Assessing the Price Tag of Cybersecurity
“All of these things have substantial cost to the organization, but they are absolutely required.”
Credit unions and other organizations pay a hefty price, directly and indirectly, when a data breach or incident affects their environment. The costs can arise from damages and from restoring tarnished reputations.
The “2018 Cost of a Data Breach” study, sponsored by IBM Security and conducted by Ponemon Institute, put the global average cost of a data breach at $3.86 million. The study estimates the average tab for each lost or stolen record containing sensitive and confidential information at $148 per file. Costs vary and include hidden costs such as lost business, adverse reputational effects and employee time spent on recovery.
The criminal enterprises staging these events are organized and fully armed. Gene Fredriksen, chief information security strategist for St. Petersburg, Fla.-based CUSO PSCU, maintained there’s certainly a direct expense to affected organizations. “Credit unions are very good about tracking the direct costs related to fraud. What it costs them to make the member right.” Where it gets a little fuzzy is member attrition. “There’s not always a lot of definition around why people leave and the costs associated with moving those accounts.”
Phishing remains a go-to con because scammers are rewarded by people who repeatedly use the same simple passwords. “That might tangentially give [phishers] enough social engineering capability to steal your money or parts of your identity,” Mark Ruchie, chief information security officer at Minneapolis-based Entrust Datacard, said.
Nayan Patel, vice president, strategic alliances at Brookfield, Wis.-based Fiserv, said, “The credit union has an enormous responsibility to protect their most critical data and assets, that is the member data.”
Patel noted some 90% of all compromises happen through email because it is the most cost-effective for cybercriminals. Meanwhile, credit unions need to identify and remediate threats. “All of these things have substantial cost to the organization, but they are absolutely required.”
Drew Lydecker, president and co-founder, and Ron Hayman, chief cloud officer and COO, both with Chicago-based AVANT, also spoke about the biggest cyberthreats they see (phishing, spear phishing, malware) and the financial data risks they present.
“State sponsored attacks are picking on the weak, generally the firms that have a shortage in IT talent, lack the resources and doing what we call the ‘10-year playbook,’” Lydecker said. That means they have protected their organizations the same way for the past decade, throwing outdated tech at security concerns.
Hayman placed the cost per record on lost credit cards at $5.40 and financial records at $4.12. “Multiply that by the number of customers or records you can see a real material cost.”
Read more about cybersecurity costs in the February 6 issue of CU Times.