Here are the new statistics released this month from the Ponemon Institute's annual survey of breach costs.
$188 per record lost – Average cost in 2012 for a data breach in the US

28,765 – Average number of records per data breach in the US

$5,403,644 – Average cost of a breach in the US

$565,020 – Average cost to notify clients of a data breach in the US

$3,030,814 – Average cost of lost business from a data breach in the US
The cost figures are plain and simple.  They are verified.  They speak for themselves.  If you are having trouble getting executives to buy into the notion that no security is more expensive than a little security, float these numbers past them.  A breach of just 500 records will likely cost you $94,000.  Information security is critical to survival.  Ironically, the smaller you are, the worse a breach will hurt from a financial perspective.

Ask your executive team if they would consider not having a fire extinguisher or casualty insurance for your office.  If they say no, ask why they are willing to take such large risks with information security.  You're probably far more likely to suffer a security breach than to have a fire.  Put into proper perspective, most executives will follow your logic and begin to appreciate information security activities.

The definition of a data “breach” is a murky quagmire to many of our clients. For some it’s defined as “any unauthorized access or view of patient information outside an employee’s job scope.”  For another it’s defined as “a successful external cyber-attack which results in actual financial loss to a customer.”

Those are pretty different approaches to determining when a breach has occurred.  Things like company culture, regulatory compliance and insurance claims requirements will drive an organization’s definition of a data breach.

Read more: Define Data "Breach" Please..

As we continue to work through the 2013 Data Breach Investigation Report, I’ve realized that the more things change, the more they stay the same.  End user devices were involved in 71% of the reported breaches.  This is a significant jump over the last report but not really a new statistic altogether.

Here’s the sad truth.  We continue to value usability over security.  We always have and likely always will.  The ability to access data when, where and how we want is trumping our desire to protect the confidentiality, integrity and availability of the data.  Every information security professional wrestles with how to balance the risks of data access in an increasingly mobile workforce.

Read more: 2013 Data Breach Report - Point #3

Point #2 in my continuing discussion on the 2013 Data Breach Investigation Report is around physical security.  Over the past 18 months, we have been counseling our clients to take a renewed interest in physical security.  As systems have been given increased security over the years, they are becoming harder for the everyday criminal to hack.  This inevitably will cause the theft of computing resources and data to come crashing back into the physical world. The 2013 report shows this very thing has happened.

Read more: 2013 Data Breach Report - Point #2

As I read the Data Breach Investigation Report (compiled from 2012 data points), there are interesting bits of information I want to share.  I’ll spend the next several posts detailing some of the highlights.

There was a sharp rise in attacks against manufacturing, transportation and utility organizations in 2012.  Coupled with a decline in attacks seeking financial gain in the form of immediate cash, what does this tell us?  Well, it says that while cash is still king, other reasons for hacking do indeed exist.

Read more: 2013 Data Breach Report - Point #1

Port level security has always been a touchy subject.  For some it is a last and final attempt to secure a network and protect information.  Kill the port and it can’t be used by anyone for anything.  Others claim this level of security isn’t necessary if you have good physical security controls and only creates an administrative nightmare.

Then along came network admission control (NAC) and network access protection (NAP).  By interrogating a host and evaluating it against a set of predetermined criteria, we got the best of both worlds.  A "silver bullet" in the information security arsenal.  The problem is that NAC and NAP weren’t compatible in the early days.  So you had to choose one.  Even then, things like multi-function devices weren’t supported, so you had to exclude lots of ports around your environment.  So you had a fortified environment except for where you had poked all the holes in it.  Some organizations accepted the shortcomings and implemented a solution while others decided to skip it altogether.

Read more: Port Based Security: Do or Don't?

I was on a commercial flight a couple weeks ago.  There was a family sitting in the row ahead of me.  I was in the aisle seat behind and across from the teenage daughter’s aisle seat.  It was a long flight and I was working on my laptop for a bit, did some reading and then watched the end of a movie I had started.

As I did all of this, the teenage daughter broke out her laptop and started making movies of her flight experience with her webcam.  Harmless enough until she decided the angle she liked best was the one that had me front and center in the background.

Read more: I Wish You Valued My Privacy As Much As I Do
