Reports of data breaches somewhere in the world appear almost daily. The regularity with which they occur raises questions about the security measures organizations apply to their digital data.
How costly a data breach turns out to be depends on several factors. Direct costs include regulatory fines, technical remediation, legal fees, compensation to victims, and the cost of investigating how the breach occurred and what can be done to prevent a recurrence. Indirect costs include lost business and damage to the company’s reputation.
The cost also varies with the industry (healthcare, financial services, etc.) and the country, and can be broken down per business vertical or for the organization as a whole.
Every year the Ponemon Institute releases its “Cost of a Data Breach Study”, which analyzes the lasting cost and impact of information security breaches. According to the 2017 report, the average cost was around $141 per lost or stolen record.
Assuming the same trend continues, the per-record cost can be expected to stay in that range or rise.
Verizon’s 2018 Data Breach Investigations Report (DBIR) covers over 53,000 security incidents and 2,216 confirmed data breaches. The threat actors behind those breaches and their motives are summarized at a high level in the report’s statistics.
For many businesses the loss is more than the immediate dollar amount: legal costs, a damaged brand reputation, and lost customers follow.
Probable root causes for data breaches
The Ponemon study attributes breaches to three root causes: malicious or criminal attacks (the largest share), human error, and system glitches. The malicious category covers intentional efforts to obtain protected information, whether through hacking, phishing, or theft of files or devices; these attackers look for weaknesses in systems that they can exploit to reach the data.
The findings of the Verizon report are organized around the 4As of its VERIS classification framework (Actor, Action, Asset, Attribute):
• Actors (External, Internal, Partner, or Multiple) and their motives (Financial, Espionage, Grudge, Fun, and others)
• Actions (Hacking, Malware, Misuse, Social, Error, Physical, and Environmental)
• Assets involved in the breach (Databases, POS terminals, Web servers, Desktops, Documents, Mail servers, People, Laptops, etc.)
• Attributes of the data compromised (Personal, Payment, Medical, Credentials, Internal, Secrets, System, Bank, and Classified information)
According to the report, phishing and pretexting represent 98% of social incidents and 93% of breaches, and email continues to be the most common vector (96%). Phishing a user (Social), installing a keylogger (Malware), and then using the stolen credentials to log in (Hacking) is still a common path to a breach.
The report’s nine incident classification patterns are: Crimeware, Cyber-Espionage, Lost/Stolen Assets, Miscellaneous Errors, Payment Card Skimmers, Point of Sale, Privilege Misuse, Web Applications, and Everything Else.
It takes only one incident to compromise systems and cause a data breach.
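The phishing-to-keylogger-to-stolen-credentials path above ends with an attacker logging in as a legitimate user, which is where it is usually visible first. The following is an added example (not code from the original article or from Verizon or GAVS) of one simple detection that shortens the time to discovery: it flags successful logins from a source IP the user has never used before when that same unfamiliar IP also logs in as other users within a short window, the footprint of credentials harvested in bulk. The log format, field names, time window and sample events are constructed assumptions for illustration.

```python
"""Flag successful logins that look like use of harvested credentials.

Added example, not from the original article. The log format below
(timestamp user source_ip outcome) and the sample events are constructed;
adapt parse_events() to your own authentication logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events. 203.0.113.77 is a documentation
# address standing in for an attacker-controlled host.
SAMPLE_LOG = """\
2018-06-01T08:02:11Z alice 10.0.5.23 success
2018-06-01T08:05:40Z bob 10.0.5.41 success
2018-06-02T09:11:02Z alice 10.0.5.23 success
2018-06-02T09:30:17Z carol 10.0.7.9 success
2018-06-03T22:14:55Z alice 203.0.113.77 failure
2018-06-03T22:15:03Z alice 203.0.113.77 success
2018-06-03T22:16:48Z bob 203.0.113.77 success
2018-06-03T22:18:20Z carol 203.0.113.77 success
2018-06-04T10:01:00Z bob 10.0.5.41 success
"""


def parse_events(text):
    """Parse 'timestamp user ip outcome' lines into (datetime, user, ip, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events


def find_suspicious_logins(events, window=timedelta(hours=1), min_users=2, history=None):
    """Return sorted (timestamp, user, ip) alerts.

    A login counts as suspicious when (a) the user has never succeeded from
    that IP before and (b) the same IP produces first-time successes for at
    least `min_users` distinct accounts within `window`. A new IP alone is
    common (travel, new device); one unfamiliar IP authenticating as several
    accounts in a short span is the pattern left by harvested credentials.

    `history` seeds the per-user set of known IPs (user -> set of IPs) so the
    first day of logs does not make every office NAT address look new.
    """
    seen_ips = defaultdict(set)
    for user, ips in (history or {}).items():
        seen_ips[user].update(ips)
    first_time_successes = defaultdict(list)  # ip -> [(ts, user)]
    for ts, user, ip, outcome in sorted(events):
        if outcome != "success":
            continue
        if ip not in seen_ips[user]:
            first_time_successes[ip].append((ts, user))
        seen_ips[user].add(ip)

    alerts = []
    for ip, hits in first_time_successes.items():
        for ts, user in hits:
            others = {u for t, u in hits if u != user and abs(t - ts) <= window}
            if len(others) + 1 >= min_users:
                alerts.append((ts, user, ip))
    return sorted(alerts)


if __name__ == "__main__":
    for ts, user, ip in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} new source {ip} for {user} shared with other accounts")
```

On the constructed sample this produces three alerts, one each for alice, bob and carol from 203.0.113.77, and none for the users' regular office addresses. In practice the known-IP baseline should be seeded from weeks of history rather than built from the same log being inspected, and the window and account threshold tuned to the environment.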
Ways to reduce the cost of a data breach
How an organization prepares and reacts has a big impact on what a breach ends up costing. Companies should have strategies in place to prevent breaches and to minimize the damage when they do happen. These include:
• Maintaining an incident response team with a rehearsed plan.
• Encrypting data records, so that stolen copies are unusable without the keys.
• Regularly training employees on how to prevent, recognize, report, and respond to breaches.
• Employing security measures that reduce the likelihood of breaches.
• Keeping tested backups so that damaged or destroyed data can be restored accurately.
Alternatively, engage a security consultant who can perform a comprehensive risk assessment against international risk standards and assess the business impact, to understand the organization’s current security posture.
By collaborating with GAVS Technologies, companies can leverage its expertise in infrastructure services and digital solutions. Our services include automation-led infrastructure services, particularly security and identity management services enabled by smart machines, DevOps, and predictive analytics. GAVS’ focus is to strengthen governance and transformation through security, cloud orchestration, and Governance, Risk & Compliance (GRC).
Using our analytics platform, companies can combine behavioural detection with machine learning to trace the path malware has taken and take the necessary steps to protect the organisation.
Another big cost-saving factor is reducing the time it takes to discover a breach. Many breaches are not discovered until months after they occurred. Further measures include:
• Applying patches automatically on a regular schedule, or deploying tooling that removes the need for manual updating by identifying vulnerable applications and rolling out the latest updates as they become available.
• Implementing a regular backup process with a simple ‘one touch’ rollback so that organisations can automatically roll back and regain access to their data.
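The first step of the automated patching described above, identifying which installed applications are below the version that contains a fix, is where the classic mistake lives: comparing version strings lexically makes "1.9" sort above "1.10". The following is an added example (not from the original article or any GAVS product) of a version comparison that splits each version into numeric and alphabetic components and checks a software inventory against advisory fix versions. The inventory, the advisory list and the package names are constructed; a real deployment would read them from the package manager and a vulnerability feed.

```python
"""Find installed packages below the version that contains a fix.

Added example, not from the original article. INVENTORY and FIXED_IN are
constructed stand-ins for package-manager output and an advisory feed.
"""
import re

# Constructed inventory: package name -> installed version string.
INVENTORY = {
    "openssl": "1.0.2g",
    "nginx": "1.13.9",
    "libxml2": "2.9.4",
    "curl": "7.58.0",
}

# Constructed advisories: package name -> first version that contains the fix.
FIXED_IN = {
    "openssl": "1.0.2n",
    "nginx": "1.13.12",
    "curl": "7.60.0",
}


def version_key(version):
    """Turn '1.0.2g' into a tuple that compares component by component.

    Numeric runs become (0, int) and alphabetic runs become (1, str), so
    '1.13.9' < '1.13.12' (9 < 12 as integers, not as text) and
    '1.0.2' < '1.0.2g' (a shorter tuple sorts first). The leading 0/1 tag keeps
    int and str from ever being compared with each other.
    """
    key = []
    for token in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(key)


def outdated(inventory, fixed_in):
    """Return [(package, installed, fixed)] for packages below their fix version.

    Packages without an advisory are skipped; packages at or above the fix
    version are not reported.
    """
    findings = []
    for package, installed in sorted(inventory.items()):
        fixed = fixed_in.get(package)
        if fixed is not None and version_key(installed) < version_key(fixed):
            findings.append((package, installed, fixed))
    return findings


if __name__ == "__main__":
    for package, installed, fixed in outdated(INVENTORY, FIXED_IN):
        print(f"{package}: installed {installed}, fixed in {fixed}")
```

This covers the dotted and letter-suffixed schemes in the sample; distributions that backport fixes without bumping the upstream version (Debian and Red Hat style "1.0.2g-1ubuntu4.11" revisions) need the package manager's own comparison rather than a generic one, which is the main reason to prefer the tooling the bullet above describes over a home-grown checker.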
Effective from 25 May 2018, the General Data Protection Regulation (GDPR) makes reporting of personal data breaches mandatory, with notification to the supervisory authority required within 72 hours of becoming aware of the breach where feasible. Non-compliance with GDPR and its other requirements results in regulatory fines.
It might not be possible to completely prevent breaches, but the right preparation can drastically reduce the resulting cost.
Get in touch with GAVS at https://www.gavstech.com/reaching-us/ to understand how to prevent data breaches and their associated costs.