BreachExchange mailing list archives

7 Factors that Affect the Cost of a Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 24 Sep 2014 21:06:43 -0600

http://www.hob-trendtalk.com/2014/09/23/7-factors-that-affect-the-cost-of-a-data-breach

Data breaches have become common occurrences. Business costs associated
with data breaches range widely. However, the costs are not strictly direct
monetary costs. Security breaches also negatively impact the reputation of
businesses, generally leading to lost or reduced customer trust and
confidence.

7 Factors that Affect the Cost of a Data Breach

An independent study conducted by Ponemon Institute (sponsored by Symantec)
analyzed the cost sustained by companies from a wide range of industry
sectors, including financial, communications, healthcare and education,
after those companies experienced the loss or theft of protected data. The
research study identified seven factors that influence the cost of a data
breach. The following attributes decrease the per capita cost of a data
breach, and are listed in order of importance:


1.    Strong Security Posture

The overall security plan is referred to as the security posture – the
approach the business takes to security, from planning to implementation.
Understandably, organizations which had a strong security posture
experienced lower costs than those companies that had a weak security
posture at the time of the incident.

This highlights the importance of enforcing a strong security posture: by
implementing strong protection measures, keeping a comprehensive training
and education program in place, and monitoring security levels frequently.
Organizations should protect their information assets by integrating
multiple security practices into a robust, layered defense. This includes
enforcement of password rules, restriction and control of unnecessary
access to internal networks, and the essential use of authentication and
encryption.



2.    Incident Response Plan

The study found that organizations which did not have a security incident
management plan in place at the time of the data breach incurred higher
costs. This is not surprising: without a defined security procedure, a
significant delay before the responsible persons can apply the correct
response is to be expected.

This stresses the importance of having an all-encompassing security policy
which describes in detail how to respond to a security violation. A rapid
response following an information security incident restores network
protection and returns the network to normal operation. Moreover, to be
well prepared when a security incident takes place, the support staff
should practice the response continuously.



3.    A CISO (or Equivalent Title) has the Overall Responsibility for
Enterprise Data Protection

The management of data protection should be centralized, with a single
information security professional responsible for it. Ideally, a Chief
Information Security Officer should have a strong balance of technology
knowledge and business acumen, and be in charge of information security,
information risk management and cybersecurity.



4.    Consultants were Engaged to Facilitate Data Breach Remediation

Organizations which used consultants to help with their data breach
response and remediation strategies experienced lower costs than those
which did not appoint any consultants; in the US, those organizations that
appointed consultants managed to decrease the cost an average of $13 per
compromised or exposed record.

The following three factors increase the per capita cost of a data breach,
also listed in order of importance:



5.    Data Lost Due to Third Party Error

Data breaches caused by third parties carried higher costs; in the US,
third party errors increased the cost of a data breach by an average of
$43 per record. The security policy should therefore also cover third
parties, including vendors, suppliers and business partners, who should
implement all of the same preventive measures.



6.    Lost or Stolen Devices were Involved in the Data Breaches

Data breaches resulting from lost or stolen mobile devices, such as
laptops, smartphones and tablets, as well as from portable data storage
options such as USB drives, containing confidential or sensitive
information, lead to elevated costs.

The replacement cost of the device itself is another factor to take into
account when estimating the data breach cost, so measures to prevent the
loss or theft of mobile devices should be in place. However, it is the
data which should be given first priority for protection.

Probably the best option for accessing company data on the corporate
network from smartphones is to never download data to the smartphone at
all. Since no data is stored on the device, no data can be lost or stolen
when the smartphone is lost: all data remains completely and securely
within the central corporate network.

Furthermore, remote access to sensitive or confidential information should
only be allowed via access methods which are secure, authenticated and
centrally managed. This can be achieved by implementing an SSL VPN, owing
to its ease of use, high security and flexibility. Modern SSL VPN solutions
use strong encryption and authentication methods such as tokens, smartcards
and SSL client certificates to establish a secure connection to the
enterprise network.



7.    Quick Notification to Data Breach Victims

In several countries, including the US, regulations dictate the timely
notification of data breach victims. However, if organizations are too
rapid in contacting individuals, this can actually result in higher costs.
In this context, the term "quick" refers to organizations which notified
data breach victims and/or regulators within 30 days after the discovery
of the data loss or theft. In light of the research findings, it is
advisable to allow a longer period before notifying individuals, while
still complying with the country's regulations.



Takeaways

Data breaches can lead to long-lasting repercussions due to the numerous
costs involved. Knowing the factors that affect such costs facilitates
risk mitigation, since organizations can put the necessary security
measures in place.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 