With the average cost of data breaches rising – including the per-record cost of each breach – it is high time most enterprises got serious about changing their approach to infosec.
As 2017 gets further in our rear-view mirror, many are saying that 2018 should bring changes to their approach to information security. Eighty percent of survey respondents in the U.S. and U.K. say they’ll change how they approach security, with most either switching managed service providers or switching from internal to third party resources, many for the first time.
Ponemon Institute estimates an average breach cost of $3.5 million in 2017, with a 27% probability that a U.S. company will experience a breach in the next 24 months that costs them between $1.1M and $3.8M. If you multiply Ponemon’s estimated per-record cost for a breach, split out by industry vertical, many of the breaches listed at the end of this article would potentially cost hundreds of millions of dollars. There are other cost factors: Yahoo’s acquisition by Verizon saw a $350M reduction in purchase price due to a loss of 1.5 billion records. The IRS estimates that due to a scheme involving the IRS Data Retrieval Tool, used to complete the Free Application for Federal Student Aid (FAFSA), it cost the government (and taxpayers) $30 million in fraudulent tax returns. Health insurer Anthem has agreed to a $115 million settlement in connection with a breach that impacted 80 million of their customers. It’s interesting to note that if multiplied by Ponemon’s estimated per-record breach cost of $380 for the health vertical, their liability would have been over $3 billion.
What happens when threat actors themselves are breached? A group of spammers operating under the name River City Media unknowingly released their own ill-obtained data stores of Personal Identifiable Information (PII) due to backup misconfigurations, resulting in an estimated additional breach of 383 million records – this from a database discovered to have 1.4 billion records. Another spambot breach reportedly involves over 700 million records.
The number of people whose personal information has not been breached is relatively low, and lack of proper attention to security infrastructure and operations is the root cause of almost all of the most notable breaches of 2017. With Equifax, it was a lack of appropriate patch management and a failure to notice data exfiltration. With Saks, a website design flaw was linked to unencrypted customer data. For several others, it was a contractor that left PII exposed, whether by error or negligence, on AWS. Uber even tried to cover up its breach by paying off the threat actors who stole the data. To ensure the fox isn’t in the henhouse, third-party security providers can provide guidance and oversight, especially if they report to the CFO, CEO and Chief Legal Counsel levels of management.
What’s more, the Mean Time to Identify and Mean Time to Contain for 2017 remain at 208 and 52 days respectively, dramatically increasing breach costs. It’s not just that proper controls, architecture, and policy are lacking: suboptimal incident detection and response raise the cost of a breach even higher.
For many of the breaches of 2017, the number of records stolen has not been released, and investigations are still ongoing. At least 30 states in 2017 introduced or considered security breach notification bills and resolutions, and federal legislation is being formed that would carry a 5-year prison sentence for those who fail to notify.
The European Union’s General Data Protection Act (GDPR) carries a non-compliance penalty that is 4% of a company’s global revenues or €20 million, whichever is greater. Complying with security best practices almost becomes a cost center unto itself, not because of revenue it will gain, but because of monetary value that proper security would preserve.
Many times, I’ve heard security expenditures referred to as being akin to insurance, but the two are distinct. Insurance replaces the value that is lost, while security strives to prevent the loss from happening in the first place. It’s an important difference: not putting people’s information at risk is far preferable to being reimbursed for costs incurred due to inadequate security.
The most logical course of action for any business that wishes to avoid exposing sensitive data and incurring subsequent breach costs, including regulatory fines and penalties, is to use the security resources that bring the most value. Appetite for CapEx and payroll vs. OpEx certainly plays a role.