The true price of a data breach and how to avoid paying it

The cyber-attack on TalkTalk could cost it up to £35m in one-off costs, the company has said.

Over the past 12 months there have been several high-profile data breaches which have hit the headlines. Recently, almost 157,000 TalkTalk customers had their personal details hacked. A small percentage of the stolen data, including names and addresses, were put up for sale shortly after the attack.

Although the attack on TalkTalk will have come as a shock to its 4 million customers, attacks of this nature are becoming increasingly common. But what is the impact of data breaches? Sony Pictures, which was the victim of a cyber attack in 2014, predicted that the breach would cost $35M (£23M) for the full fiscal year. Repairing the damage caused can run up a hefty bill. Restoring financial and IT systems results in manhours and software/hardware/vendor expenses.

What is the true cost of a data breach?

A study by The Ponemon Institute has attempted to quantify the cost of a breach. The report found the following key figures:

For the eighth consecutive year, the average cost per lost or stolen record has risen. In the latest findings, the figure rose from £95 in 2014 to £104 per record in 2015

The total average organisational cost of a data breach increased to £2.37 million, up from £2.21 million in 2014

Detection and escalation costs increased from £520,000 to £550,000. These numbers indicate increased investment in forensic and investigative activities, assessment and audit services, crisis team management, and communications to stakeholders and management.

Lost business costs, including the turnover of customers, increased customer acquisition activities and reputation losses, increased from £950,000 in 2014 to £1.07 million in 2015.

It is clear from these figures that data breaches are costly in financial terms. For businesses though, there is also the issue of losing customer trust. To avoid becoming the next organisation at the centre of a data breach story, organisations need to take security seriously.

Education, education, education

In addition to having the right security solutions in place, employers must educate their staff. For hackers wanting to get hold of data, it is a lot easier to target employees than take on the firewall.

Employers need to be educating their staff to be aware of hacking techniques such as phishing and social engineering attacks. Phishing is very much like the name it derives from. The hacker will send out an email, which may look legitimate, to a whole host of inboxes. It will only take one employee to click on the malicious link and the hackers could have access to the network.

There are plenty of precautions businesses and staff can do to protect against attacks.

The advice to employees needs to be to remain vigilant. They must question any unexpected email, with an attachment that arrives in their inbox. If it looks too good to be true, it probably is.

Trust no one, suspect everyone

If organisations want to get tough on protecting their network, they need to realise everyone and everything can be a threat. Every piece of software and hardware used could be a potential route in for hackers.

This highlights the need for organisations to work in a zero trust environment. Zero trust environments are implemented by firewalls and take away the automatic assumption that an action or actions should be trusted.

Every action needs to be treated with the same degree of suspicion regardless of where the action is coming from. Ensure that any compromised employee-owned device does not remain undetected and able to crawl its way into the crucial parts of the networks and data. If an issue is noticed, it needs to be scrutinised and investigated until resolved.

Simple steps to protection

Data breaches are in the public eye more than ever following attacks on large organisations and governments. However, this doesn’t mean that these are the only targets which hackers are going after. Businesses of all sizes should follow these simple steps to maintaining a secure network:

Train employees to remain vigilant and educate them about emerging threats – the best line of defence is to have the correct security solutions and procedures in place. Additionally, staff have a part to play by questioning anything suspicious in their inbox or on the web.

Work in a zero trust environment – if everything is put under the microscope then it makes it a lot harder for the hackers to make their way in and hide.

Create a dedicated budget to address cyber security – to avoid paying out fees following a breach, be proactive and ensure you have the correct hardware and software in place rather than as a reaction to a hack or data loss incident.

Sourced from Wieland Alge, VP & GM EMEA, Barracuda Networks

This article is tagged with: