145.5 million.
That’s the number of Americans whose data was exposed as a result of the Equifax breach announced in September of 2017. The number is staggering, and the company is facing intense scrutiny from the federal government and has opened itself up to state and local lawsuits.
While the Equifax breach caught all of our attention due to its size – and the likelihood that we were one of those with exposed information – it isn’t the scariest statistic regarding breaches. These large breaches receive extensive exposure in the media, but the truth is that many more breaches occur with fewer records compromised. Those incidents don’t make it to the nightly news or the headlines. But they occur far more frequently than the catastrophic breaches like Equifax, and no company is immune, regardless of size.
In a recent report by the Ponemon Institute, it was found that the global average for a breach was $141 per record. While there are a number of factors that go into that number, and the amount varies by region, one thing is clear – security breaches are an expensive issue that all companies must be ready for.
What’s Considered a Breach
For the 2017 Cost of Data Breach Study, Ponemon Institute interviewed 419 companies that had experienced breaches in the previous year. These incidents ranged from as few as 2,600 records to as many as 10,000 compromised records.
The study focused on incidents where one of the following was exposed – either an individual’s name, debit card, financial record, or medical record. This kind of information, known as Personally Identifiable Information (PII), gives hackers enough information to create system accounts, credit records, or worse in the case of medical records.
The study also identifies three main reasons these incidents occur. Human error and system glitches are two of the reasons, with the third – criminal or malicious attack – being the most prevalent and costly.
What is the Cost for an Enterprise
As noted, the study found that the per-record cost of an enterprise data breach is $141. That number reflects the average cost across global companies. But for American companies, the cost is greater.
The average cost for the U.S. was $225 per record, $84 more than the global average. On top of detection, remediation, and escalation costs, United States companies must follow strict, regulation-driven notification policies. Because of this, notifying those potentially affected by a breach made America’s costs the highest in this category.
The cost of a breach also depends on the industry of the organization. Public sector and research companies saw the lowest costs associated with an incident, with the associated costs being $71 and $101 per record, respectively. Healthcare and financial services, however, experienced costs almost double to triple that amount. The per-record amount for financial services averaged $245, while healthcare saw an average of $380.
All of this resulted in the estimated average of $3.6 million per incident.
Small Companies are Not Immune
To say that small businesses are not immune is an understatement. In fact, the damage done to a small business by a security breach can be devastating, even though the overall cost may seem smaller.
According to Security Magazine, the average cost of a data breach for a small business is $36,000 to $50,000. Compared to several million, this may seem trivial, but it has a far greater impact on a business that is less likely to be able to absorb these costs.
Recent years have seen an increase in attacks on smaller companies. These attacks increased to 31% last year, up significantly from 18% only two years before. That’s because more than 70% of attacks specifically target small businesses.
While it may seem like enterprises are a better mark for attacks, small businesses present an attractive, almost irresistible target for two reasons. First, these businesses are generally unaware of security threats. Second, these businesses have a greater exposure to threats, precisely because they are less aware. It creates a vicious cycle that is difficult to escape without help and training. Only 15% of small business owners say that they are “very knowledgeable” regarding persistent threats.
Costs are More Than Financial
The financial impacts of a breach are only part of the equation, for both enterprises and smaller companies.
Losing customers is the biggest concern for companies that have experienced a breach, and this loss of customers leads to an increase in the financial impact. The Ponemon 2017 study found that global companies that lost 4% of their customers from a breach could see the overall average cost of the incident increase to $5.1 million. American companies experienced the greatest blow from lost customers, as well.
For small companies, the effect of a breach can be disastrous. Recovery from an incident may be impossible. In fact, it’s estimated that 60% of small to medium businesses that are hacked go out of business within 6 months of the breach.
The costs of a security breach are enormous, regardless of organization size, and its effects can be devastating. Yet many companies, particularly small and medium businesses, don’t make security a priority, even with the devastating effect it can have. Understanding potential holes, addressing concerns, and proactively managing risks can mean the difference between a prosperous organization and one that is out of business.
How to Protect Your Company from a Data Breach
There is no single line of defense that will protect you from a breach. Rather, you need a number of layers of defense in place to keep your security practices up to par. However, here are a few of the things you should be doing to stay safe:
- Keep only the data that you need, especially data that is highly sensitive
- Destroy your data before disposal
- Use a number of technical security defenses
- Run all system patches and security updates
- Use two-factor authentication
- Encrypt data at rest
- Encrypt data in transit
- Use a web application firewall
- Run regular scans
- Use a remote logging server
- Do regular penetration testing and remediation
- Have a competent and security-minded IT team
- Have written security protocols
- Train your employees about security and risk evaluation
- Have an attorney that understands your areas of risk
- Have a cyber liability insurance policy
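The first two items on the list (keep only the data you need, and get rid of it when you no longer need it) are the cheapest controls to apply and the ones that most directly shrink the per-record cost of a breach, because a record you never stored cannot be exposed. The following Python script is an added example, not code from the original article; it shows one way to apply those items to a small customer record store: an allow-list of fields drops anything the workflow does not need, identifiers that are only ever used for matching (here an SSN) are replaced with an HMAC pseudonym so the raw value is never written to the database, and records older than a retention window are purged. The field names, the one-year retention period, the billing-workflow assumption and the sample records are all constructed for illustration.

```python
"""Added example (not from the original article): a minimal PII store that
applies three checklist items in code: keep only the fields you need,
pseudonymise identifiers you only need for matching, and purge records once
their retention window has passed. All names and records are constructed."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Fields this (assumed) billing workflow actually needs. Anything else in an
# intake record is dropped before storage, so it can never leak from here.
ALLOWED_FIELDS = {"customer_id", "email", "ssn", "collected_at"}

# Identifiers that are needed only to match records, never to be read back.
# They are stored as keyed hashes so a stolen database does not contain them.
PSEUDONYMISE_FIELDS = {"ssn"}

RETENTION = timedelta(days=365)  # assumption: one-year retention policy


class PiiStore:
    def __init__(self, pseudonym_key: bytes):
        # The key must live outside the database (secrets manager or HSM);
        # here it is simply passed in by the caller.
        self._key = pseudonym_key
        self._records: dict[str, dict] = {}

    def _pseudonym(self, value: str) -> str:
        # HMAC-SHA256: deterministic, so the same SSN always maps to the same
        # token for matching, but without the key an attacker cannot simply
        # hash the 9-digit SSN space offline to reverse the tokens.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def minimise(self, raw: dict) -> dict:
        """Drop fields outside the allow-list and pseudonymise identifiers."""
        record = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
        for field in [f for f in PSEUDONYMISE_FIELDS if f in record]:
            record[field] = self._pseudonym(record[field])
        return record

    def store(self, raw: dict) -> dict:
        record = self.minimise(raw)
        self._records[record["customer_id"]] = record
        return record

    def find_by_ssn(self, ssn: str) -> list[str]:
        """Match on the pseudonym; the raw SSN is never compared or stored."""
        token = self._pseudonym(ssn)
        return [cid for cid, r in self._records.items() if r.get("ssn") == token]

    def purge_expired(self, now: datetime) -> list[str]:
        """Delete every record collected before the retention cutoff."""
        cutoff = now - RETENTION
        expired = [cid for cid, r in self._records.items()
                   if r["collected_at"] < cutoff]
        for cid in expired:
            del self._records[cid]
        return expired

    def __len__(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Run the store over two constructed intake records and report results."""
    key = secrets.token_bytes(32)  # assumption: fetched from a secrets manager
    store = PiiStore(key)
    now = datetime(2018, 1, 15, tzinfo=timezone.utc)
    # Constructed sample records: the first carries a field the workflow does
    # not need; the second is older than the retention window.
    stored = store.store({"customer_id": "c1", "email": "a@example.com",
                          "ssn": "123-45-6789", "mother_maiden_name": "Smith",
                          "collected_at": now - timedelta(days=30)})
    store.store({"customer_id": "c2", "email": "b@example.com",
                 "ssn": "987-65-4321",
                 "collected_at": now - timedelta(days=400)})
    matches = store.find_by_ssn("123-45-6789")
    purged = store.purge_expired(now)
    return {"stored": stored, "matches": matches,
            "purged": purged, "remaining": len(store)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pseudonym is deterministic on purpose: the business still needs to answer "have we seen this SSN before?", and a keyed hash supports that without keeping the value itself. If a workflow genuinely needs to read the identifier back, that field belongs under the "encrypt data at rest" item instead, with the key held outside the database just as here.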
These points listed above are the high-level essential items that you should be keeping in mind for your organization so that you do not suffer a major data security event. It’s important to know, however, that not every organization is the same, and each case should be handled differently based on the type of data you’re storing, what you’re doing with it, and where the potential exposure points are. If you’d like a professional evaluation of your security posture, don’t hesitate to give us a call for a free initial consultation.