fbpx
Category

General Security

More than Money: Comprehensive Cost of a Data Breach

By | General Security

The size and cost of data breaches are increasing rapidly. IBM Security sponsored Ponemon Institute to conduct a study, Cost of a Data Breach Report*, which was published in July 2018. According to the IBM study, since 2017, the average total cost of a data breach increased by 6.4 percent and the average size of a data breach (meaning the number of records lost/stolen) increased by 2.2 percent. The average global data breach costs $3.86 million; the highest global average is by US companies coming in at an average of $7.91 million. By mid-2018, the cost per lost or stolen record was $148.

Total cost is different for every breach depending on type, size, and timeline, but there are common categories of costs that apply to all. Not all costs are visible from a glance. We wanted to know what really goes into the total cost of a data breach; this article is the result. Take a quick look as we break down the likely costs, both direct and indirect, of a data breach in 2019. Buckle up, it’s a bumpy ride.

For your information, data breach cost information has been organized into four categories:

  1. Detection and escalation
  2. Notification
  3. Post-data breach response
  4. Lost business

Dollar amounts are not given as it is different for each breach and dependent on many variables including type, size, timeline, etc. However, please consider the possible applications to your circumstance and recognize the vast reach a breach could have on your organization. It’s not a matter of if, but of when. We want you to understand, prepare, prevent, and have as minimal damage as possible. Here we go!

Detection and Escalation

Direct Cost

Crisis team management. What happens when an organization is attacked? Plan and prepare for security crises. This cost is much more of a pre-breach step that will cost dearly if not created before a breach occurs. As aforementioned, security breaches are not a matter of if, but of when. Have an incident response team? You should. Organizations with incident response teams reduced the cost by as much as $14 per compromised record (IBM, 2018). Even with an equipped internal team, serious situations often require outside consulting, such as FireEye, and are very expensive.

Forensic and investigative activities. As soon as a breach is detected, an organization delves into forensics to determine what happened during a cyber incident and who was responsible. The goal is to stop the spread of leaked information and limit impact. This stage involves digital forensics, malware and threat analysis (Deloitte, 2016). Depending on the attack vectors used, a larger network compromise might be found and result in expensive threat hunting to identify all affected assets.

Assessment and audit services. Assessments are worth the investment, especially after a breach. Understanding and finding weaknesses in a system can help prevent further network abuse and a future breach. The likelihood of a recurring material breach over the next two years is 27.9% (IBM, 2018). Costs associated with assessments and audits include fines or fees due as a result of non-compliance with federal or state cyber breach related laws/industry regulations the company may be subject to (Deloitte, 2016).  Following a breach, audits and compliance will be required. Higher skill assessments may also be implemented but not required. Higher skill assessments help harden security and ensure another breach doesn’t occur in the same manner.

Communications. Public relations work and communication about the breach is vital, and often costly. A good PR team can help manage external communications, somewhat repair brand image, and provide media and brand monitoring following an incident (Deloitte, 2016). Communicating with the public is often embarrassing but can save a lot of pain and dollars in the long run. Trying to cover up a breach is a terrible idea. Our advice: rip it off like a Band-Aid and let it heal in the open.

Indirect Cost

Time. On average, it takes 196 days to identify a data breach (IBM, 2018). However, it only takes minutes for most attackers to compromise an organization. 68 percent of breaches took months or longer to discover (Verizon, 2018). The sooner the detection, the less it will cost. Time really is money when it comes to data breaches.

Notification

Direct Cost

Notification costs are all costs associated with informing and advising individuals whose data was compromised. State and/or federal law and industry regulations mandate specific notification procedures and policies. Notification includes: printing, mailing, call center services (Deloitte, 2016). Informing clients, customers, and stakeholders is vital. Communicate openly, effectively, and in a timely manner to avoid further time and cost.

Post-Data Breach Response

Direct Cost

Help Desk. Customers, clients, and stakeholders will have questions. Account information will be demanded. Staffing a customer information and service help desk can help with the personnel repair as systems teams take care of technical repair. Inbound communications help should also be considered in direct costs.

New accounts. Time, resources, and personnel are often needed to reset passwords or issue new accounts. Costs in this category can include forcing account resets and asking for additional validation when assisting customers.

Legal. When it comes to legal costs, it can get spendy really quickly. There is a wide range of legal advisory fees and settlement costs. These fees are often externally imposed and can include costs associated with legal actions by the company to defend its interests. Legal fees and settlement costs for individual breaches and the damages associated vary, but are often very hefty. A sad fact: recovery could take years and may not be ultimately recoverable, even after a positive verdict in favor of the company (Deloitte, 2016).

Product Discounts. Damaged reputation can lead to a sense of damaged product or service. Organizations can offer products or services at a discount as a means to repair and repent for a security breach. Discounted products can add significantly to the total cost of a breach.

