Every year for the past 5 years has been referred to as “the year of the breach”. Since 2013, 5.9 billion records have been lost or stolen – that’s the equivalent of 3.9 million per day. As a result, network data security has emerged kicking and screaming from the IT closet and demanded a seat at the boardroom table.
It seems little has been learned in the way of lessons in the intervening years. 2016 saw another long list of high-profile breaches, including the largest-ever breach at Yahoo, where a reported 1 billion records were compromised.
Other major breaches that came to light in 2016 include Anthem (the second largest healthcare insurer in the US), Netflix, Friend Finder and MySpace; plus an increasing number of government breaches – from the Turkish Citizenship Database, the Syrian Government and the Serbian Privatisation Agency to the alleged Russian hacking of the Clinton Campaign.
The healthcare industry has been a big target of attackers in recent years, and that did not change in the first half of 2016. Healthcare led all industries in data breaches, accounting for more than one quarter (27%) of the total. This was up 25% from the 211 breaches recorded during the previous six-month period. The attacks against these organisations involved 30 million data records, or 5.4% of the total.**
A data breach is inevitable
“There are two types of organisations. Those who have suffered a breach and those who are going to suffer a breach”*. Rarely were truer words spoken. Why do we seem unable to hold onto our data? What are the causes of these breaches and how do we measure the true cost to the organisation?
In its 2016 Cost of Data Breach Report, the Ponemon Institute claims more than half of all data breaches are now the result of malicious or criminal activity – as opposed to systems failure or good, old-fashioned human error. (We look back fondly on the time when your typical data breach was because some civil servant found themselves “over-refreshed” and left their laptop on the last train home.)
The end of innocence
Historically, senior executives may have been guilty of underestimating the cost of data loss, seeing it as an inconvenience rather than a business-critical issue. However, mandatory breach notifications, interruption to business operations and spiralling costs have made everyone sit up and pay attention.
Quantifying this sort of thing can be difficult, as a breach is not always identified at the point of ingress. Sometimes the breach only becomes apparent when the lost or stolen data is exploited. Worryingly, it takes more than 6 months on average for a breach to be identified and contained.
The Ponemon study was based on 350 enterprise businesses across 11 countries and identifies a 29% increase in the average cost of a data breach since 2013. The average cost of a breach now stands at US$4 million, or $138 per lost or stolen record. For some industries, the sensitive nature of the data transmitted across their networks puts this figure even higher. The healthcare industry tops the table with a cost per record of over US$340.
The true cost of a breach
The costs incurred by a data breach are not always immediately apparent. Direct and indirect costs can be incurred for years after the initial breach – Target incurred more than $160 million in costs, was hit with a multi-million dollar class-action lawsuit, closed hundreds of stores and laid off almost 20,000 employees worldwide.
The costs associated with a breach can be categorised as follows:
• Investigation
• Notification
• Remediation
• Compensation
Taken as a timeline of costs, investigation often involves a forensic analysis of processes and systems to identify how the records were lost, what was lost and how many records were affected. Notification costs, mandatory or otherwise, are a relatively insignificant contributor to the overall costs. Remediation (paying for a new bolt on the stable door) and compensation costs can run to tens of millions.
$100 million may sound like a lot of money. However, when you put it into context for organisations the size of Anthem, it represents a very small drop in a very large ocean. $100 million is approximately 0.01% of Anthem’s annual revenues. The longer term, hidden costs of a breach often come in the form of an impact on future revenues resulting from a loss of trust and damage to “the brand”.
Whilst the time taken to restore the reputation of some big businesses could be significant, most will ride out the storm. However, it’s worth remembering that the big loss stories that make the news are not typical of most breaches (http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/). The average number of records lost is between 10,000 and 100,000. For smaller organisations, this may prove fatal as the cost of customer acquisition rises, goodwill is reduced and reputation is left in tatters.
As legislation begins to catch up with the new cyber-landscape, we will see a significant increase in financial and compliance penalties resulting from breaches of increasingly strict regulations. This is a topic we explore in our article: Cyber security regulations – act now or pay the price.
The age of encryption
If we’ve learnt one thing from the past couple of years, it’s that data breaches are inevitable. If you can’t secure the network, secure the breach. The only way to ensure that your data is secure as it travels across the network is to utilise encryption. By encrypting your data in motion, it is rendered useless if it falls into unauthorised hands.
It is important to note that encryption does not need to come at the expense of network availability and performance. The Senetas range of encryptors provides a scalable solution, suitable for networks of all types – from point-to-point to fully meshed, multipoint network infrastructures.
Our core products operate from 10Mbps to 100Gbps and support Ethernet, Fibre Channel, SONET/SDH and LINK protocols. These high-performance devices use AES 256-bit encryption and operate in full-duplex mode at full line speed with no packet loss.
Not all encryption is created equal. Senetas is the only organisation, globally, whose encryption products are multi-certified against Common Criteria, FIPS and NATO security standards.
*The United States Federal Bureau of Investigation, Director Robert Mueller
**Gemalto Breach Index 2016