Poker, Probability, and Protection, the Price of a Breach is not Pretty

IT Security Guru has an article reporting that 65% of IT Leaders Expect a Serious Data Breach to Hit Their Business Within the Next Year. That is a frightening number. How does this relate to poker? Or probability? Or the price of a breach? They are all a numbers game. According to the Thycotic Black Hat 2015 Hacker Survey Executive Report, you should be most worried if you are in the health care or financial services sector.

In poker, when you draw five cards, the odds of getting a single pair are about 1 in 2.37 (a little over 42%), a Full House about 1 in 694, and a Royal Flush (huzzah!) about 1 in 650,000. Good poker players know the odds (Texas Hold 'em being one of the most popular versions). However, being a great player means knowing how to bluff, and it has been said that you're not playing the cards, you're playing the man.

If you can’t spot the sucker in the first half-hour at the table, then you are the sucker. — Matt Damon in Rounders

However, ransomware notwithstanding, cyber criminals don't bluff: they want your data.

In the world of IT security, when you are speaking about security with your peers and vendors, you need to be able to identify which of them know what they are talking about and which ones do not. Then develop your strategy and license your solution(s) accordingly.

Now bring probability into it, taking the 65% figure at face value as the chance of being breached in any given year. Over a three-year period, assuming nothing changes and that each year is independent of the others, there is about a 4% chance of not being hit at all (0.35 cubed), about a 27% chance of being hit in all three years (0.65 cubed), a 24% chance of being hit in exactly one of the years, and a 44% chance of being hit in exactly two. These four outcomes are the only possibilities, so they add up to 100% (allowing for rounding).

The Ponemon Institute has a great study out, "2016 Cost of Data Breach Study: Global Analysis", that you should download: Lessons Learned From 11 Years of Cost of Data Breach Research. This year's study found that the average consolidated total cost of a data breach is $4 million. The study also reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased from a consolidated average of $154 to $158.

It compiles the costs of data breaches at 333 companies and breaks the figures down by country and market segment. The highest per-record cost was in the health care sector, at $355. Using the per-record figures from the study, you can estimate the total cost of a breach in your own industry simply by changing your assumption about the number of records your company would lose in a breach.

Doing nothing over that three-year period and using the $4 million figure, the expected loss from data breaches is 3 years times a 65% chance per year times $4 million, or $7.8 million: almost $8m! (This treats the survey figure as a true annual probability and assumes at most one $4 million breach per year. The real numbers for your company will differ, but the arithmetic is the point.)
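The three-year breakdown and the expected-loss figure above are a plain binomial calculation, and it is worth being able to rerun it with your own assumptions. The script below is an added example, not from the original article or from Lastline; the annual probability (0.65), horizon (3 years), per-breach cost ($4M) and the 10,000-record health care scenario are assumptions taken from, or constructed around, the figures quoted above. It treats each year as an independent Bernoulli trial with at most one breach per year, which is exactly what the percentages in the text assume.

```python
import math


def prob_exactly(p, n, k):
    """P(exactly k breach years out of n), each year an independent breach
    with probability p (binomial distribution)."""
    return math.comb(n, k) * p**k * (1 - p) ** (n - k)


def breach_year_distribution(p, n):
    """Full distribution {k: probability} for k = 0..n breach years."""
    return {k: prob_exactly(p, n, k) for k in range(n + 1)}


def prob_at_least_one(p, n):
    """P(hit in at least one of n years) = 1 - P(no breach at all)."""
    return 1 - (1 - p) ** n


def expected_breach_years(p, n):
    """Mean of the binomial: n * p breach years over the horizon."""
    return n * p


def expected_loss(p, n, cost_per_breach):
    """Expected loss over n years, assuming at most one breach per year
    and a fixed cost per breach (the article's $4M average)."""
    return expected_breach_years(p, n) * cost_per_breach


def estimated_breach_cost(records, cost_per_record):
    """Per-industry estimate: records lost times the per-record cost
    reported for that sector (e.g. $355 for health care)."""
    return records * cost_per_record


def required_annual_probability(target_loss, n, cost_per_breach):
    """Inverse question: what annual breach probability keeps expected
    loss at or below target_loss? Useful for setting a control target."""
    return target_loss / (n * cost_per_breach)


def main():
    p, n, cost = 0.65, 3, 4_000_000  # assumed inputs from the article's figures
    for k, pr in breach_year_distribution(p, n).items():
        print(f"breached in exactly {k} of {n} years: {pr:6.1%}")
    print(f"breached at least once:   {prob_at_least_one(p, n):6.1%}")
    print(f"expected breach years:    {expected_breach_years(p, n):.2f}")
    print(f"expected loss over {n}y:   ${expected_loss(p, n, cost):,.0f}")
    # constructed scenario: a health care organisation losing 10,000 records
    print(f"10,000 health care records: ${estimated_breach_cost(10_000, 355):,.0f}")
    # what annual probability would halve the expected loss?
    target = expected_loss(p, n, cost) / 2
    print(f"annual p needed to halve loss: {required_annual_probability(target, n, cost):.2f}")


if __name__ == "__main__":
    main()
```

Running it reproduces the 4% / 24% / 44% / 27% split and the $7.8M expected loss; changing `p`, `cost` or the record count gives the same analysis for your own sector.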

Brian Laing, VP of Product and Business Development at Lastline, said to IT Security Guru, "Most organizations recognize that they face a grave cybersecurity threat but have been too slow to react and often their response is piecemeal and tactical."

Don't be the company that is slow to react. With those odds and those costs, speak with vendors whose solutions are known for their ability to identify and stop breaches, speak with your industry peers about best practices, and select the right solution. Your company will consider you a security guru.

Lastline is the first and only company to score 100% in an NSS Labs Breach Detection Study with zero false positives. Read about it here: Lastline Top Performer in NSS Labs 2016 Breach Detection Study.