When will your data breach happen? Not a question of if but when
Information security breaches are a growing threat to businesses of every type, and no organization is safe. While information security risks have been around for a long time (several Civil War battles were decided by intelligence obtained by the enemy), today they bring challenging complexities and costly ramifications for businesses.
U.S. data breaches in 2014 cost an average of $5.85 million per breach.[1] The average cost per compromised record was $201.[2] Attackers continue to find new ways to infiltrate web sites and networks, and hacking toolkits, along with the hardware and software infrastructure needed to use them, are available for sale or rent via the Internet.
Employees have ready access to company information and are often ignorant about how to detect and prevent breaches because of a general lack of training. That means a cyber-attack at your company is no longer a question of if, but when.
Anthem Insurance, Sony, JPMorgan Chase, Target and Home Depot are some of the bigger names that have recently been in the headlines because of cyber-attacks, but countless small and medium-sized businesses are suffering the very same kinds of breaches, just on a smaller scale.
The Target breach led to the resignations of both the Chief Information Officer and the Chief Executive Officer. In addition, the credit card issuers that ended up footing the bill as a result of the breach are attempting to bring a class action lawsuit against Target in order to recoup some of their losses. Similarly, former employees and business partners of Sony that had personal information exposed in that breach have also brought a class action suit against the company.
The Disappearing Perimeter
It is clear from the year-over-year statistics on data breaches that the collective efforts of information security teams have done little to stem the tide. Companies continue to increase their budgets for more and better security technology, and yet breaches continue to occur more frequently and with greater impact.
The primary methods for protecting information are based on securing an organization’s perimeter. Things like firewalls, intrusion detection systems (IDS), multi-factor authentication and virtual private networks (VPN) are all based on keeping the cyber attackers out. As information technology evolves, the perimeter of an organization’s infrastructure continues to fade as a result of ever-increasing connectivity between customers, suppliers, and service providers. Add mobile devices (tablets, phones, etc.), teleworking and cloud computing to the mix and it is nearly impossible to define where the “perimeter” is.
The problem with relying primarily on traditional perimeter security is that many of the recent high-profile breaches were not the result of failed perimeter defenses. Rather, the attackers used compromised credentials (user IDs and passwords) belonging to authorized users. Once inside, they methodically explored and exploited internal systems, which are generally far less well protected, until they gained access to the information they were seeking.
Former Websense CSO Jason Clark recently stated that 80 percent of security spend goes to firewalls, IDS and anti-virus solutions, despite those tools being effective against only 30 percent of threats.
The sooner we recognize that our tried and true security techniques are failing us, the sooner we can take a fresh look at preparing for the inevitable. A shift in focus from “if” we have a breach, to “when” we have a breach will pay dividends as a result of better planning and preparation.
Preparing for a Data Security Breach
Studies show that the appointment of a Chief Information Security Officer and involvement of business continuity management in the incident response process decreased the costs of breaches per compromised record by $10 and $13, respectively.
However, the most significant cost reductions for organizations came from having a strong security posture, which reduced the average cost of a data breach by $21 per compromised record, and from having an incident response plan, which shrank the cost by $17 per compromised record. These findings emphasize the importance of being prepared for a data security breach.
The starting point in planning for cyber-attacks is having an incident response plan (IRP) in place to ensure appropriate action if security is breached. An effective IRP will address preventative controls, timely detection of potential problems and rapid response to data security breaches. The key components of a well-defined IRP include:
- Incident Response Team – Select individuals from the departments that will be involved when a data security breach occurs, such as Executive Management, Information Technology, Human Resources, Public Relations, Legal, and Operations. Identify the role each Incident Response Team member will play and ensure each has the authority to act on it.
- Data Classification – The organization’s incident response strategy takes into account the type of data compromised by the breach in determining its response efforts and activities. Categorize data so employees know how to handle various types of information. Levels can include “public/non-classified,” “internal use only” and “confidential.” Then, focus on protecting the most confidential data.
- Communication Plan – A comprehensive communication plan involves more than maintaining a current contact list of Incident Response Team members, system support personnel and external service providers. The organization should also decide in advance what message it wants to convey, and to whom it will communicate internally and externally, after a security breach. Include an alternative procedure for when the normal notification process is unavailable.
- Training – Incident preparedness training ensures that all company personnel are ready to handle data breaches before they occur. Incident Response Team members should be well versed in how to appropriately evaluate, respond and manage security incidents. Even if not directly involved in the incident management process, all staff should understand the company’s overall breach response plan so that their actions support, not hinder, breach response efforts.
- Testing – The IRP should be thoroughly and continuously tested in advance of an actual data breach to help identify process gaps and provide assurance that the plan will be effective in responding to incidents.
The Human Element
Without a doubt, employees are the weakest link in the security chain. While businesses have done an excellent job in the last decade of improving the process and technology aspects of IT security, they’ve fallen short in training their own employees to defend and protect their company information.
The curious and fallible nature of humans demands that companies train their employees on these matters and regularly reinforce that training. This is an area companies cannot afford to overlook. “Bring Your Own Device” (BYOD) complicates matters, as employees create new risk by accessing company data from their own devices, including laptops, smartphones and tablets. Employees must be motivated to think about and understand the security risks and consequences of their actions.
One Step Ahead
It is critical that an organization be aware of the new risks and new ways to address them, allocating time regularly to exploring new threats and new controls.
Even with all the proper precautions in place, data breaches will continue to happen. We will always be vulnerable, but how we prepare can help ease the pain when an attack hits. Preventative measures will minimize disruption to customers, operations and productivity, and aggressively managing through the security breach will yield a much more desirable outcome.
[1] 2014 Cost of Data Breach Study: United States, Ponemon Institute LLC
[2] Ibid.
About the Author:
David Barton is a Managing Director at UHY Advisors, and leads the Internal Audit, Risk and Compliance practice. He is an expert in information security and technology risk and controls. Reach him at [email protected] and follow him on Twitter at @ITcontrolsfreak.