Over the past 12 months there have been several high-profile data breaches which have hit the headlines. Most recently, the details of members using the infidelity website, Ashley Madison, were stolen. A small percentage of the stolen data, including names and addresses, appeared online shortly after the attack.
Although the attack on Ashley Madison will have come as a shock to the site's 37 million users, attacks of this nature are becoming increasingly common. But what is the impact of data breaches? Sony Pictures, which was the victim of a cyber attack in 2014, predicted that the breach would cost $35M (£23M) for the full fiscal year. Repairing the damage caused can run up a hefty bill. Restoring financial and IT systems results in manhours and software/hardware/vendor expenses.
What is the true cost of a data breach?
A study by The Ponemon Institute has attempted to quantify the cost of a breach. The report found the following key figures:
- Data breaches cost companies an average of £48 in direct costs to resolve the breach, and £92 in indirect costs such as loss of customers. This is a new high of £139 per compromised record.
- The total average organisational cost of a data breach increased to £4.2 million, up from £3.4 million in 2013
- Detection and escalation costs increased from £270,000 to £400,000. These numbers indicate increased investment in forensic and investigative activities, assessment and audit services, crisis team management, and communications to stakeholders and management.
- Post data breach costs increased. These costs typically include help desk activities, inbound communications, special investigative and remediation work, legal expenditures, and more. These costs increased from £1.023 million in 2014 to £1.049 million in this year's study.
It is clear from these figures that data breaches are costly in financial terms. For businesses though, there is also the issue of losing customer trust. To avoid becoming the next organisation at the centre of a data breach story, organisations need to take security seriously.
Education, education, education
In addition to having the right security solutions in place, employers must educate their staff. For hackers wanting to get hold of data, it is a lot easier to target employees than take on the firewall. Employers need to be educating their staff to be aware of hacking techniques such as phishing and social engineering attacks. Phishing is very much like the name it derives from. The hacker will send out an email, which may look legitimate, to a whole host of inboxes. It will only take one employee to click on the malicious link and the hackers could have access to the network.
There are plenty of precautions businesses and staff can do to protect against attacks.
The advice to employees needs to be to remain vigilant. They must question any unexpected email, with an attachment that arrives in their inbox. If it looks too good to be true, it probably is.
Trust no one, suspect everyone
If organisations want to get tough on protecting their network, they need to realise everyone and everything can be a threat. Every piece of software and hardware used could be a potential route in for hackers. This highlights the need for organisations to work in a zero trust environment. Zero trust environments are implemented by firewalls and take away the automatic assumption that an action or actions should be trusted. Every action needs to be treated with the same degree of suspicion regardless of where the action is coming from. Ensure that any compromised employee-owned device does not remain undetected and able to crawl its way into the crucial parts of the networks and data. If an issue is noticed, it needs to be scrutinised and investigated until resolved.
Simple steps to protection
Data breaches are in the public eye more than ever following attacks on large organisations and governments. However, this doesn't mean that these are the only targets which hackers are going after. Businesses of all sizes should follow these simple steps to maintaining a secure network:
- Train employees to remain vigilant and educate them about emerging threats - the best line of defence is to have the correct security solutions and procedures in place. Additionally, staff have a part to play by questioning anything suspicious in their inbox or on the web.
- Work in a zero trust environment - if everything is put under the microscope then it makes it a lot harder for the hackers to make their way in and hide.
- Create a dedicated budget to address cyber security - to avoid paying out fees following a breach, be proactive and ensure you have the correct hardware and software in place rather than as a reaction to a hack or data loss incident.