Identity protection services. Customer data protection post-breach can be a challenge, and a major expense. Expenditures associated with the detection and protection against potential efforts to use an individual’s compromised personal data for unauthorized purposes following a breach can be hefty (Deloitte, 2016). Most organizations may not be affected as the content being stored may not be related to identity protection.

Regulatory interventions.  A data breach could cause the prohibition of doing business within a certain country. Required audit reporting and fines for regulation violations can add up quickly. GDPR violations alone can add up to $4 million, or a more significant portion of business revenue.

To help with regulations, we recommend using a comprehensive compliance framework like Defensix. It has a handy module for governance, risk, and compliance (GRC) that streamlines compliance controls and helps organizations orchestrate all of their GRC needs.

Cybersecurity improvements. Following a breach, improvements are necessary. Improvements can include technical upgrades and patches to the infrastructure, security controls, monitoring capabilities, or surrounding processes. Costs include all efforts to recover business operations after an incident or to prevent a similar occurrence in the future (Deloitte, 2016).

Indirect Cost

Insurance premium increases. Expect insurance rates to increase following a breach. Purchasing or adjusting insurance policies following a breach can be costly (Deloitte, 2016).

Increase cost to raise debt. Organizations are higher-risk borrowers during months following cyber incidents. As such, organizations face higher interest rates for borrowed capital due to a drop in credit rating (Deloitte, 2016).

Lost Business

Indirect Cost

Impact of operation disruption or destruction. This category is highly variable and specific to each situation. It includes losses tied to manipulation or alteration of normal business operations and costs associated with rebuilding operational capabilities. According to Deloitte, it includes costs “to repair equipment and facilities, to build temporary infrastructure, to divert resources from one part of the business to another, to increase current resources to support alternative business operations to replace the function of systems that have been temporarily shut down. It also includes losses associated with inability to deliver goods or services” (Deloitte, 2016).

Value of lost contract revenue. Though very hard to quantify, a major cost is loss of revenue and ultimate income loss. The loss of future opportunity associated with contracts that are terminated as a result of a cyber incident can be devastating.

Devaluation of trade name. This category is the intangible cost referring to the loss in value of the names, marks, or symbols an organization uses to distinguish its products and services. To determine the devaluation, an estimate value of trade name before and after the cyber incident needs to be assessed (Deloitte, 2016).

Loss of intellectual property. Another intangible cost includes loss of exclusive control over trade secrets, copyrights, investment plans, and other proprietary and confidential information. Unfortunately, these costs often lead to loss of competitive advantage, loss of revenue, lasting and potentially irreparable economic damage. Patents, designs, copyrights, trademarks, and trade secrets are included in this category (Deloitte, 2016).

Lost value of customer relationships. Sentimentality aside, relationships have monetary value for organizations. After a data breach, each customer or member is given a value to quantify how much a business must invest to acquire that customer/member. These costs include the likely revenue that one customer will generate for the business over time. Customer relationship value can be evaluated per industry or organization (Deloitte, 2016).

 

Recommendations to Reduce Costs

“Practice does not make perfect. Only perfect practice makes perfect,” said Vince Lombardi, football legend and wise man.

Why are companies falling short when it comes to data security? We believe it is caused by practice of testing from an audit perspective – meaning preparing and protecting against auditors – and not against real-world attackers. In order to prepare and prevent data breaches, we recommend the following real-world approaches to security maturity.

  1. Identify top risks. Determine the top risk areas and assets. These areas could include processes or activities of high value such as data sets, computer systems, control devices or other digital assets. Conduct assessments to find weaknesses and top priorities. Silent Break Security can help you out here with any type of sophisticated adversary testing. Identifying realistic, direct, and intangible impacts on an organization can help prioritize where efforts and investments should be made.
  2. Build a realistic budget and invest. Once priorities are determined, make the sacrifices necessary to invest where it matters most. No organization can cover everything. Model realistic scenarios and invest in risk-focused services and products.
  3. Create the dream team with the right tools. Assemble a team of experts who understand not only tech and regulations, but business strategy, products, revenue streams, operations, and cyber risk programs. As for tools, investing in proper, updated systems, infrastructure and software is well worth it. There are a lot of moving parts when it comes to compliance and security maturity. Many parts don’t seem very exciting or important until they are due to a data breach. They are annoying to keep track of but valuable to have. Defensix is exactly what an organization needs before, during, and after a breach. It streamlines and simplifies security. We’re happy to tell you more here.

Data breaches are real and happening faster than ever before. As another wise man said, “It is better to prepare and prevent, than to repair and repent.” Preparation and prevention may not be a cure, but they can lessen the blow from a data breach. You know why an organization needs to be ready. How an organization prepares and prevents can make all the difference.

 

 

*Disclaimer: This article is intended to be a conglomerate of studies to organize information in a digestible manner with added analysis and recommendations from Silent Break Security. The majority of data breach statistics and information has been gathered from recent studies by IBM/Ponemon Institute (2018), Verizon (2018), and Deloitte (2016). Silent Break Security has received written permission from the Ponemon Institute, who was sponsored by IBM Security to conduct the study, Cost of Data Breach Report, 2018. Silent Break Security does not claim rights to any of the cited/quoted information.

