Data breaches: how to counter the costly matter

Evgeny Melnikov
ITGLOBAL.COM
Dec 26, 2020

If your pocket has a hole, your wallet, keys or whatever else is inside may slip away. In the very same way, if your network has a breach, your data may walk off. At this point the similarity ends. The pocket story is a one-time occurrence: you may whimper over the lost cash, and cancelling and reordering the credit cards is a headache, but hardly anything more. Lost data, on the other hand, keeps circulating, landing repeated punches on your business. Information breaches affect everything: reputation, finances, clientele and partners, on numerous occasions to the extent that one could only wish the business would cease operations as soon as possible. And we are not just trying to scare you: keep on reading.

Data on data losses

Let’s not be prosaic and cite things like “neglecting information security may cost you a fortune”, if only because it really does. The Ponemon Institute, an independent research organization, conducts an annual survey on data breaches and the corresponding losses. Statistics are already available for several past years, and they are a thrill to study. Already in 2014 the average total cost of a data breach per company was an amazing USD 3.5 million. By 2016 it had leapt towards 4M, but now, luckily, the amount shows a tendency to decrease: “just” USD 3.86 million.

Such a sum certainly does not pop up on your bills on one particularly unpleasant day; it accumulates over time. The average time to detect and contain a data breach, according to the same survey, is 280 days, and residual shockwaves are likely to shake a business for several years after the initial breach date.

Some more facts we consider worth mentioning. The regions most prone to holes in their information security are the Middle East, India and Brazil. But breaches in these regions are not as expensive as in the U.S., which tops this unfortunate price list. The North American average total cost of a data breach is a massive USD 8.64 million, and it keeps growing (8.19M in 2019). Healthcare-related information remains the most valuable and sought-after data: the average price tag in this industry reached USD 7.13 million, and it is growing too (6.45M in 2019). Such soaring costs are explained by the highly sensitive nature of health records, since illegal possession of these data opens great opportunities for manipulation, say, fraudulent offers of “quick recoveries”, etc. Another example: the threat to publicly expose someone’s STD is an obvious temptation for blackmail.

Tellingly, the pandemic lockdown of 2020 showed that businesses were not ready to provide adequate data security for a workforce operating remotely. More than three quarters of the participants in the same survey indicated their concern about possible data breaches when the remote office model is in use. About the same share answered affirmatively when asked whether they feared increasing losses with remote operations.

More facts, less figures

In early 2020 the UK-based budget airline easyJet suffered a “highly sophisticated” (as the airline put it) cyber attack that exposed the personal data of 9 million customers and over 2,000 credit card records. A class-action lawsuit for GBP 18 billion was filed against the company; more than 10,000 affected customers were said to have joined it.

An employee of a cloud provider (we omit the company name out of reputational concern) broke into a Capital One bank server and stole 140K U.S. Social Security numbers, 1 million Canadian Social Insurance numbers and 80K bank account numbers. The intruder tried to share the information online. The bank assessed the cost of the breach at between USD 100M and 150M for 2019 alone; the total amount is likely to exceed 300M.

In 2017 Equifax, one of the three major credit reporting agencies, disclosed that the personal data of 143 million people in the U.S., Canada and the UK had been compromised. The breach included highly sensitive information: birth dates, credit card numbers, etc. In 2019 Equifax reached a USD 700 million settlement.

Marriott, Home Depot and many more: the list of affected entities is truly long and, alas, keeps expanding. We have already witnessed data breaches worth a fortune. It is especially painful for smaller companies, those with 500 or fewer employees, as such petite business entities are more vulnerable to holes in their budgets. But the very same survey we keep citing pointed to a great avoidance tool: security automation and network testing. For companies that deployed automated security systems, the total cost of a data breach is USD 3.58 million less than average, leaving the losses at the comparatively minuscule level of “just” 100K.

You’ll come out stronger, even if hurt

The most advanced businesses put their own networks to the test. Firewalls and anti-virus software do their job against embedded malware; companies’ internal policies, if strictly followed, can potentially neutralize malicious intent from within; and for unknown human threats from the outside (read: hacking) there are special procedures called penetration tests, or pentests for short.

Digital Attitude, an Italian virtual training developer, the “golden partner” of Microsoft and winner of the Digital Transformation Champ Awards 2020, was reasonably convinced that its network was secure. Denis Sumin, full stack developer and information security specialist at Digital Attitude, stated that “on the customers’ side there are IDs only — the system does not store emails, or names, or IP addresses”, while on the developers’ side there is no access to the production version of the company’s main product, the habit-inspiring platform. “We have everything firmly set inside. But the outer area is beyond our control, so we decided on a penetration test to strengthen the network security”, concluded Denis.

The test was performed by ITGLOBAL.COM. Despite Digital Attitude’s confidence, a single medium-severity vulnerability, cross-site scripting (XSS), was detected. Simulating the attack, the testers managed to insert their own script into a page so that it executed on the customer’s side. The vulnerability was immediately patched by means of a Content Security Policy.
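To make the XSS finding and its fix concrete, here is an added illustration (not code from the original article, nor from Digital Attitude or ITGLOBAL.COM) of the two layers such a patch usually consists of: escaping untrusted input before it reaches the page, and sending a Content-Security-Policy header so that only scripts carrying a per-response nonce may run. The sample payload, page layout, and function names are constructed for the example.

```python
import html
import re
import secrets
from typing import Dict, Tuple

# Constructed sample input: the classic marker string a tester submits to a
# search field to check whether the page reflects it unescaped.
SAMPLE_INPUT = "<script>alert('xss')</script>"

NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9_-]+)'")


def render_vulnerable(query: str) -> str:
    """Reflects the query straight into the markup: attacker-controlled HTML executes."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def csp_header(nonce: str) -> str:
    """Build a Content-Security-Policy that only permits scripts carrying this nonce.

    object-src 'none' and base-uri 'none' close the usual plugin and <base> bypasses.
    """
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )


def render_hardened(query: str) -> Tuple[str, Dict[str, str]]:
    """Escape the reflected value AND send a CSP, so a missed escape still cannot run."""
    nonce = secrets.token_urlsafe(16)          # fresh per response, never reused
    safe_query = html.escape(query, quote=True)  # < > & " ' become entities
    body = (
        "<html><body>"
        f"<p>Results for: {safe_query}</p>"
        # The application's own script is allowed because it carries the nonce.
        f'<script nonce="{nonce}">console.log("app script");</script>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
    }
    return body, headers


def reflects_raw_payload(page: str, payload: str) -> bool:
    """Simple detection check: does the submitted markup appear verbatim in the page?"""
    return payload in page


def nonce_from_csp(csp: str) -> str:
    """Extract the nonce value from a CSP header (empty string if none is present)."""
    match = NONCE_RE.search(csp)
    return match.group(1) if match else ""


if __name__ == "__main__":
    print("vulnerable reflects payload:", reflects_raw_payload(render_vulnerable(SAMPLE_INPUT), SAMPLE_INPUT))
    body, headers = render_hardened(SAMPLE_INPUT)
    print("hardened reflects payload:", reflects_raw_payload(body, SAMPLE_INPUT))
    print("CSP:", headers["Content-Security-Policy"])
```

The two defences are deliberately independent: escaping removes the injection point, while the nonce-based CSP means that even an injection the developers missed produces a script the browser refuses to execute. A CSP that relies on `'unsafe-inline'` would give up that second layer.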

We organized another pentest for FINOM, an international payment service. Still a startup, this Amsterdam-based financial institution adheres to the strictest security standards and meticulously follows the European GDPR rules. As FINOM accounts contain various highly sensitive, predominantly financial, information, it was decided to test the web application specifically.

ITGLOBAL.COM modeled several attacks of different types, both manual intrusion attempts and penetration with the specific utilities cyber criminals use. Again, merely a single medium-severity vulnerability was found: the web server exposing its software version number. Our specialists’ verdict was that only a highly skilled hacker could potentially get inside the system.
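A version banner in a response header is the kind of finding a team can check for itself before a pentest. The following is an added example, not code from the original article or from the FINOM engagement, that scans a set of HTTP response headers for product/version strings and shows the hardened form of the same headers. The header values are constructed samples, not captured from any real server.

```python
import re
from typing import Dict, List

# Headers that commonly carry a product name and version.
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Generator")

# Matches "product/dotted.version", e.g. "Apache/2.4.41" or "PHP/7.4.3".
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

# Constructed sample responses for the example.
LEAKY_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
}


def version_disclosures(headers: Dict[str, str]) -> List[str]:
    """Return one 'Header: product version' finding per leaked version string."""
    findings: List[str] = []
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in BANNER_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        for product, version in VERSION_RE.findall(value):
            findings.append(f"{name}: {product} {version}")
    return findings


def strip_version_banners(headers: Dict[str, str]) -> Dict[str, str]:
    """Defensive rewrite: drop technology headers and reduce Server to the bare product name."""
    dropped = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}
    cleaned: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.lower()
        if key in dropped:
            continue
        if key == "server":
            # "Apache/2.4.41 (Ubuntu)" -> "Apache (Ubuntu)" -> "Apache"
            value = VERSION_RE.sub(r"\1", value).split(" ")[0]
        cleaned[name] = value
    return cleaned


if __name__ == "__main__":
    for finding in version_disclosures(LEAKY_HEADERS):
        print("disclosure:", finding)
    print("after hardening:", strip_version_banners(LEAKY_HEADERS))
```

In practice the rewrite is done in the server configuration rather than in application code: `ServerTokens Prod` for Apache httpd and `server_tokens off;` for nginx reduce the `Server` header to the product name, and the framework-specific `X-*` headers are disabled in the respective application settings. The checker above is useful as a regression test in a pipeline so that a configuration change does not quietly bring the banner back.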

Data protection per se has no financial value whatsoever. Yet, as it turns out, a careless attitude towards possible breaches can have a substantial financial impact. So taking good care of your data’s safety becomes a valuable asset for your business.
