With an increase in threats to compliance and the growing number of security breaches, many business leaders, like you, wonder about the real costs of cybercrime. Most organizations understand the value of security and the importance of regulatory compliance, but are unable to protect their sensitive data based on best practices.
“Companies understand the threats they face from attackers that want to steal or damage their data, but must do a better job of protecting against them if they are to avoid damaging losses. With sensitive data stored so ubiquitously in company infrastructures, the onus is on executives to ensure that it is properly shielded from unauthorized access.” Source: NTT Communications 2016 Risk Value Report.
“The NTT Communications 2016 Risk Value Report” found that 25% of businesses expect their company to face a data breach in the future. Now that the average security breach costs $1 million, most organizations can’t afford such an occurrence. Still, businesses tend to take a reactive rather than a proactive approach to cybersecurity. Let’s explore the real costs of a data breach to your business and how you can take a preventive, comprehensive approach to security.
Know the Financial Costs of a Data Breach
As we increase data sharing and mobility, our cyber risks also increase. Attack tools and strategies today are more sophisticated than ever—making it easier to access your data. Cybersecurity incidents are commonplace, and any number of parties can initiate them—cybercriminals, hackers, or malicious employees. These security incidents can result from hacktivism, improper infrastructure, human error, or lack of proper training. According to a 2016 Ponemon Institute study, half of all data breaches are the result of malicious intent or cybercrime, 27% are due to system errors, and 23% result from human error. These breaches cost $236, $213, and $197 per capita, respectively.
As the “IBM 11th Annual Cost of Data Breach Study” notes, “the average consolidated total cost of a data breach grew from $3.8 million to $4 million, and the average cost incurred for each lost or stolen record containing confidential information increased from $154 to $158. In addition to cost data, the global study puts the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.”
Often Overlooked Costs
The complete financial costs of a data breach can be hard to quantify. Tangible assets are the easiest piece of the puzzle, but consider other expenses such as lost future business and reputational damage. Intellectual property loss, downtime, and operational impacts affect the daily activities of an organization and render it unproductive. Noncompliance is also a substantial financial factor—breaches often incur attorney’s fees, prosecution, and penalties.
Each data breach accumulates costs related to investigation, response, notifications to regulatory organizations, victim identification, public response, victim outreach, and internal and external communication campaigns. Victims often require compensation, as well.
According to Darren Gibson, vice president of sales for the payment processor Financial Innovations Group, “If or when a merchant experiences a security breach and is found to be non-compliant with PCI, then they leave themselves open to fines from their acquiring banks. The fines, of which aren’t small either, depending on the circumstances of the hack a merchant may be forced to pay anywhere from $5,000 to $100,000 each month they remain uncompliant to the PCI Standards.”
Many organizations are blindsided by the fines associated with regulatory settlements.
Assess the Risk for Your Industry
Every industry is at risk for a data breach, but some are especially vulnerable and make attractive targets for hackers. Financial services, healthcare, and other industries holding sensitive data are at the top of the list. The “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data” published by the Ponemon Institute in 2016, found that 65% of organizations experienced a breach within the past two years, while 87% HIPAA-compliant third-party vendors (business associates) had incurred a breach. Criminal attacks are the number one cause of healthcare breaches, and they’re seriously expensive. Total costs of healthcare breaches resulted in an average of $2.1 million for healthcare entities and $1 million for business associates.
Recent cases show that costs may be even higher. In July 2016, Oregon Health and Sciences University paid a $2.7 million settlement for health information breaches, while Advocate Health Care in Illinois paid $5.5 million.
In spite of these alarming trends, respondents to the Ponemon report said that they had no plan to change what they’re doing about cybersecurity. Only 40% of healthcare organizations and business associates intended to make changes.
Take a Proactive Approach
In light of the mounting risks to security and the expenses of a breach, every organization must make risk-aware decisions. The ultimate goal: mitigate risk without addressing every threat or vulnerability. The majority of you don’t have the budget to address every single threat to your system, so a strategic approach is essential. So where does one start?
It’s imperative to begin with an incident response plan. The same Ponemon report on business security found that having a dedicated threat response team reduces the per capita cost of breaches by $26. Encryption—which most regulatory bodies require—reduces costs by $19 per capita.
Training continues to be a major weakness for companies large and small. Yet effective security training can reduce the financial implications of a breach.
The importance of ownership and planning for cybersecurity cannot be understated. Know the true financial costs of a breach, both immediate and future. Educate your team about compliance and security to mitigate your risk effectively.
Additional Resources on This Topic:
This article was first published on OnRamp.
With over a decade of experience in data center services, Bobby Boughton oversees the strategy, implementation and execution of OnRamp’s sales and business development for OnRamp’s growing, high security hosting, cloud computing and colocation services. Connect with Bobby Boughton on LinkedIn.