Data Breach Incidents Cost U.S. Companies
The Ponemon Institute released a study last month which examined 43 organizations across 17 different industry sectors, showing that data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007. Since the study's inception in 2005, this cost component has grown by more than $64 on a per victim basis, nearly a 40% increase.
Implications of Data Breaches
The implications of data breaches go beyond the direct costs associated with notification and security response and include the potential of regulatory fines, customer defections, opportunity loss, and brand damage. With data breaches seemingly a constant in the news, it's clear that more action is required to reverse the trend, stop the losses and repair the damage. Of the companies surveyed, more than half of respondents believed that training and awareness programs would assist in preventing future breaches, and 44 percent looked to expanded use of encryption.
Both of those options are reasonable measures to put in place to cope with potential future data breaches. Generally, such measures are most effective when driven by a risk management program. Such an approach can help guide the deployment of both technology and resources in the most efficient fashion, as well as ensure ongoing measurement and reporting to management on program efficacy.
Get Started With a Risk Assessment
The best place to get started is with a risk assessment. This helps you to better understand your position and avoid potential loss, both operationally and from a reputation point of view.
The following is a brief example focused on the risk to data:
The Assets (what are you trying to protect?): PII (personally identifiable information)
  - You need to know where it is, how it is used and how it is transported over the network
The Threats (what are you afraid of happening?)
  - Sophisticated cybercriminals stealing account credentials, credit card records or medical histories to file false claims
  - Hackers using application attacks to gain access to database records
  - Insiders gathering personal data through misconfigured access control
The Vulnerabilities (how could the threat occur?)
  - Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
Current Mitigation (what is currently reducing the risk?)
  - Staff
  - Technology
  - Processes
In this case the impact to the business is high and the probability of exposure is serious. The overall risk is medium to high depending upon the track record and the operational effectiveness of the controls. These processes can be broadly applied across industry segments.
Risk Management Program
From the starting point of a risk assessment for a critical area to the business, a broader-based risk management program can be developed. Such a program can be driven through both qualitative and quantitative methods. A quantitative approach allows risk to be expressed with financial values and thus resonates strongly with management. However, such a process is resource intensive and thus more expensive, so broad-based coverage is challenging. Therefore focusing on high impact areas with quantitative methods and driving coverage with qualitative approaches tends to produce the best results.
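As an added illustration (not part of the original article or the Ponemon study), the following Python script turns the PII assessment above into a small risk register that produces both views discussed here: a qualitative low/medium/high rating that moves with the operational effectiveness of the staff, technology and process controls, and a quantitative annualized loss expectancy in dollars using the study's $202-per-record figure. The scoring scales, rating thresholds, control-effectiveness values, record count and annual rate of occurrence are constructed assumptions, as is the independence assumption used to combine controls.

```python
"""Toy risk register for the PII data-breach scenario.

Added example, not code from the article or the Ponemon study. The asset,
threat, vulnerability and control categories come from the article; the
scoring scales, thresholds, control-effectiveness values, record count and
annual rate of occurrence are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List

COST_PER_RECORD_USD = 202  # 2008 per-record cost quoted from the Ponemon study

# Qualitative scales (constructed): higher means worse.
IMPACT = {"low": 1, "medium": 2, "high": 4, "very high": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass
class Control:
    """A current mitigation: staff, technology or process."""
    name: str
    category: str         # "staff" | "technology" | "process"
    effectiveness: float  # 0.0 = no effect, 1.0 = fully prevents the threat (constructed)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: str               # key of IMPACT
    inherent_likelihood: str  # key of LIKELIHOOD, before controls are applied
    controls: List[Control] = field(default_factory=list)

    def control_gap(self) -> float:
        """Fraction of the inherent likelihood the controls leave uncovered.
        Controls are assumed independent, so the gap is the product of
        (1 - effectiveness) over all controls."""
        gap = 1.0
        for c in self.controls:
            gap *= 1.0 - c.effectiveness
        return round(gap, 3)

    def residual_score(self) -> float:
        """Qualitative score: impact x inherent likelihood x control gap (max 25)."""
        inherent = IMPACT[self.impact] * LIKELIHOOD[self.inherent_likelihood]
        return round(inherent * self.control_gap(), 3)

    def qualitative_rating(self) -> str:
        """Bucket the residual score into low/medium/high (thresholds constructed)."""
        score = self.residual_score()
        if score >= 8:
            return "high"
        if score >= 4:
            return "medium"
        return "low"

    def annualized_loss_expectancy(self, records_exposed: int, inherent_aro: float) -> float:
        """Quantitative view in dollars: single-loss expectancy (records x cost
        per record) times the annual rate of occurrence after controls."""
        sle = records_exposed * COST_PER_RECORD_USD
        return round(sle * inherent_aro * self.control_gap(), 2)


def pii_credential_theft(control_strength: str) -> Risk:
    """The article's scenario with the three control categories at a
    constructed 'weak' or 'strong' operational effectiveness."""
    eff = {"weak": (0.2, 0.2, 0.1), "strong": (0.4, 0.4, 0.3)}[control_strength]
    return Risk(
        asset="PII (personally identifiable information)",
        threat="Cybercriminals stealing account credentials, card records or medical histories",
        vulnerability="Targeted social engineering; malware exploiting .pdf/.doc vulnerabilities",
        impact="high",
        inherent_likelihood="likely",
        controls=[
            Control("security awareness training", "staff", eff[0]),
            Control("mail filtering and endpoint anti-malware", "technology", eff[1]),
            Control("patch management", "process", eff[2]),
        ],
    )


if __name__ == "__main__":
    # Constructed inputs: 100,000 records at risk, one expected incident every four years.
    for strength in ("weak", "strong"):
        r = pii_credential_theft(strength)
        print(f"{strength:6} controls: gap={r.control_gap()}, score={r.residual_score()}, "
              f"rating={r.qualitative_rating()}, "
              f"ALE=${r.annualized_loss_expectancy(100_000, 0.25):,.0f}")
```

The same scenario rates "high" with weak controls and "medium" with strong ones, which is the "medium to high depending upon the operational effectiveness of the controls" outcome stated above; the dollar figure is the number that resonates with management, and its sensitivity to the control gap shows where an investment in staff, technology or process buys the most reduction.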
Of course, all of this requires organizational commitment, not just from IT but the business units, operations and finance organization as well. However, given the rising costs of coping with data breaches, the growing sophistication of the attackers and the regulatory imperatives, it makes a great deal of sense to deploy both human and technical resources in the most effective and efficient manner possible.
While there will always be gullible people and con artists to take advantage of them, training and awareness work to minimize that risk.