It seems like every day, you read about another data breach.
According to a study published by IBM, an organization has a 27% chance of suffering a breach of at least 1,000 records. There have been so many data breaches in the past several years that now it seems commonplace.
Many experts today believe that consumers are now suffering from "data breach fatigue." Instead of being outraged, consumers either feel despondent or apathetic – often choosing to not discuss it with their friends or family. If pressed, most consumers will say that they care; however, a recent study by the Ponemon Institute found that 32% of data breach victims took no action to protect their data after a breach, and 55% took no action to guard against identity theft. It’s clear that our actions don’t match our words when it comes to data breaches.
Given the relative apathy of consumers and the likelihood that every organization will eventually suffer a breach, it is tempting for businesses to under-resource their cybersecurity programs. However, a cybersecurity incident usually leaves the company paying substantial direct and indirect costs.
Costs to consumers and businesses
The costs of a significant data breach in the United States are astounding. According to the IBM study, the average cost per breached record for a U.S. company was $233, and the average total cost of a data breach was nearly $8 million.
These costs were demonstrated to an extraordinary degree in the 2017 Equifax breach of approximately 143 million records. Since that time, reports indicate that Equifax has paid a total of $439 million in costs, which include security upgrades, credit monitoring services, legal fees, as well as fines and settlements from scores of lawsuits.
Beyond the direct costs of a breach, cybersecurity incidents can also affect an organization’s bottom line through indirect costs. Before it was revealed that Yahoo had suffered a mega-breach of approximately 500 million accounts in 2013 and 2014, it was set to be purchased by Verizon for approximately $4.8 billion.
After the breach, Verizon purchased Yahoo for approximately $4.48 billion. This breach, which did not include sensitive information such as payment card or bank information, cost Yahoo! $350 million. This amount does not include costs related to legal fees, fines, breach notifications, and various corrective actions.
Effective Strategies for Preventing Breaches
What can be done to protect your customers’ information? While the answer is always going to be “adopt a best-practices information security program,” there are some immediate action items that can be undertaken to mitigate the risk of being the victim of a material breach.
First, approximately 25% of data breaches are the result of well-meaning employee mistakes, such as falling for a phishing scheme or inadvertently disclosing sensitive data. To guard against these mistakes, organizations should provide basic security awareness training to all information system users, including managers, senior executives, and contractors, as part of initial onboarding, and refresh it at regular intervals, since awareness fades without reinforcement.
Second, organizations should ensure that their patching practices are current. Within the past couple of years, studies have shown that inadequate patching of information systems has been one of the main causes of data breaches. New systems should have the latest patches installed before deployment so that they comply with the organization’s hardened system configuration. Systems that are considered critical should be patched within one month of a patch’s release, and the organization should track the age of every outstanding patch on those systems so that misses are visible rather than discovered during an incident.
Finally, it’s important to know who is doing what within the information system. Companies should ensure that an audit logging mechanism is running on the information system and that it cannot be disabled by users; logs should also be forwarded to a separate log server so that an attacker who gains administrative access to a host cannot quietly alter or delete the record of what they did.
This audit logging solution should log, among other things, all user access to the sensitive information environment as well as invalid access attempts. Each log entry should identify the user, record the type of event that was performed, and identify the affected data, component or resource. Logs should be reviewed daily, and when suspicious activity is discovered, the organization should handle it according to its incident response policy. Many incidents last for months or years because administrators are not actively monitoring system activity on a daily basis. By monitoring system activity, companies can greatly reduce the severity of an incident should one occur.
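The daily review described above can be at least partly automated. The following script is an added example, not code from the article or from CompliancePoint: it parses a small constructed audit log whose key=value format (user, event, resource, result, source address) is an assumption for the example, and raises alerts for three patterns a reviewer would want surfaced: repeated denied attempts on sensitive data by one user within a short window, any attempt to reconfigure or stop the audit mechanism itself, and successful access to sensitive data outside normal hours. The thresholds, the sensitive path prefix and the business-hours window are assumed policy values, not figures from the article.

```python
"""Daily audit-log review: parse key=value lines and flag suspicious activity.

The log format below is an assumption for this example; adapt parse_line()
to whatever your audit mechanism actually emits (syslog, Windows Security
log, CloudTrail, ...).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log lines (not real data). Fields: timestamp, user,
# event, resource, result, source address.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=alice event=read resource=/data/customers.db result=success src=10.0.0.5
2024-03-04T08:05:40Z user=bob event=read resource=/data/reports result=success src=10.0.0.7
2024-03-04T09:10:01Z user=mallory event=read resource=/data/customers.db result=denied src=10.0.0.9
2024-03-04T09:10:03Z user=mallory event=read resource=/data/customers.db result=denied src=10.0.0.9
2024-03-04T09:10:05Z user=mallory event=read resource=/data/customers.db result=denied src=10.0.0.9
2024-03-04T09:10:07Z user=mallory event=read resource=/data/customers.db result=denied src=10.0.0.9
2024-03-04T09:10:09Z user=mallory event=read resource=/data/customers.db result=denied src=10.0.0.9
2024-03-04T22:41:19Z user=alice event=export resource=/data/customers.db result=success src=203.0.113.4
2024-03-04T22:42:00Z user=alice event=audit_config resource=auditd result=denied src=203.0.113.4
2024-03-05T01:15:30Z user=bob event=read resource=/data/reports result=success src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Tunables: assumed policy values for this example, not figures from the article.
SENSITIVE_PREFIXES = ("/data/customers",)      # the "sensitive information environment"
FAILURE_THRESHOLD = 5                           # denied attempts ...
FAILURE_WINDOW = timedelta(minutes=5)           # ... within this window
BUSINESS_HOURS = range(7, 20)                   # 07:00-19:59 UTC counts as normal
AUDIT_EVENTS = {"audit_config", "audit_stop"}   # touching the logging mechanism itself


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def parse_log(text):
    """Parse all lines, skipping malformed ones (count and report them in real use)."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def is_sensitive(resource):
    return resource.startswith(SENSITIVE_PREFIXES)


def detect(records):
    """Return a list of (severity, user, description) alerts, highest-value patterns first."""
    alerts = []
    # 1. Repeated denied access to sensitive data: sliding window per user, one alert
    #    when the threshold is first reached.
    denied = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["result"] == "denied" and is_sensitive(r["resource"]):
            window = denied[r["user"]]
            window.append(r["ts"])
            while window and r["ts"] - window[0] > FAILURE_WINDOW:  # expire old attempts
                window.pop(0)
            if len(window) == FAILURE_THRESHOLD:
                alerts.append(("high", r["user"],
                               f"{FAILURE_THRESHOLD} denied attempts on {r['resource']} within {FAILURE_WINDOW}"))
    # 2. Any attempt to reconfigure or stop the audit mechanism, successful or not.
    for r in records:
        if r["event"] in AUDIT_EVENTS:
            alerts.append(("critical", r["user"],
                           f"{r['event']} on {r['resource']} ({r['result']}) from {r['src']}"))
    # 3. Successful sensitive-data access outside business hours: worth a look, not proof of misuse.
    for r in records:
        if r["result"] == "success" and is_sensitive(r["resource"]) and r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("medium", r["user"],
                           f"off-hours {r['event']} of {r['resource']} at {r['ts'].isoformat()} from {r['src']}"))
    return alerts


if __name__ == "__main__":
    for sev, user, desc in detect(parse_log(SAMPLE_LOG)):
        print(f"[{sev.upper():8}] {user}: {desc}")
```

Run against the sample, this reports mallory's burst of denied reads, alice's attempt to change the audit configuration from an external address, and alice's late-night export of the customer database. The audit-mechanism rule fires even on a denied attempt: the interesting fact is that someone tried, which is exactly the kind of event that goes unseen when nobody reads the logs.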
By training their workforce, patching their systems, and monitoring the activity that takes place on the information system, companies can reduce the risk of an incident as well as lessen the severity should one occur.
Dan Kiehl is a policy analyst with CompliancePoint.