Cited as the number one security threat for cloud computing, data breaches refer to the loss of confidentiality for data stored within a particular cloud instance.
It is of course worth noting that such a threat is likely to exist even within an on-premise solution, or traditional outsourced solution.
The concern over the loss of confidentiality is entirely understandable, as the potential financial and reputational cost can be significant.
This will be entirely dependent on the data that has been stolen; organizations will have many types of data ranging from intellectual property and sensitive business information to personal data (e.g., customer data).
For personal data, according to the “2013 Cost of Data Breach Study,” conducted by the Ponemon Institute, a data breach (referred to as the theft of protected personal data) can cost up to $200 per record.
This cost is entirely dependent on the country in which the surveyed company resides.
In terms of deriving the cost per record, costs were divided into two categories, direct and indirect.
Direct costs are those that refer to “the expense outlay to accomplish a given activity such as engaging forensic experts, hiring a law firm or offering victim’s identity protection services.
Indirect costs include the time, effort, and other organizational resources spent during the data breach resolution.” Dependent on the country in which the surveyed company resided, the costs varied in terms of direct versus indirect.
For example, companies surveyed in the United States experienced 32% direct costs compared with those in Brazil where direct costs rose to 59%.
According to insurance company Beazley in their small business spotlight, the greatest direct cost associated with responding to a data breach is the notification required.
This of course is more relevant to those businesses that have a requirement to notify affected customers.
In the United States, for example, as of the time of writing and according to Bloomberg Law, there are only four states without a data breach notification law: Alabama, Kentucky, New Mexico, and South Dakota.
However, the data notification requirements across the various states do differ, with varying requirements such as notification triggers and method of notification.
Now, of course, the United States is not the only country where data breach notification laws exist; under the European Union’s Regulation on the notification of personal data breaches, providers of publicly available electronic communications services are obligated to notify customers about data breaches.
This notification must be made to the national competent authority within 24 hours.
Moreover, impending legislation, in particular in the European Union, is likely to increase the notification requirements for organizations that experience a data breach.
Notification is one cost associated with data breaches; however, as recent public data breaches have demonstrated, those affected companies have many other costs to contend with, and these may be either direct or indirect.
Additional costs can include direct technical costs to identify the cause of the breach, and any remediation work to close vulnerabilities and prevent the issue from reoccurring. In addition, there are likely to be costs associated with the breach itself, such as the potential loss of business.
Following the 2006 data breach experienced at the TJX Corporation, in which 45 million credit and debit card records were stolen, it was reported that the retailer had faced costs of over $256 million (these figures do vary greatly depending on the source; therefore, the more conservative figure is quoted here), despite initial estimates putting the costs at a “mere” $25 million.
While a breach of this scale is certainly at the higher end of examples, it does illustrate the impact an organization faces when experiencing a data breach, and in turn validates why it is rated as the number one concern when migrating to cloud computing.
A large proportion of the costs from the TJX breach was related to the offer of services to its customers; this included credit monitoring services as well as identity theft protection.
A breakdown of the estimated costs and associated activities was presented in an article published by Wired in 2007; while the actual figures in the table below may be disputed, they do provide an insight into the costs associated with a data breach.
What these figures, or rather these activities, clearly demonstrate is that the costs associated with a data breach can be significant, and any potential breach is quite rightly seen as a major concern.
In addition, it is worth noting that some of these figures seem low, and it is therefore assumed that they are per record (e.g., the cost per call is $25, but this is likely per customer).
From a cloud perspective, it is worth noting that as the risk is not outsourced, the remediation costs will be borne by the customer and not the provider.
The data controller will almost always be the end customer and therefore they will be responsible for ensuring that not only is the appropriate due diligence undertaken but their own customers (data subjects) will look to them to remedy the situation.
It may be possible to point the finger at a provider, but the truth is that the data subjects (whose records have been stolen) are not direct customers of the cloud provider; their decision to no longer work with the company they trusted to look after their data will affect the bottom line of the data controller.
This is referred to as the abnormal churn rate, which can be as high as 4.4%, depending on geography and, most likely, sector.
A small caveat to the above statement: the provider could also experience a loss of trust if the breach is significant and public enough to negatively impact the trust of other customers, both potential and/or existing.
Other types of data can also have a significant financial impact. Research conducted by the Center for Strategic and International Studies identifies the following categories in its report entitled “Economic Impact of Cyber crime”.
The cost to companies varies among sectors and by the ability to monetize stolen data (whether it is IP or business confidential information).
Although all companies face the risk of loss of intellectual property and confidential business information, some sectors—finance, chemicals, aerospace, energy, defense, and IT—are more likely to be targeted and face attacks that persist until they succeed.
From a cloud perspective, while personal data will demand due diligence, the hosting of data classed as intellectual property should be commensurate to its value.
This should include not only the cost of the research but also the opportunity costs such research represents to the business.
Financial crime usually involves fraud, but this can take many forms to exploit consumers, banks, and government agencies.
The most damaging financial crimes seek to penetrate bank networks, with cyber criminals gaining access to accounts and siphoning money.
The migration to cloud services, particularly for financial services, will attract greater focus from nefarious actors looking to commit fraud by targeting systems hosted by external providers.
This renewed focus was reported by CNBC when “cybercriminals acting in late 2013 installed a malicious computer program on the servers of a large hedge fund, crippling its high-speed trading strategy and sending information about its trades to unknown offsite computers.”
Admittedly, these types of attacks are not solely targeted at cloud computing, but they demonstrate that the threat landscape for financial fraud involves malicious actors who are very technically adept and well resourced.
Confidential business information
“The theft of confidential business information is the third largest cost from cybercrime and cyberespionage.
Business confidential information can be turned into immediate gain.
The loss of investment information, exploration data, and sensitive commercial negotiation data can be used immediately.
The damage to individual companies runs into the millions of dollars.”
The loss of confidentiality for an organization can have a significant impact regardless of whether the data are hosted externally or are an internally provisioned service.
Using cloud computing can bring enormous efficiency gains, but as the example of Code Spaces (more detail under Data Loss) demonstrates, the need for security remains; indeed, one can argue that, with the volume and complexity of threats increasing, the need for security has never been more important.
Ultimately, the loss of confidentiality will impact cloud customers significantly, and will also be to the detriment of the provider.