The cost of a data breach? Like all questions, the answer depends. For one thing, it depends on the size of the business: for a US small business it is about $47,000 to $79,841. It is important to note that despite the relatively low expense, a data breach for a small business is often fatal, with 60% going out of business within six months. For a US small business or a large business, the estimates are $620,000, $3.6 million, or $7.9 million. These numbers come from the following sources and studies, respectively: Kaspersky Lab, CSO Online, and IBM/Ponemon. The range depends on a number of factors, the most important being the number of records compromised: the greater the number of records, the greater the cost. These reports are essentially surveys, so the results depend on the questions asked and the answers given, and the questions differ from survey to survey. They are often trying to measure the same thing, but they arrive at different answers.
In the reporting there are common themes. First, the cost of a breach is measured in terms of direct and indirect costs. Direct costs are associated with system downtime, loss of work, the cost of hiring professional services, cash lost to theft, and lost opportunity costs. Indirect costs are in staffing, training, notification costs, legal fees, refunds, damages, and loss of customers. The US has the highest indirect costs; however, the EU will catch up because of the GDPR. In terms of estimating the cost, the IBM/Ponemon report calculates the cost by the number of records compromised, with the US average cost per record at $233. A record is defined as the information that identifies a single person whose information has been lost or stolen in a data breach. Examples are personally identifiable information (PII), healthcare information (HCI), payment card information (PCI), credit card records, etc. The result is that the larger the business, the more records it holds, and the greater the cost of compromise and recovery.
The reporting consensus is that there are three general breach types: first, criminal attacks; second, inherent system errors; and third, human errors. The response and recovery cost will vary by the type of breach, and by the security systems and cybersecurity plans in place prior to the breach. What is the most common cause of a breach? The first answer is humans. The Verizon study reported that most people (78%) will avoid accessing phishing email. However, 4% will click on anything, and the more phishing emails an individual has accessed in the past, the more phishing emails they will access in the future. This means that system compromise arrives via email about 90% of the time; it is the most common attack vector. The solution is to focus on training. This is an issue for larger businesses with thousands of employees, and it is an issue in smaller companies too. However, for many employees their job requires clicking on links and opening email from unknown sources: recruiters, customer service, sales, etc. Correspondingly, the goal of the attacker is to masquerade as a customer, employee, sales lead, etc. The solution is more training; it is also segmenting the network and addressing high-risk users with additional controls.
Other common attacks are Denial of Service (DoS) attacks and ransomware; however, these are not considered breaches, since they do not result in the removal of records. Nevertheless, the total cost to a business can still be considerable.
What is the best defense? That would be to implement cybersecurity best practices and have a cybersecurity plan. There are standards for cybersecurity planning; they include NIST 800-171 and the SANS/Center for Internet Security (CIS) Controls, and in addition there are controls set by industry. Beyond educating system users, there is policy: the policy to encrypt all data, to ensure that all software is kept up to date, that outdated software is replaced, and that vulnerabilities are removed. Other effective controls are two-factor authentication and implementing user roles to segment data. These are all common elements of cybersecurity planning.
A cybersecurity plan will include monitoring and incident response. On average, the time before an intruder or hacker is discovered is now about 191 days. The earlier an intruder is discovered, the lower the cost of response and recovery. It is only through monitoring software tools and proper system configuration that early detection is possible. The second element is incident response planning and exercises. Cost-effective response, recovery, and notification are only possible when there are processes and procedures in place.
The means to control the cost of a breach is adequate and actionable plans. To some extent cyberattacks are inevitable: the defense must be perfect 100% of the time, while the attacker needs to succeed only once. System monitoring can identify the attacker and reduce their time in the system. It is a plan that coordinates detection and executes the response effort, and it is a plan that speeds up recovery. Often the most difficult element in this process is getting management to commit to cybersecurity planning.