Telecom Review North America

We Should Still Care About Data Breaches
Thursday, 02 May 2019 08:25


It seems like every day you read in the news about another data breach. According to a study published by IBM, an organization has a 27% chance of suffering a breach of at least 1,000 records. There have been so many data breaches in the past several years that they now seem commonplace.[1]

“According to the Privacy Rights Clearinghouse, there have been 9,033 data breaches made public since 2005 — and those are just breaches that were reported in the U.S. or affected U.S. consumers. Spread out over the last 14 years, that averages out to about 1.77 breaches a day. All told, there were at least 11.6 billion records lost in those breaches.”[2]

Many experts today believe that consumers are now suffering from "data breach fatigue." Instead of being outraged, consumers feel either despondent or apathetic, often choosing not to discuss it with their friends or family. If pressed, most consumers will say that they care; however, a recent study by the Ponemon Institute found that 32% of data breach victims took no action to protect their data after a breach, and 55% took no action to guard against identity theft.[3] It’s clear that our actions don’t match our words when it comes to data breaches.

Given the relative apathy of consumers and the likelihood that every organization will eventually become the victim of a breach, it’s inevitable that some businesses will choose not to dedicate adequate resources to their cybersecurity programs. However, becoming the victim of a cybersecurity incident often results in the company having to pay substantial direct and indirect costs.

Costs to Consumers and Businesses

The cost of a significant data breach in the United States is astounding. According to the study published by IBM, the average cost of a breached record for a U.S. company was $233, and the average total cost of a data breach in the United States was nearly $8 million.[4] These costs were demonstrated to an extraordinary degree in the 2017 Equifax breach of approximately 143 million records. Since that time, reports indicate that Equifax has paid a total of $439 million in costs, which include security upgrades, credit monitoring services, legal fees, as well as fines and settlements from scores of lawsuits.[5]

Not only do organizations pay exorbitant direct costs as the result of a breach; cybersecurity incidents can also affect an organization’s bottom line through indirect costs. Before it was revealed that Yahoo! had suffered a mega-breach of approximately 500 million accounts in 2013 and 2014, Yahoo! was set to be purchased by Verizon for approximately $4.8 billion. After the breach, Verizon purchased Yahoo! for approximately $4.48 billion. This breach, which did not include sensitive information such as payment card or bank information, cost Yahoo! $350 million. Worse yet, this amount did not include costs related to legal fees, fines, breach notifications, and various corrective actions.[6] Given the astronomical costs of a data breach, it’s important to discuss some quick action items that companies can take to help them guard against such incidents.

Effective Strategies for Preventing Breaches

What can be done to protect your customers’ information? While the answer is always going to be “adopt a best-practices information security program such as what is stated in the NIST 800-53 framework,” there are some immediate action items that can be undertaken to mitigate the risk of being the victim of a material breach.

First, approximately 25% of data breaches are the result of well-meaning employee mistakes such as falling for a phishing scheme or inadvertently disclosing sensitive data. To guard against these mistakes, organizations should provide basic security awareness training to information system users, including managers, senior executives, and contractors, as part of initial onboarding training. Companies should provide this training within 60 days of onboarding. The organization’s workforce members should also be provided with refresher training on an annual basis.

Second, organizations should ensure that their patching practices are up to speed. Within the past couple of years, studies have shown that inadequate patching of information systems has been one of the main causes of data breaches.[7] For new systems, the organization should ensure that the latest patches are installed so that those systems comply with the organization’s hardened system configuration. For systems that are considered critical, organizations should install each patch within one month of its release.

Finally, it’s important to be aware of who is doing what within the information system. Companies should ensure that an audit logging mechanism is running on the information system and that the mechanism cannot be disabled by users. This audit logging solution should log, among other things, all user access to the sensitive information environment as well as invalid access attempts. The logging mechanism should identify the user and record the type of event that was performed, as well as identify the affected data, component or resource. Logs should be reviewed daily, and when suspicious activity is discovered, the organization should address the incident according to the organization’s incident response policy. Many incidents last for months or years because administrators are not actively monitoring system activity on a daily basis. By monitoring system activity, companies can greatly reduce the severity of an incident should it occur.
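As an added illustration of the daily log review described above (example code, not from the article or from CompliancePoint), the script below parses constructed audit records that carry the fields the text calls for (user, event type, outcome, affected resource), treats a record missing any of them as a finding, and flags repeated invalid access attempts, changes to the audit configuration, and successful access outside business hours. The log format, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit records (not from the article). Each well-formed line
# carries the fields the text calls for: user, event type, outcome and resource.
SAMPLE_LOG = """\
2019-05-01T08:02:11Z user=jdoe event=LOGIN outcome=SUCCESS resource=phi-db
2019-05-01T08:05:40Z user=jdoe event=READ outcome=SUCCESS resource=phi-db/patients
2019-05-01T09:12:03Z user=mallory event=LOGIN outcome=FAILURE resource=phi-db
2019-05-01T09:12:09Z user=mallory event=LOGIN outcome=FAILURE resource=phi-db
2019-05-01T09:12:15Z user=mallory event=LOGIN outcome=FAILURE resource=phi-db
2019-05-01T10:30:00Z user=admin event=AUDIT_CONFIG outcome=SUCCESS resource=auditd
2019-05-01T11:00:00Z user=svc-backup event=READ outcome=FAILURE resource=phi-db/patients
2019-05-01T23:45:00Z user=jdoe event=READ outcome=SUCCESS resource=phi-db/patients
2019-05-01T23:46:00Z user=jdoe event=READ outcome=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
                     r"outcome=(?P<outcome>\S+) resource=(?P<resource>\S+)$")

def parse_log(text):
    """Parse records; a line missing a required field is itself a finding."""
    records, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            malformed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records, malformed

def daily_review(records, malformed, fail_threshold=3, quiet_hours=(22, 6)):
    """Findings a reviewer escalates under the incident response policy."""
    findings = [f"record missing required fields: {line}" for line in malformed]
    failures = Counter(r["user"] for r in records if r["outcome"] == "FAILURE")
    findings += [f"{u}: {n} invalid access attempts" for u, n in failures.items()
                 if n >= fail_threshold]
    for r in records:
        if r["event"] == "AUDIT_CONFIG":  # logging must not be silently altered
            findings.append(f"{r['user']} changed audit configuration on {r['resource']}")
        hour = r["ts"].hour
        if r["outcome"] == "SUCCESS" and (hour >= quiet_hours[0] or hour < quiet_hours[1]):
            findings.append(f"{r['user']} accessed {r['resource']} at {r['ts'].isoformat()}")
    return findings
```

Run against the sample, the review yields four findings: the truncated record, three failed logins by one account, an audit configuration change, and a late-night read of the patient table.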

While cybersecurity incidents have become commonplace in today’s information security landscape, the costs incurred by companies that have been breached have demonstrated the need for continued cybersecurity vigilance. By training their workforce, patching their systems, and monitoring the activity that takes place on the information system, companies can reduce the risk of an incident as well as lessen the severity should one occur.

About the Author:

Dan Kiehl obtained his Juris Doctor degree from Valparaiso Law School in 2012, and practiced law for three years before transitioning to a compliance-based consulting role that allows him to help a wide variety of healthcare organizations remain compliant with multiple healthcare laws and standards. In his current role as a CompliancePoint Policy Analyst, he consults with a wide variety of organizations to ensure their privacy and information security policies are compliant with the various regulatory and third-party frameworks (e.g., GDPR, HIPAA, HITRUST, PCI, SOC 2, NIST and ISO).