“Four years later, Yahoo still doesn’t know how 3 billion accounts were hacked,” ran a TechCrunch headline on November 8, 2017. The 2013 Yahoo breach is still as big as it gets. Since then, eBay, Home Depot, Target, Anthem, Uber, and Equifax have all faced breaches of their own. This flood of corporate data breaches has left many wondering three things:
- What does a security breach really cost a company?
- Why do attackers keep succeeding?
- How can enterprises stay ahead of a breach?
Let’s find out.
What does a breach really cost a company?
Companies often invest millions of dollars to position themselves as being secure and reliable. But a breach can shatter the well-built reputation of any company. Once the news of a breach breaks, customers and investors may lose their trust in the breached company, especially if they feel that company hasn’t acted transparently or worked with their customers’ best interests in mind.
The wrath of Wall Street
A 2017 Ponemon Institute study commissioned by Centrify found a direct correlation between a data breach and a company’s finances: breached companies are more likely to see their stock decline, lose revenue, and lose customers. On average, a company’s stock dropped five percent on the day a breach was disclosed, and companies with a poor security posture saw drops of as much as seven percent, without full recovery for at least 120 days after the breach. Equifax’s share price, for example, had fallen by 35 percent just nine days after it announced its breach.
Fines, penalties, and compensation
Fines, regulatory penalties, and settlements make up a hefty share of post-breach expenses. Companies that serve a global user base are exposed to the fines and penalties of every jurisdiction and regulator that covers their users. On top of this, companies often pay legal fees and settlements to litigants, including partners and consumers. Anthem, the second-largest health insurer in the US, agreed to pay $115 million to settle a class-action lawsuit over its 2015 breach.
Commissioning a third-party investigation is one of the most important steps a company takes after a breach. Target, for example, hired Verizon’s security team to probe its network for weaknesses and assess the breach’s magnitude. The costs of such investigations are rarely disclosed, but companies routinely end up spending more on remediation than it would have cost to implement critical security controls and basic security hygiene in the first place.
Given what a breach costs an organization, one might wonder why so many enterprises, including some Fortune 500 companies, are still experiencing breaches.
So, why do attackers continue to succeed?
It’s complicated. There are a few factors, however, that may be tipping the scales in favor of hackers.
Subpar security practices
Compliance regimes like HIPAA, PCI DSS, the CJIS Security Policy, and the GDPR require organizations to protect sensitive data by following a set of guidelines. Unfortunately, most organizations limit their security hygiene to ticking regulatory boxes rather than investigating controls that would take them beyond compliance. That is dangerous when the regulations themselves set a low bar: many don’t mandate encryption or other industry-recognized best practices. HIPAA, for instance, classifies encryption of protected health information as an “addressable” specification rather than a required one, so a covered entity may document why it considers encryption not reasonable and appropriate and implement an alternative measure instead.
Many organizations also put their data at risk by assuming that cloud providers like Amazon, Google, and Microsoft take full responsibility for securing it. But cloud security follows a shared-responsibility model: the provider secures the underlying infrastructure, while the customer is responsible for how its storage, identities, and access policies are configured. No matter how secure the provider makes its platform, a bucket or database the customer opens to the world is open to the world. Accenture, Verizon, and WWE all suffered data leaks in 2017 for exactly this reason: a misconfigured, publicly readable Amazon S3 bucket, not any weakness in AWS itself.
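As an added example (not code from the article or from any of the companies it names), here is a small audit in Python that shows what “properly configured” means for an S3 bucket. It takes the ACL and bucket policy in the shapes boto3’s get_bucket_acl() and get_bucket_policy() return, flags grants to the AllUsers/AuthenticatedUsers groups and unconditional anonymous Allow statements, and checks a leaky configuration beside a corrected one. The bucket name, account ID, IAM role, and VPC endpoint ID are made up, and the sample documents are constructed here rather than taken from any real account.

```python
import json

# Canned group URIs that make an ACL grant readable by the whole internet (AllUsers)
# or by anyone holding any AWS account (AuthenticatedUsers), which is just as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (grantee_uri, permission) for every ACL grant to a public group.
    `acl` has the shape boto3's get_bucket_acl() returns: {"Owner": ..., "Grants": [...]}."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also "*" inside a list): anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return Allow statements whose Principal is anonymous.
    Each finding records the Sid, the actions, and whether a Condition block scopes the
    grant (e.g. to one VPC endpoint); an unconditional anonymous Allow is the real exposure.
    `policy` may be the JSON string from get_bucket_policy()["Policy"] or a parsed dict."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "Sid": stmt.get("Sid"),
            "Action": [actions] if isinstance(actions, str) else list(actions),
            "Conditional": bool(stmt.get("Condition")),
        })
    return findings


def bucket_is_public(acl, policy):
    """Public if the ACL grants to a public group or the policy has an unconditional anonymous Allow."""
    if acl_public_grants(acl):
        return True
    return any(not f["Conditional"] for f in policy_public_statements(policy))


# --- Constructed sample inputs (hypothetical bucket, account, role and endpoint IDs) ---
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
BUCKET = "arn:aws:s3:::example-backups"

# Weak: the "public-read" canned ACL plus a policy that lets anyone fetch any object.
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
]})

# Corrected: owner-only ACL; policy allows a single IAM role and denies any non-TLS access.
HARDENED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})

# Anonymous but scoped to one VPC endpoint: worth a review, but not internet-public.
VPCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]})

if __name__ == "__main__":
    for name, acl, pol in [("leaky", LEAKY_ACL, LEAKY_POLICY),
                           ("hardened", HARDENED_ACL, HARDENED_POLICY),
                           ("vpce-scoped", HARDENED_ACL, VPCE_POLICY)]:
        print(name, "PUBLIC" if bucket_is_public(acl, pol) else "not public",
              acl_public_grants(acl), policy_public_statements(pol))
```

On a live account the same functions would be fed the output of the boto3 S3 client calls named above, one bucket at a time. The first line of defence, though, is the account-level S3 Block Public Access setting, which overrides both ACLs and bucket policies; an audit like this one is for finding what is already exposed, not a substitute for turning that setting on.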
Likewise, a Ponemon report on managing insider risk found that 66 percent of the surveyed data protection and privacy training professionals considered their own employees the weakest link in their efforts to build a strong security posture. Fewer than half of those surveyed said their organizations make training mandatory for all employees, and even where training is mandatory, exceptions are often made for CEOs and senior executives.
Inadequate equipment, scarce staff
The information security industry is still dominated by prevention tools, and those have proven inadequate against expanding enterprise boundaries, insider threats, and sophisticated attacks that lean on social engineering. Yet CFOs remain reluctant to invest in security. A CFO quote from RSA Conference 2017 captures the challenge: “The problem with CISOs, and the entire cybersecurity field for that matter, is that you keep asking for more money and resources but can’t guarantee or even articulate what I am buying.” Companies that do win budget to replace subpar tools then find that the people needed to use them, analysts skilled in active threat hunting, threat detection, and incident response, are scarce and expensive.
Just plain negligence
A great many data breaches trace back to human negligence. Verizon’s 2017 Data Breach Investigations Report found that about one in four breaches involved an internal actor, and its “miscellaneous errors” pattern (misdelivery, publishing errors, misconfiguration) shows that carelessness rather than malice is behind many of those. The same report found that 81 percent of hacking-related breaches leveraged stolen or weak passwords.
Negligence is especially damaging in key management. Encryption only protects data for as long as the keys stay out of reach; keys stored alongside the ciphertext, hard-coded in application source, checked into repositories, or never rotated hand an attacker the plaintext no matter how correctly the data was encrypted.
An organization’s expensive cybersecurity system is also only as strong as its identity and access management strategy. JP Morgan Chase, Deloitte, and Sony Pictures Entertainment all suffered breaches in which accounts with privileged access were not protected by two-factor authentication, so a single stolen or guessed password was enough.
For an organization that relies on third-party vendors (i.e. most companies), its security is only as good as that of its entire vendor community. Target and Home Depot were both breached by attackers who first obtained a third-party vendor’s credentials and used them to get a foothold in the retailer’s network.
Staying ahead of a breach
Where does this analysis of past breaches leave enterprises? The takeaway is this: there is no secret ingredient to staying ahead of a breach. When it comes to stopping data breaches, it’s going to take a combination of solutions, people, and processes to keep enterprises protected.
First, enterprises need to shift their mindset from relying solely on perimeter protection to emphasizing detection and response. The recent flood of insider threats and social engineering exploits has shown that a strategy built only on prevention tools is risky, because it assumes the attacker never gets in. Companies should invest in tools, technologies, and people that can detect intrusions and misuse inside the network perimeter and on endpoints, not just block them at the edge.
Internally, companies also need to invest time and resources into training staff on data protection and privacy, on the personal and business implications of a security breach, and on complying with regulations. Social engineering has led to countless breaches, so it’s up to security teams to make sure end users do their part in the fight against cyberattacks.
Looking outside their organization, enterprises should collaborate with institutions, regulatory bodies, and government agencies to share security information and experience, as well as set up strong security guidelines and protection mechanisms. In the fight against data breaches, no company can do it alone.