NIST 800-171: Let's Talk Numbers (Part 2)
We won’t lie: becoming NIST 800-171 compliant is neither an easy task nor a cheap one. Hiring the right people, or the right organization, to facilitate the process of becoming compliant can be a costly investment. However, it is just that, an investment.
By definition, an investment is “an act of devoting time, effort, or energy to a particular undertaking with the expectation of a worthwhile result”. So, while the cost of implementing NIST 800-171 policies may deter some organizations from implementation, the costs of recovering from a breach caused by a weak security posture and lack of compliance are often worse.
When a breach happens, the exploited organization incurs costs including forensic analysis, system repair, data recovery, legal and insurance considerations, additional controls, customer support, and losses to brand and reputation. These costs are not temporary either. Institutions can spend years trying to clean up the damage of an exploit, as well as to recover the customers that were lost and the reputation that was tarnished.
More specifically, let's talk numbers. In the Ponemon Institute's annual study for 2017, the average cost of a data breach in the United States reached an all-time high of $7.35 million. This $7.35 million represented a 5% increase over the previous year. Additionally, the study found that breaches cost organizations an average of $225 per record compromised, which is more than double the global average. Furthermore, “compliance failures” was listed as one of the top five reasons the cost of a breach rose in the U.S. For health institutions experiencing a breach, the ceiling for HIPAA fines is tremendous. For higher education, the monetary consequence is not necessarily a fine but the inability to maintain government funding.
Regardless of the type of institution breached, the costs that make up the average $7.35 million can include some or all of the following:
- $25,000 – $50,000 for forensic experts
- ~$600 per hour for legal approval of notification letters
- $5 – $10 per person for credit monitoring services
- A service for verifying the addresses of potentially affected individuals for breach notification letters
- Standing up a call center for larger breaches
- A PR firm for press releases if more than 500 people are affected
- Customer churn: the revenue lost from customers choosing to do business elsewhere
- Cyber insurance
- Regulatory fines
Ultimately, when it comes to computer systems and networks, vulnerabilities are abundant and the costs associated with a breach are high. It is therefore better to invest in strengthening the network’s security posture and in becoming compliant from the beginning, instead of being forced to make the change after a breach has already taken place.