Alongside the launch of its new hybrid data governance solution for the enterprise, Egnyte has claimed it could have saved companies hit by data breaches last year up to $14 billion. We are no strangers to press releases with extravagant claims but this one seemed outrageous enough that we felt we needed to find out more. For example, is it just pure marketing spin or is there any real basis to it?
How did Egnyte get to $14 billion?
That’s a good question. We wondered if it was a typo and asked for clarification. After a few emails we were given the details below, which we were told can be attributed to Isabelle Guis, Chief Strategy Officer.
It starts with the average cost per item in a data loss / breach, which is $154. This figure comes from a May 2015 report by the Ponemon Institute. The key here is that this is described as an average cost, with Egnyte also citing IBM, who say that in some verticals the cost per item can double. The next key figure is the number of records exposed in the US last year, which is 169 million. That figure comes from ITRC Dec 2015 / Experian.
$154 x 169 million = $26.026 billion in losses from data that was lost or stolen.
The next key figure is the savings. Egnyte estimates it could have saved around 53% of the data. It uses data from the Identity Theft Resource Center, which lists the amount of data lost and the reasons it happened. Taking the ITRC Survey for 2015 data breaches report and looking at the things Egnyte claims to protect against, it arrives at the formula:
7.3% + 13.7% + 9% + 14.9% + 10.5% = 53%
Each of those numbers represents a particular cause of loss. They are: data on the move, accidental email, subcontractor/3rd party, employee negligence and physical theft. When you then calculate 53% of the $26.026 billion in losses you get to approximately $14 billion.
There are still a number of questions over this calculation. For example, it assumes that the average value holds true across a much wider data set than Ponemon themselves looked at. It also assumes that all the affected companies purchased Egnyte’s products and that the company was able to service such a huge growth in sales.
While the numbers are clearly more than a little speculative, they do put an interesting perspective on the cost of data loss / breaches that is rarely considered. Most reports tend to focus on broad numbers, not the cost per cause of data loss.
It would be interesting to see how many companies use the ITRC categories when investigating their own data losses. For example, were their controls on 3rd party/contractor data access good enough that losses here were less than the 9% average? Did they have strong enough internal controls to limit data losses to malicious insiders and negligent employees to below 14.9%? It certainly makes for an interesting exercise and potentially one that is worthwhile when trying to establish the effectiveness of company data protection policies.
Conclusion
One of the problems for many organisations when it comes to establishing the effectiveness of their IT security is knowing what to compare it against. While Egnyte has used the ITRC categories to highlight its own claims, it may well have ignited a serious internal debate inside organisations. It would be interesting to know how many companies now consider setting key improvement metrics using the ITRC categories.
While the Egnyte claim of such large-scale savings does require some more-than-hopeful sales projections, it has stuck to what it knows best. It hasn’t claimed to prevent all types of data loss, just those its products are designed for.