We Should Still Care About Data Breaches

13 Jun 2019
It seems as if every day the news reports another data breach. According to research published by IBM, an organization has a 27 percent risk of suffering a breach of at least 1,000 records. There have been so many thousands of data breaches in the past couple of years that they now look commonplace.
 
“According to the Privacy Rights Clearinghouse, there have been 9,033 data breaches made public since 2005—and those are just breaches that were reported in the U.S. or impacted U.S. consumers. Spread out over the last 14 years, that averages out to about 1.77 breaches daily. All told, there were not less than 11.6 billion records lost in those breaches.”
 
Many experts today believe that consumers are now suffering from 'data breach fatigue.' Instead of being outraged, consumers feel either despondent or apathetic, typically choosing not to mention a breach to their friends or family. If pressed, most consumers will say that they care; however, a newly released study by the Ponemon Institute found that 32 percent of data breach victims took no action to secure their data after a breach, and 55 percent took no action to guard against identity theft. It’s obvious that our actions do not match our words when it comes to data breaches.
 
Given the relative apathy of consumers and the likelihood that all organizations will gradually become the victim of a breach, it’s inevitable that businesses will choose not to dedicate an adequate amount of resources toward their cybersecurity programs. However, becoming the victim of a cybersecurity incident often results in the company having to pay substantial direct and indirect costs.
 
Costs to Consumers and Businesses
 
The cost of a significant data breach in the United States is astonishing. According to the research published by IBM, the average cost of a breached record for a U.S. company was an incredible $233, and the average total cost of a data breach in the United States was about $8 million. These costs were demonstrated to an extraordinary degree in the 2017 Equifax breach of approximately 143 million records. Since that time, reports indicate that Equifax has paid a total of $439 million in costs, which include security upgrades, credit monitoring services, legal fees, as well as fines and settlements from scores of lawsuits.
 
Not only do organizations pay an exorbitant amount in direct costs as the result of a breach; cybersecurity incidents can also affect an organization’s bottom line through indirect costs. Before it was revealed that Yahoo! suffered a mega-breach of approximately 500 million accounts in 2013 and 2014, Yahoo! was set to be purchased by Verizon for about $4.8 billion. After the breach, Verizon purchased Yahoo! for approximately $4.48 billion. This breach, which did not include sensitive information such as payment card or bank information, cost Yahoo! $350 million. Even worse, this amount did not include expenses related to legal fees, fines, breach notifications, and various corrective actions. Given the astronomical costs of a data breach, it’s important to discuss some quick action items that companies can take to help them guard against such incidents.
 
Effective Strategies for Preventing Breaches
 
How do you defend your customers’ information? While the answer is always going to be “adopt a best-practices information security program such as what is stated in the NIST 800-53 framework,” there are some immediate action items that can be started to decrease the risk of being the victim of a material breach.
 
First, nearly 25 percent of data breaches are the result of well-meaning employee mistakes such as falling for a phishing scheme or inadvertently disclosing sensitive data. To guard against these mistakes, organizations should provide basic security awareness training to information system users, including managers, senior executives, and contractors, as part of initial onboarding training. Companies will need to provide this training within 60 days of onboarding. The organization’s workforce members should also be provided with refresher training on an annual basis.
 
Second, organizations should be certain that their patching practices are up to speed. Within the past couple of years, reports have demonstrated that substandard patching of information systems has been one of several causes of data breaches. For new systems, the organization should ensure that the latest patches are installed so that those systems conform to the organization’s hardened system configuration. For systems that are considered critical, organizations should apply each patch within one month of that patch’s release.
 
Lastly, it is vital to know who is doing what within the information system. Companies should ensure that an audit logging mechanism is running on the information system and that the mechanism cannot be disabled by users. This audit logging solution should log, among other things, all user access to the sensitive information environment as well as invalid access attempts. The logging mechanism should identify the user and record the type of event that was performed, as well as identify the affected data, component or resource. Logs must be reviewed regularly, and when suspicious activity is found, the organization should address the incident according to the organization’s incident response policy. Many incidents go on for months or years as a result of administrators not actively monitoring the system activity on a daily basis. By monitoring the system activity, companies can greatly lessen the severity of the incident should it occur.
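
The review described above can be partly automated. The following is an added example, not part of the original article: it checks that each audit record identifies the user, the event type and the affected resource, and flags repeated invalid access attempts and long periods with no log entries. The JSON field names, the thresholds and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit trail (JSON lines). Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2019-06-10T08:00:05", "user": "alice", "event": "read", "resource": "customers.db", "outcome": "success"}
{"ts": "2019-06-10T08:01:10", "user": "mallory", "event": "login", "resource": "customers.db", "outcome": "denied"}
{"ts": "2019-06-10T08:01:40", "user": "mallory", "event": "login", "resource": "customers.db", "outcome": "denied"}
{"ts": "2019-06-10T08:02:15", "user": "mallory", "event": "login", "resource": "customers.db", "outcome": "denied"}
{"ts": "2019-06-10T08:03:00", "user": "", "event": "export", "resource": "customers.db", "outcome": "success"}
{"ts": "2019-06-10T11:30:00", "user": "bob", "event": "read", "resource": "customers.db", "outcome": "success"}
"""
REQUIRED = ("ts", "user", "event", "resource", "outcome")

def review(log_text, max_denied=3, window=timedelta(minutes=5),
           max_silence=timedelta(hours=1)):
    """Return findings a reviewer should follow up on (thresholds are assumptions)."""
    findings, records = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = dict(json.loads(line))
            # A record that cannot name the user, event or resource is weak evidence.
            missing = tuple(f for f in REQUIRED if not rec.get(f))
            if not missing:
                rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, TypeError):
            findings.append(("malformed", lineno))
            continue
        if missing:
            findings.append(("incomplete", lineno, missing))
            continue
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    # A long silence may mean logging was stopped, so it is reported for review.
    for prev, cur in zip(records, records[1:]):
        if cur["ts"] - prev["ts"] > max_silence:
            findings.append(("silence", prev["ts"].isoformat(), cur["ts"].isoformat()))
    # Repeated invalid access attempts by one user inside a sliding window.
    recent, flagged = {}, set()
    for rec in records:
        if rec["outcome"] != "denied":
            continue
        times = [t for t in recent.get(rec["user"], []) if rec["ts"] - t <= window]
        times.append(rec["ts"])
        recent[rec["user"]] = times
        if len(times) >= max_denied and rec["user"] not in flagged:
            flagged.add(rec["user"])
            findings.append(("repeated_denied", rec["user"], rec["resource"]))
    return findings
```

Each finding is a starting point for the incident response process, not a verdict: a quiet period on a lightly used system can be normal, which is why the silence threshold should be tuned per system.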
 
While cybersecurity incidents are actually commonplace in today’s information security landscape, the costs incurred by companies that have been breached have demonstrated the need for continued cybersecurity vigilance. By training their workforce, patching their systems, and monitoring the activity that takes place on the information system, companies can help to eliminate the risk of an incident as well as lessen the severity should one occur.
 
This article was originally posted on tronserve.com
