December 20, 2016
Every year, $400 billion goes down the drain. That’s how much global businesses lose because of cyber security incidents, according to estimates from the insurance company Lloyd’s. Don’t pick your jaw up off the floor yet, because Juniper Research estimates that the cost of data breaches will be up to $2.1 trillion by 2019. If cyber threats were registering as a tiny blip on your radar, you now need to think of that tiny blip as a warplane carrying nukes. Without the right systems and policy to combat cyber crime, your business could face critical damage or even a complete downfall.
Heartland Payment Systems understands the ramifications of a poor security program all too well. In 2009 it was made public that more than 100 million credit cards and 650 different financial institutions had been compromised due to a data breach. It is estimated that the total cost of the incident was over $200 million, including the fines, compensation for fraud, and lost income. Six years later they suffered another newsworthy breach.
In 2013, retail giant Target proved that its security systems were far from adequate. A Bloomberg report indicates that over 40 million credit card numbers were stolen, as well as 70 million names, addresses, and phone numbers. Between settlements with the banks and a federal class action lawsuit, it ended up costing the company a total of $116 million.
Yahoo! had a similar breach in 2014, however it was only revealed this September. Information from over 500 million accounts is believed to have been stolen. To put this into perspective, the US Population is ~324 million people. This hack could wind up costing Yahoo! around $4.8 billion as they are being acquired by Verizon.
These are just some of the biggest attacks in recent years, but small- and medium-sized businesses are just as vulnerable. Because they have fewer resources than their enterprise counterparts, it is more difficult for them to adequately manage their cyber risk profile. While the targets on their backs might not be as large as the big businesses, their ease of access is often too appealing to hackers. Not only are attacks on smaller businesses a regular occurrence, but they can be just as devastating.
Ponemon’s 2016 Data Breach Study provided a lot of great quantitative information about breaches. Want to save your bottom-line if you encounter a breach down the road? Consider these cost drivers:
Savings: $16 per capita.
Having an incident response team was shown to be the most influential factor in reducing the costs of a data breach. On a per capita basis, it reduced the costs of a breach by $16. An incident response team is a group of internal and external personnel who are trained and prepared in responding to various scenarios. Incident response teams normally include experts with a broad range of skills, including IT and security, legal, computer forensic analysts, and crisis management firms.
Savings: $13 per capita.
It is mind-blowing to see how many companies still keep their critical data unsecured. Having your data properly encrypted means that it is less likely to be usable, even if it is stolen in a breach.
Savings: $9 per capita.
Business continuity is all about keeping your business running, even if you’re under siege. If you haven’t thought about the risks and vulnerabilities facing your business, how can you have confidence in your ability to recover from them?
Savings: $9 per capita.
With proper training programs in place, you can reduce the chance of your employees being exploited via phishing scams or other social engineering attacks. Knowledge is power and this is definitely true when it comes to protecting your business.
Savings: $7 per capita.
CISOs are high level executives responsible for ensuring that the security perimeter of your organization’s information systems don’t get overlooked. These systems are core to keeping your business running so why not give them the attention they need?
Savings: $6 per capita.
Companies must consider security and other technical developments at the board level. Because data breaches can potentially cripple a business, it is important for them to be analyzed in the boardroom.
Savings: $5 per capita.
Cyber Liability Insurance Cover (CLIC) has only been around for about ten years, so many people either don’t know about it or have a poor understanding of it. Even with the best systems, personnel, and infrastructure, it is impossible to completely protect yourself from all cyber threats. CLIC is a risk mitigation strategy that gives business the cash injection to ride out any disastrous cyber incidents.
Cyber insurance covers a wide range of different scenarios. One of the most important is for data breaches and privacy management. 46 states have mandatory breach notification laws, which means that if there is a breach, the company must notify those who are affected by it. Because this is incredibly expensive, it is one of the main drivers for businesses to acquire a policy. Another common type of coverage is for multimedia and other media liabilities. This can include payouts for intellectual property rights infringement or website defacement. There is also coverage for extortion and costs related to network security, such as DDoS attacks. Although there might be some overlap between CLIC and traditional insurance policies, CLIC ensures that your cyber risk profile is being managed properly.
To get the best CLIC for your business, it is best to work closely with the insurer to understand exactly what is being covered by the policy. You need to know what risks your company faces and how they will be covered when incidents occur. Would partners or third-party providers be protected by the policy as well? Businesses can also get a discounted premium by implementing the right security policy and controls. Following best practice guidelines, complying to relevant standards, and having good monitoring processes can all lead to lower insurance costs.
The right CLIC can be the difference between a minor hiccup and insolvency when things go awry.
Cost: $5 per capita.
Engaging outside consultants following a breach increases costs. Not being prepared when a breach occurs often requires outside teams to assess the extent of the damage. Keep in mind that this cost is an average cost and can be much higher depending on the type of breach you suffer.
Cost: $5 per capita.
These devices not only need to be replaced, but they may contain additional data that can contribute to the breach.
Cost: $6 per capita.
Although a quick response is critical, it is important for a business to take the time to form a well-thought-out strategy before they proceed with notifications.
Cost: $14 per capita.
The added complexity of other entities can make a breach and its fallout more difficult to manage.
According to the Ponemon Data Breach study, that was the average, which includes $143 of indirect costs. This is up from $138 in 2006. The average differed by industry, with the health, pharmaceutical, financial, and energy industries facing the greatest impacts of a breach. Customer churn and its costs also depended on the industry. Finance is particularly susceptible with a 6.2% churn rate following a breach. This is understandable—who wants to stay with a bank after their records have been compromised?
Lets just say that things are looking bleak. According to IDC Health Insights, one in three healthcare recipients will be the victim of a data breach this year. This increase is partially caused by additional security measures on credit cards (chips, pin codes), which has made them less valuable to cyber criminals.
As the Internet of Things (IoT) begins to take over our world, it brings with it a range of serious implications. Many of these devices aren’t very secure and expose us to more vulnerabilities. The watercooler of the future might have a lot more gossip to share than anyone thought possible.
Some things never change, and people are still the weakest link when it comes to our online security. The 2015 Anthem breach was caused by a phishing scam, and many of the other biggest breaches have been because of human failure. Perhaps it’s time to get back to basics: education. Just having secure systems does not guarantee that an incident will not occur (it’s a great start though). Security is everyone’s responsibility.