifications of ensuring the security of data.
Peter: Avivah, I personally found your research both very timely and very important. Can you give us more background about how you and Gartner arrived at the data you recently published?
Avivah: We first looked at the cost of failure to protect customer data and then we looked at the cost of protecting data. There are a number of data points that provide indicators of failures. We specifically looked at the publicly reported information by ChoicePoint as the 'poster child' for a data breach or unauthorized access to their records. Over the first and second quarter of 2005, that firm reported about 11.4 million dollars in charges directly related to that incident. That worked out to about $79 per account in direct charges which included legal expenses, professional fees and communications to respective customers. We then added in the embedded cost of clean up and recovery system modifications that provide after-the-fact security improvements and other related indirect costs. When we added those other costs, we came out to about $90 per exposed account for about 145,000 customer records. That does not include the effect of the FTC fines against ChoicePoint which was something like $11 million plus another $4 million penalty, but it did include some basic costs that we think other firms will have to go through. Again, it excludes lawsuits, FTC fines (and we all know that those add up much more quickly). DSW and BJs, for example, have lawsuits and fines against them that quickly add up. The costs we included are the ones we just mentioned: legal expenses, professional fees, communications and system clean-up after the fact.
Then we looked at the cost of protecting data and we looked at what it would cost on average for about 100,000 accounts. There are many ways you can protect data; we thought it made sense to look at three basic straw man scenarios: data encryption, host-based intrusion prevention, vigorous and continuous security audits. When we looked at encryption, we looked at some of the technologies that are evolving: network-based encryption appliances and media-level encryption appliances. We estimated an expenditure of about half a million dollars would be feasible for protecting 100,000 or more customer record systems. That translates into about $5 per customer account in the first year and about $1 per account per year in recurring costs.
Similarly, we looked at host-based intrusion prevention systems (systems that are sitting out on servers with sensors to look at attacks and to detect attacks - and at the software agents and labor required to configure, tune and monitor those activities to ensure business operations are not impacted by false blocking actions.) For large processing systems, there may be as many as 1,000 servers that need to be protected. With those environments you can negotiate annual prices of about $350 to $500 per server depending on the operating system.
Then we looked at what the labor would be for a 6-month expenditure or about $200,000 at the high end. An overall host intrusion prevention expenditure of about $600,000 could have prevented some of these large-scale attacks. Much less needs to be spent where fewer servers are involved. For 100,000 accounts, that works out to be about $6 per customer account with recurring costs on the order of $2 per account per year.
Finally, we looked at the cost of vigorous and continuous security audits. We just looked at the cost of the audit which would be about $3 - $4 per account as a recurring cost.
These strategies are not mutually inclusive. You don't have to do all of them. You may just want to do encryption and not do strong security audits on a continuous basis. You may not want to have host-intrusion prevention expenditures if you've got encryption or vice versa. If you did all three, it would add up to about $16 per account. If you only did encryption, it could add up to about $6 per customer account and that compares to what we got from the public record of about $90 per customer account for data breaches. Again, those data breach costs do not include any fines that may be exposed, any impending legislative costs, so it was minimal based on the public records.
Peter: Clearly those costs can add up, however, one thing you haven't mentioned is the intangible cost to businesses of the risk of a significant security breach. Can you comment on that as well?
Avivah: We did not get into trying to estimate the intangible costs because we tried to stick to the hard numbers, but there are many intangible costs. For example, in the case of ChoicePoint, their market cap dropped by about $720 million immediately after the disclosure. You will find that stock values go down, which is a tangible cost, but it could be temporary. More importantly, reputation suffers tremendously. ChoicePoint is a really good example of that. When you mention the name ChoicePoint, it conjures up this big data breach. They suffered a lot for that. I think what people do not know is that ChoicePoint has one of the best security programs out there today as a result of the FTC order. They put in what could be considered model security and data privacy programs, but unfortunately, people don't know that. They just remember the breach. When you mention other names in the industry, whether it's BJ's or DSW or the Veterans Affairs Administration, the data breaches are the first thing people think about. The VA case is a really good example - they suffered tremendous negative publicity. It couldn't have happened to a less deserving group of people, so it looks like it was particularly unfair.
Peter: Are customers voting to do business more and more with companies that have strong security programs that will protect their personal information? Are they choosing to go elsewhere in the marketplace if they find that a company does not have adequate security in place?
Avivah: It's too early to say if consumers per se are jumping ship with companies that have breached data. I have a survey out in the field looking at just that. To see, for example, if they are going to buy fewer shoes at a company that may have had a breach. Frankly, I don't know if that is true. I think from the consumer's viewpoint, it is out of their control and I am not sure they are going to base their shopping decisions on security, but they might. I will know better in a few months.
Peter: When you were talking about the costs of remediation and also the preventive costs for data security, were you looking at companies that have both domestic and international operations? Are the costs significantly higher for complying with the international data security laws?
Avivah: We may have taken the easy way out, but we looked at this from an IT perspective, so it didn't matter if they had an international business or domestic business because we did not add up the cost of regulatory compliance. We just looked at the cost of the data breach and what U.S. companies spent in responding, for that is the public data to which we had access. Then we looked at IT costs at the data level. We didn't look at the significant cost of compliance given the different state laws. We just looked at IT cost of protection vs. data breach.
