Computer breaches are expensive, and for a small business they can be catastrophic. The actual cost varies from business to business; for larger businesses holding more records, it can be over $7 million.
Despite the range in costs, there are common causes of breaches, and there are also simple solutions. The organizational goal is to reduce the probability of a breach and, at the same time, to watch for indications of a breach and be prepared to respond.
The cost of a data breach? Like all questions, the answer depends. For one thing, it depends on the size of the business: for a US small business it is about $47,000 to $79,841. It is important to note that despite the relatively low expense, a data breach for a small business is often deadly, with 60% going out of business within six months. For a US enterprise or large business, it is going to be $620,000, $3.6 million, or $7.9 million. These numbers come from the following studies, respectively: Kaspersky Lab, CSO Online, and IBM/Ponemon. The range depends on a number of factors, the most important being the number of records compromised: the more records, the greater the cost. These reports are essentially surveys, so the results depend on the questions asked and the answers given, and the questions differ for each survey. They are often trying to measure the same thing, but they arrive at different answers.
There are common themes in the reporting. First, the cost of a breach is measured in terms of direct and indirect costs. Direct costs are associated with system downtime, loss of work, the cost of hiring professional services, the loss of cash due to theft, and lost opportunity costs. Indirect costs are in staffing, training, notification costs, legal fees, reimbursements, refunds, damages, and loss of customers. The US has the highest indirect costs; however, the EU will catch up due to the GDPR. To estimate the cost, the IBM/Ponemon report multiplies by the number of records compromised, with the US average cost per record at $233. A record is defined as the information that identifies a single person whose information has been lost or stolen in a data breach. Examples are personally identifiable information (PII), healthcare information (HCI), payment card information (PCI), credit card records, etc. The result is that the larger the business, the more records it holds, and the greater the cost of compromise and recovery.
The causes of a data breach? The reporting consensus is that there are three general breach types: first, criminal attacks; second, inherent system errors; and third, human errors. The response and recovery cost will vary by the type of breach and by the security systems and cybersecurity plans in place prior to the breach. What are the most common causes of a breach? The first answer is humans. The Verizon study reported that most people (78%) will avoid opening phishing email. However, 4% will click on anything, and the more phishing emails an individual has opened in the past, the more phishing emails they will open in the future. This means that system compromise arrives via email about 90% of the time, making it the most common attack vector. The solution is to focus on training. This may be a challenge for larger businesses with thousands of employees; in smaller companies, the problem may be easier to root out. Other common attacks are Denial of Service (DoS) attacks and ransomware. These are not considered breaches, since they do not result in the removal of records, but the total cost to a business can still be considerable.
What is the best defense? That would be to implement cybersecurity best practices and have a cybersecurity plan. Standards for cybersecurity planning include NIST 800-171 and the SANS/Center for Internet Security (CIS) Controls; in addition, there are controls set by industry. One of the most effective measures is to educate system users. Another is software updating and patch management, which ensures outdated software is replaced and known vulnerabilities are removed. Other effective controls are two-factor authentication and implementing user roles to segment data. These are all common elements of cybersecurity planning.
A cybersecurity plan will include monitoring and incident response. On average, the time before an intruder or hacker is discovered is now about 191 days. This is an improvement; in the previous reporting, it was 201 days. The earlier an intruder is discovered, the lower the cost of response and recovery. Early detection is only possible through system monitoring tools and proper system configurations. The second element is incident response planning and exercises. Cost-effective response and recovery is only possible when processes and procedures are already in place. Additionally, meeting US state, federal, and GDPR reporting and notification requirements within the required time frames is only achievable with prior planning and resources.
The means to control the cost of a breach is adequate and actionable plans. To some extent cyberattacks are inevitable: the defense must be perfect 100% of the time, while the attacker needs to be successful only once. System monitoring can identify the attacker and reduce the time spent in the system; a plan coordinates and executes the response effort and speeds up recovery. Often the most difficult element in this process is getting the management commitment to establish the plans.
Author, Mike Olivier, MBA, MSCS is a certified PMP professional, with cybersecurity experience. His company 171Comply, located in San Diego, CA provides cybersecurity consulting services, taking a business approach to cyber planning challenges. As a GovFlex registered consultant, Mike and his company are available to provide services via the GovFlex platform.
The views expressed in GovFlex blog postings are solely those of the author.