Where Is the Disconnect? Data Breach? Pocket Change. Victims? Who Cares?
I am continually surprised that US companies have a devil-may-care attitude towards data breaches. New legislation protects all financial companies from ever having to admit to a data breach, or from having to notify victims that their personal information was stolen.
A few years ago the average cost of a data breach was much lower; it has since crept up to about $9 million. That average hides the outliers: Yahoo (3 billion accounts exposed), Adult FriendFinder (412.2 million), eBay (145 million), and good old Equifax (143 million). Those figures are counts of compromised accounts, not dollars, and the eventual costs of those breaches run far beyond the average. I guess the average is still pocket change for many companies. In retrospect, how many of these companies would have been better off being straightforward and honest about the problem instead of hiding it? It’s true, hindsight is 20/20. But even setting the money aside, why on earth would you want the disruption to the business?
I don’t understand how companies have no idea they have been breached, and then don’t want to notify the victims once they do find out. Of course, notifying victims months later also means the damage has already been done. Where is Don Quixote when you need him? And yes, detection time does affect the overall cost of a data breach. The ‘2017 Cost of a Data Breach Study’, sponsored by IBM and written by the Ponemon Institute, treated detection time as a cost factor, and the findings were interesting.
According to the report, “The mean time to identify (MTTI) and mean time to contain (MTTC) were reviewed. Overall, it took more than six months on average to detect an incident, with an average of 55 days or almost two months to contain it.” Hopefully, none of these companies have to comply with the General Data Protection Regulation (GDPR) 72-hour breach notification requirement! The GDPR clock starts when the organization becomes aware of the breach, not when the breach occurred, but a six-month MTTI still means victims’ data has been exposed for half a year before anyone is told.
The report continues, “If the MTTI was less than 100 days, the average cost to identify the data breach was $5.99 million, however, if the MTTI is greater than 100 days, the average cost increased to $8.70 million.” In a study by Neustar last year, Distributed Denial of Service (DDoS) attacks led to losses of between $50,000 and $100,000 per hour – not exactly petty cash. It would seem to be in the best interest of companies to take a more proactive stance towards cybersecurity.
The obvious reluctance of US companies to notify victims of a breach is costing them money by the hour. Having thought about the ‘why’ of this situation, the only reasons I can think of are fear of a loss of stock value (Yahoo is paying for that now), loss of brand (Target still hasn’t recovered), and loss of public trust (Equifax). However, by refusing to fess up, they have undermined exactly what they were trying to protect. Breaches from several years ago keep resurfacing in the news. It appears you can’t hide forever. We hope.
On a different note, the report also looked at the costs associated with having a business continuity or disaster recovery plan. Unsurprisingly, the cost of a data breach goes down when a plan is in place. The report also noted the difference between companies that had a manual plan and those that had an automated one. “Companies using a manually operated Disaster Recovery process experienced an estimated average cost of $6,101 per day. In comparison, organizations utilizing an automated Disaster Recovery process had an average cost per day of $4,041.” This is interesting, considering the study found that 75 percent of the survey respondents did not have a disaster recovery plan, and 66 percent admitted that they could not recover from a cybersecurity attack. What am I missing here?
We have a client that took security very seriously and needed to address internal data breaches, which are cited as a primary cause of breaches. The other challenge was that its 24,000 employees were globally dispersed, and compliance with every national and even regional regulation and mandate was becoming a problem. Maybe you have the same issues they had: end-user tagging that did not always reflect the confidentiality of a document’s content; sensitive content that had to be processed manually; no way to identify sensitive content in real time; unauthorized users sharing private or sensitive information with third parties; and no process to identify sensitive company information, apply security controls, and adhere to global compliance requirements. Read how the client solved its privacy challenges.