Peter: There has been a lot of discussion about the issue of encrypting specific data on systems, particularly on laptops out in the mobile workforce, as well as the issue of encrypting hard drives themselves. I have heard some say that if many of the laptops that went missing had encrypted hard drives, many companies wouldn't be in the situation they find themselves in now. What are your thoughts on this, particularly from an IT cost perspective?
Avivah: Encrypting data on laptops and hard drives can be really cost effective. Frankly, there is no excuse anymore not to encrypt data on laptops or mobile devices. The cost has come down dramatically. The cost for laptop encryption is $40 or less per laptop. It gets much more complicated with regard to encrypting fields on a server. For example, if you choose to encrypt just the Social Security field in your database, it could be very costly depending on the application and how they use that data. It might end up with a company having to rewrite the application... much easier said than done. There are certain areas of encryption that are very complicated and difficult if you are not starting from scratch. There are other areas, notably laptops and mobile data protection, that are very easy to do, as well as back-up tape encryption. There are also some compensating controls if you can't encrypt on a server, for example, database activity monitoring. When you talk about mobile media, there is no excuse today. It is really bordering on negligence. First of all, you shouldn't let the data go to a laptop in the first place. I don't understand why companies are allowing employees to take customer data home.
Peter: When you say there is no good excuse these days, is one concern security awareness and training? Is there an understanding of these issues at the senior levels of companies? Is there a breakdown when it comes to actually implementing security awareness and training?
Avivah: I think the state disclosure laws have resulted in great awareness at the executive level regarding data privacy concerns, but translating that into reality is another matter. Security budgets are usually at the bottom of the list and systems are like spaghetti. There are so many processes in place in these large corporations and no one has a really good handle on all the data that comes in and out. That seems to be the general atmosphere, although I recently spoke with a very large New York investment bank that has a really good handle on data leaving their servers. They don't allow any data to ever leave and data that is on the server is encrypted and segmented, so there are exceptions, but generally there is a huge gap between executive level awareness and process within the IT department. It is going to take years to fix unless it becomes a high priority.
Peter: Is one solution for companies to do a better job in risk-rating their data and closely looking at the individual data elements to determine what data people need to take with them on the road?
Avivah: Yes, that is a really excellent question. I think it is business as usual and no one in general is taking a hard look at why we do need this data in the first place on their hard drive.
Peter: What about retention programs? Folks say that if we don't have the data in the first place, it can't get lost or stolen. Are companies keeping data too long beyond their needs for legal compliance and business purposes? Should companies really look at cleaning house?
Avivah: Yes, data archive and retention policies are areas that are at the bottom of the budget list. I think the data auditing and accounting problems of the last few years have forced many of the top financial companies to take a hard look at their data retention and archive policies. While a lot of them have it under control, the average enterprise does not have that under control. They tend to keep data around instead of deleting it and archiving it properly, for that is the easiest thing to do. It needs to be part of the audit program and the compliance requirements.
Peter: We talk a great deal about major international companies that have large IT budgets and large staffs. In reports by the Privacy Rights Clearinghouse, it seems there are many colleges and universities being subjected to data breaches. What would you recommend to non-profit organizations where budgets might not be as robust as they are in the for-profit sector?
Avivah: They are one of the most targeted sectors - one statistic reveals that 1/3 of the attacks were against universities and there is a good reason for that. They are naturally an open environment and don't want to have a lot of restrictions on how the network is accessed. I think the best policy for universities is just to very strongly restrict confidential data.
Peter: What about the concern that a real risk to companies is not just what they are doing in-house, but who their business partners and vendors are and what they are doing. The perimeter for the security program for companies has been extended tremendously with the amount of outsourcing that takes place. Your thoughts on that?
Avivah: You raise a lot of great issues that don't have a lot of good solutions. One of the big problems with outsourcing operations is the training part and the employee screening part. In fact, there are companies that are starting to pull outsourcing operations in-house either by hiring foreign employees or just by bringing it back to this shore.
Peter: Is that an area where encryption can be particularly important as data is transferred back and forth between business partners around the world?
Avivah: Certainly. The problem is the insider. I moderated a session at the Gartner security conference recently with 1,000 in the audience. I asked: what do you think the biggest source is for theft and fraud? At least 60/70 percent of the audience said it was insider fraud. Even if you are encrypting data in transit or at rest, it is usually the person who has authorized access to it that is the criminal. If you give access to a partner who you feel to be legitimate and has done their homework in authenticating who has access to the system, that is generally where it all breaks down. It is the people who have the best access that do the most damage. In the end there is no substitute for manual verification of your employees, customers and partners. That is what ChoicePoint is doing now and they are losing business because of it now. They are verifying every partner and customer manually. They are going to their site of business, giving them a questionnaire, auditing them and making sure that access rights are controlled very strictly. There is no substitute for manual verification. That is the problem.
This interview is available in its entirety as a podcast on the IAPP's Web site, under Resources, at www.privacyassociation.org.