Cybersecurity Month: The Breach Analysis Of The Week
As part of National Cybersecurity Awareness Month, we’re sharing tips about how you can emphasize cybersecurity awareness and implement security best practices in your organization.
You know those moments when your mother would warn you about something a million times, and you ignored her repeated warnings? And then the thing she warned you about would eventually happen, even though you swore to her that it wouldn’t? That’s the current state of the data breach landscape. Data breaches have become a cost of doing business today – the question is not ‘if’ but ‘when’ your organization will be breached. Our own CTO/CISO Darran Rolls even broke down the anatomy of a data breach, and just how many potential points of exposure there are in an organization.
The Ponemon Institute recently released a new study outlining the true cost of a data breach. Not surprisingly, data breaches are expensive – not just to identify and contain the breach but to repair the damage done from a customer trust and reputation standpoint. The ‘cost’ is priceless. For example, the recent Yahoo! data breach damages the company’s reputation, but the financial fallout is even worse: in this case, it puts a potential merger in jeopardy. In short, the stakes are higher than ever before, both financially and from a reputation standpoint.
If you were given an invoice for an average data breach, it would likely total around $4 million, a 29% increase from just a few years ago. If you itemized that invoice, it would include stolen records, resources expended on action and recovery, loss of intellectual property and loss of reputation, among other immeasurable damages. The records alone are worth about $158 each. In recent, real-world context, imagine losing $158 for each of the 70 million records stolen in the Dropbox breach.
If you’re in the healthcare or financial industries, you face even stricter fines and regulations. The findings show that the most expensive per-capita costs were in healthcare, education and finance. Healthcare costs came in at $355 per capita – more than double the average.
Strict regulations aren’t just for these industries either. The passing of the GDPR promises hefty fines for companies that don’t protect the data of EU citizens. These regulations are not just for EU companies, but all companies that operate in the EU – meaning almost every global company will be subject to them.
Budgeting for your breach
The Ponemon Institute study shows that companies are now budgeting for a breach as a part of a reasonable data protection strategy. The current rate of breaches shows that all enterprises are at risk as hackers continue to up the ante on their attacks. Unfortunately, many breaches we’ve seen making headlines of late were preventable. Take the LinkedIn and Dropbox breaches – both were due to poor password hygiene. An insider opted to use an existing password across multiple applications, and the websites were hacked. Once a hacker has those user credentials, all bets are off. It’s even worse if the impacted enterprise isn’t safeguarding its user identities and enforcing strong password requirements or mandatory password reset.
Identifying a Breach
Breaches often take months (or longer) to identify, with additional time to contain the breach. Ponemon’s findings show that it took an average of 229 days to discover a malicious breach and 82 more days to contain it – that’s more than 7 months before a breach is even discovered, and another nearly 3 months before shutting it down. And these figures were compiled before the recent Yahoo breach, which happened some two years ago. In any case, by that point, the damage is largely done.
What can you do?
With findings this grim, how do you protect your organization? For starters, make strong investments in security on both the offensive and defensive fronts. Having proper safeguards in place is a good starting point, but recent statistics show that 185 million incidents bypassed perimeter defense and anti-virus detection. You must think beyond the perimeter to identity, the new attack vector, with a user-centric approach to security. After all, a user’s identity is the only thing that ties the user to his or her access to data within an enterprise across all systems and all entry points, both on-premises and in the cloud. In short, identity is everything.
We all know that breaches are not a sign of failure – they’re quite simply the current reality. What matters now is how you mitigate the risk, and how quickly you respond to contain a breach once it does occur. Are you prepared for your data breach?