12 ways to increase security for Christmas

12 Ways to Prepare for a Secure Holiday

By | General Security

The holiday season is a time of family, friends, food, travel, and shopping. All of these traditions are great, but security is often the last thing on our to-do lists. Our gift to you is peace of mind. Imagine it as a basket of tips to secure your devices and accounts before heading off to grandmas, to ensure a safe holiday season. 

Below you’ll find some quick tips for a safe and secure holiday. We recognize there are a lot more ways to increase security than recommended here, but it’s a good start. There are 12 days left until Christmas — if needed, pick one a day leading up to the 25th for an easy implementation.

1. Update & patch.

Make sure all applications, software, and patches are up to date and functioning properly. Weaknesses in apps and software are exploited by hackers and can quickly compromise accounts. Keep information safe by ensuring firewalls, malware detectors, and anti-virus scanners are updated and working well. The pesky software updates are worth the vulnerabilities they fix. 

2. Backup everything important.

If you care about something, back it up. Encrypt highly sensitive information. Be sure to lock up any storage device with strong passwords and multi-factor authentication.

3. Avoid shared networks.

Do not, we repeat, do NOT shop online on a shared network. This means any network (i.e. WiFi at Starbucks) that is public and available to anyone. As soon as someone accesses the network you are on, they can access your devices and the information on them a whole lot easier. 

Do not enter credit card information or other personal information when using a shared network. When browsing or shopping online, use a private network, such as a VPN. 

4. Set up multi-factor authentication.

Increase security maturity by implementing a multi-factor authentication (MFA) application on all of your accounts and devices. MFA is a method of authentication using 1) something you know 2) something you have or 3) something you are to identify if you are who you claim you are when logging into a device or application. We recommend using an MFA app, such as Duo.

5. Too good to be true? Probably so.

‘Tis the season for killer deals and good bargains. ‘Tis also the season for more fraud and scams. If a deal seems too good to be true from an uncommon company or site, it most likely is too good to be true. Don’t fall for it. Be wary of extreme sales. Search for reviews of products and companies before purchasing anything online. 

6. Post on social media AFTER vacation.

We know that you want to show off the adorable snowman you made while visiting your cousins in Milwaukee…but don’t post about it (and especially don’t geo-tag it) until you have safely arrived back at home. Posting on social media during a vacation can increase chance of robbery, and in some cases can even invalidate insurance. Be aware. Unfortunately, your family and friends are not the only ones watching your social feeds.

7. Click carefully. Be wary of links & attachments.

One click can unleash chaos on a device.

Social engineers are getting more clever and cunning. Don’t click on or answer unsolicited emails or phone calls. If you didn’t instigate a conversation, you should also be skeptical of a solicitor’s intentions. You never know who is on the other side of that screen. 

8. Go without Admin Privileges

Run your computer without admin privileges. Limiting the amount of access a user (including you) has to major controls when unnecessary can prevent hackers from accessing the same privileges. The extra prompts will pay off. 

9. Change passwords strategically.

Changing passwords frequently can lead to bad password hygiene. With so many passwords to keep track of, people often get lazy or choose easy-to-remember codes. Instead of changing passwords every month, consider changing passwords strategically. 

Password managers, like LastPass, help keep track of passwords and can help to know when to change them. Here are some of their recommendations for when the time is right:

  • After a service discloses a security incident. 
  • There is evidence of unauthorized access to your account. 
  • There is evidence of malware or other compromise of your device. 
  • You shared access to an account with someone else and they no longer use the login. 
  • You logged in to the account on a shared or public computer (such as at a library or hotel). 
  • It’s been a year or more since you last changed the password, especially if you don’t have multi-factor authentication enabled. 

10. Increase password complexity & length.

Silent Break Security recently released the Top Cracked Passwords of 2018. The most common passwords all had the same elements — they were too simple. We’ve said it and we’ll say it again, P@ssword123! does not cut it anymore. 

Two of the biggest factors of password strength are complexity and length of the password. We recommend mixing alphanumerical characters of both cases with special characters such as !@#$%^&*. Passwords should be at least 16 characters long. 

11. Assure secure connection.

Check the URL at the top of the screen. A secure connection will show a little padlock icon on the left of the URL and the address will start with https://

If a connection is not secure, do not enter any personal information as it is not safe. As aforementioned, public networks or connections with unknown security status are easily accessible by hackers. 

12. Remove unnecessary sensitive data.

Have a PDF of your Social Security card floating around your desktop? What about your drivers license? Did you send it over email? While these things are a security nightmare, prevent another mistake by removing any sensitive or personal information. Make sure information and data on your computer or device is absolutely necessary. Do not send SSNs and other sensitive information over email. Be sure all communication of value is encrypted and secure before sending. 

Let’s make 2019 a more secure year for everyone. Have a happy and safe holiday season!