Many factors must be considered in order to more accurately calculate the risk your company could experience in response to a data breach. These factors include your industry’s overall risk profile, the size of your organization, and most importantly your company’s preparation to mitigate such a breach. For security practitioners, the principle of “Security by Design” is an essential property we try to instill in all of our IT endeavors. This simple principle implies that an investment made during the design phase is more cost effective than the expenditures incurred after the fact. In the event of a breach, this principle certainly holds true, but how true is the question we must attempt to answer.
To support answering this question, TokenEx has developed the TokenEx Risk Calculator. The TokenEx Risk Calculator is based on various public sources for costs associated with data breaches (Ponemon’s 2015 Cost of Data Breach Study: Global Analysis). The TokenEx Risk Calculator takes a unique approach: for a specific industry, it calculates the likelihood of a breach and the associated costs, and most importantly it factors in your organization’s preparation to prevent such a breach.
In order to evaluate your organization’s current security investment, TokenEx evaluates the maturity of critical control areas as defined within the Framework for Improving Critical Infrastructure Security by the National Institute of Standards and Technology (NIST) or more commonly referred to as the Cybersecurity Framework (NIST CSF). The NIST CSF defines the Framework Core as a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.
TokenEx Risk Calculator
In order to facilitate the risk calculation, several questions are presented to gain a better understanding of your industry, potential breach size, and the measures taken to minimize a cybersecurity incident.
Number of Records Stored:
How well does the organization know where information resides within it and who has access to the information?
What measures does the organization employ to protect against a potential breach?
What controls does your organization leverage to identify a potential breach?
In the event of a breach, the organization has the following in order to mount a proper response:
The ability of the organization to recover from a breach:
Using the Calculator
The TokenEx Risk Calculator makes it simple to calculate the likelihood and cost of a potential breach. Below are explanations for each question in the calculator and what type of information is needed to answer the question accurately.
The cost of a breach varies by industry. Many factors can contribute to the varying costs, including the value of the data associated with the industry, the political climate, or attack vectors targeting specific industries. The Ponemon Institute has evaluated sixteen different industries ranging from Public Sector to Healthcare. The first step is to select the industry that best defines your organization.
NUMBER OF RECORDS
Certainly the number of records your organization is responsible for protecting is a critical factor. Keep in mind that record count includes more than just data records at rest. Record count should be all records that are stored or transmitted through your organization. Your organization is ultimately responsible for all data it comes in contact with regardless of its form or medium.
NIST CSF defines Identify as the understanding of the business context, the resources that support critical functions, and the related cybersecurity risks. This Core Function enables an organization to focus and prioritize its efforts consistently with its risk management strategy and business needs. For this section, how well does your organization know where information resides and who has access to the information?
NIST CSF defines Protect as the appropriate safeguards developed and implemented to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. What measures does your organization employ to protect against a potential breach?
NIST CSF defines Detect as the appropriate activities developed and implemented to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. What controls does your organization leverage to identify a potential breach?
NIST CSF defines Respond as the appropriate activities developed and implemented to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. In the event of a breach, what does your organization have in order to mount a proper response?
NIST CSF defines Recover as the appropriate activities developed and implemented to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. How able is your organization to recover from a breach?
Interpreting the Results
With the information provided, the TokenEx Risk Calculator calculates the likelihood and cost of a potential breach. Also presented is detail related to whether or not the data is tokenized. While tokenization cannot prevent a breach in its entirety (no control can), it can greatly reduce the impact associated with the breach. Certainly data that is not tokenized poses a greater risk to the organization.
Many factors must be considered in order to more accurately calculate the risk your company could experience in response to a data breach. While continuous improvement of internal security controls is always recommended, these efforts will not eliminate the threat and only marginally reduce the likelihood. This is not to say that running an effective Security Program has no value; rather, the most significant factor at play is where the actual data resides. Removing the sensitive data in its entirety via tokenization is the most efficient way of minimizing the cost of a breach. The most effective way of minimizing the likelihood of a breach, and by extension the costs associated with the breach, is running a well-managed Security Program coupled with the use of tokenization.
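As an added illustration (not the TokenEx Risk Calculator's own formula, which this page does not publish), the Python model below shows how the inputs discussed above combine: the industry baseline and record count set the exposure, Identify/Protect/Detect maturity trims the likelihood only modestly, Respond/Recover maturity trims the per-record cost, and tokenization removes records from scope altogether. Every rate, cost and reduction factor in it is a constructed placeholder.

```python
"""Illustrative breach-risk model: a constructed example, NOT the formula
behind the TokenEx Risk Calculator. All rates and costs are placeholders."""
from dataclasses import dataclass

# Constructed per-industry inputs: baseline probability that a breach of
# sensitive data occurs, and cost per exposed record in USD.
INDUSTRY_BASELINE = {
    "healthcare": (0.30, 360.0),
    "retail": (0.25, 165.0),
    "public_sector": (0.20, 70.0),
}
CSF_FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")

@dataclass
class Assessment:
    industry: str
    records: int                       # all records stored or transmitted
    maturity: dict                     # CSF function -> 1 (ad hoc) .. 5 (optimized)
    tokenized_fraction: float = 0.0    # share of records replaced by tokens

def breach_likelihood(a: Assessment) -> float:
    """Industry baseline, trimmed modestly by Identify/Protect/Detect maturity;
    Respond/Recover do not change whether a breach happens, only its cost."""
    base, _ = INDUSTRY_BASELINE[a.industry]
    avg = sum(a.maturity[f] for f in ("identify", "protect", "detect")) / 3
    # Constructed assumption: 8% of baseline removed per maturity step, so
    # even a fully optimized program keeps about 68% of the baseline risk.
    return base * (1 - 0.08 * (avg - 1))

def cost_per_breach(a: Assessment) -> float:
    """Only clear-text records count; tokenized records are out of scope.
    Respond/Recover maturity lowers cost per record by a constructed 5%/step."""
    _, unit_cost = INDUSTRY_BASELINE[a.industry]
    exposed = a.records * (1 - a.tokenized_fraction)
    reactive = (a.maturity["respond"] + a.maturity["recover"]) / 2
    return exposed * unit_cost * (1 - 0.05 * (reactive - 1))

def expected_loss(a: Assessment) -> float:
    return breach_likelihood(a) * cost_per_breach(a)

def scenarios(records: int = 100_000) -> dict:
    """Weak program vs. optimized program vs. weak program with 95% of
    records tokenized: which lever moves the expected loss the most?"""
    weak = dict.fromkeys(CSF_FUNCTIONS, 1)
    return {
        "weak": expected_loss(Assessment("healthcare", records, weak)),
        "strong": expected_loss(Assessment("healthcare", records, dict.fromkeys(CSF_FUNCTIONS, 5))),
        "tokenized": expected_loss(Assessment("healthcare", records, weak, 0.95)),
    }
```

With these placeholder inputs, raising every CSF function from 1 to 5 roughly halves the expected loss, while tokenizing 95% of the records with no other change cuts it by twenty times, which is the page's closing argument in numbers.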