The number of data breaches is on the rise, and so is the cost per breach. It has grown to $4 million in the past year, up more than 30% from 2013, according to a new Ponemon and IBM study.
“Data breaches are now a consistent cost of doing business in the cybercrime era,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.”
On average, companies lose $158 per stolen record. That’s $4 more than in 2015. And in the healthcare industry things look even worse – a compromised record can actually cost a company about $355.
This is a reminder that hospitals store troves of valuable personal information. On the black market, personal medical records are the new currency. They are 10 times more expensive than credit cards, according to Experian. That’s partially because stolen data often includes Social Security numbers that can be used in identity theft.
“Malicious actors want as much intelligence as they can get, and health care is the easiest attack surface for seasoned and non-seasoned hackers,” says James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington D.C.
When it comes to who pays the most, the US ($221) and Germany ($213) have the highest costs, while the lowest are in Brazil and India. Detection, forensic and investigative activities, assessment and audit services and crisis team management account for the bulk of those expenses.
The root causes of data breaches
Most data breaches were caused by malicious or criminal attacks, according to the survey. In the UK specifically, 51% of companies are most likely to experience a data breach caused by a cyber-attack, rather than by a system glitch or business process failure.
The study also found that the average time to identify a breach was 201 days, while the average time to contain it was 70 days. Needless to say, the benefits of responding quickly translate into significant amounts of money. Companies that have managed to identify the intrusion in the first 100 days saved up to $1 million.
“While the risk is inevitable, having a coordinated and automated response plan, as well as access to the right resources and skills, will make or break how much a company is impacted by a security event,” Ponemon adds.
Recommendations for companies
To decrease the cost of a data breach, companies, small, medium or large, should apply these hands-on measures:
Prepare an incident response team. An incident response plan will enable your business to identify, investigate and neutralize security incidents, and to notify the affected parties, in a managed way, whether the incident is a denial-of-service attack, a website defacement or a full-on, large-scale data theft.
Apply extensive use of encryption. Adequate encryption will solve problems with securing information held in databases, laptops, emails, private clouds and big data environments.
Focus on employee training. I can’t stress this enough – employees are often the weakest link in any organization. Training needs to happen before there’s a problem and should include specific rules for email, Web browsing, mobile devices and social networks.
Gather and share threat intelligence. Cyber-threat intelligence has become one of the hot topics of the industry because it is a goldmine of value for organizations. Some of the benefits include better planning for future threats, enhanced communication between the security team, management and board members, better investment strategies, and a more direct connection between security priorities and business risk management priorities.
Notify customers in due time. Breach concealment is not an option, yet not all breaches require notification. If your data was encrypted, or an unauthorized employee accidentally accessed the data but didn’t misuse it, you may not be forced to notify customers. Be sure to seek legal advice before deciding to forgo notification.