The true price of a data breach and how to avoid paying it

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.information-age.com/technology/security/123460695/true-price-data-breach-and-how-avoid-paying-it

Over the past 12 months there have been several high-profile data breaches
which have hit the headlines. Recently, almost 157,000 TalkTalk customers
had their personal details hacked. A small percentage of the stolen data,
including names and addresses, were put up for sale shortly after the
attack.

Although the attack on TalkTalk will have come as a shock to its 4 million
customers, attacks of this nature are becoming increasingly common. But
what is the impact of data breaches? Sony Pictures, which was the victim of
a cyber attack in 2014, predicted that the breach would cost $35M (£23M)
for the full fiscal year. Repairing the damage caused can run up a hefty
bill. Restoring financial and IT systems results in manhours and
software/hardware/vendor expenses.

What is the true cost of a data breach?

A study by The Ponemon Institute has attempted to quantify the cost of a
breach. The report found the following key figures:

For the eighth consecutive year, the average cost per lost or stolen record
has risen. In the latest findings, the figure rose from £95 in 2014 to £104
per record in 2015

The total average organisational cost of a data breach increased to £2.37
million, up from £2.21 million in 2014

Detection and escalation costs increased from £520,000 to £550,000. These
numbers indicate increased investment in forensic and investigative
activities, assessment and audit services, crisis team management, and
communications to stakeholders and management.

Lost business costs, including the turnover of customers, increased
customer acquisition activities and reputation losses, increased from
£950,000 in 2014 to £1.07 million in 2015.

It is clear from these figures that data breaches are costly in financial
terms. For businesses though, there is also the issue of losing customer
trust. To avoid becoming the next organisation at the centre of a data
breach story, organisations need to take security seriously.

Education, education, education

In addition to having the right security solutions in place, employers must
educate their staff. For hackers wanting to get hold of data, it is a lot
easier to target employees than take on the firewall.

Employers need to be educating their staff to be aware of hacking
techniques such as phishing and social engineering attacks. Phishing is
very much like the name it derives from. The hacker will send out an email,
which may look legitimate, to a whole host of inboxes. It will only take
one employee to click on the malicious link and the hackers could have
access to the network.

There are plenty of precautions businesses and staff can do to protect
against attacks.

The advice to employees needs to be to remain vigilant. They must question
any unexpected email, with an attachment that arrives in their inbox. If it
looks too good to be true, it probably is.

Trust no one, suspect everyone

If organisations want to get tough on protecting their network, they need
to realise everyone and everything can be a threat. Every piece of software
and hardware used could be a potential route in for hackers.

This highlights the need for organisations to work in a zero trust
environment. Zero trust environments are implemented by firewalls and take
away the automatic assumption that an action or actions should be trusted.

Every action needs to be treated with the same degree of suspicion
regardless of where the action is coming from. Ensure that any compromised
employee-owned device does not remain undetected and able to crawl its way
into the crucial parts of the networks and data. If an issue is noticed, it
needs to be scrutinised and investigated until resolved.

Simple steps to protection

Data breaches are in the public eye more than ever following attacks on
large organisations and governments. However, this doesn’t mean that these
are the only targets which hackers are going after. Businesses of all sizes
should follow these simple steps to maintaining a secure network:

Train employees to remain vigilant and educate them about emerging threats
- the best line of defence is to have the correct security solutions and
procedures in place. Additionally, staff have a part to play by questioning
anything suspicious in their inbox or on the web.

Work in a zero trust environment - if everything is put under the
microscope then it makes it a lot harder for the hackers to make their way
in and hide.

Create a dedicated budget to address cyber security - to avoid paying out
fees following a breach, be proactive and ensure you have the correct
hardware and software in place rather than as a reaction to a hack or data
loss incident.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!