According to the Ponemon Institute’s latest Cost of a Data Breach Study (sponsored by IBM Security), the average cost of a data breach has risen 6.4 percent. Given today’s security threat landscape, it seems likely these costs will continue to rise.
Thankfully, the data also provides several clues as to how an organization can lower its overall costs. Some of these are clearly stated in the report. Others require a little bit of reading between the lines. We combed through Ponemon’s findings and guidance to pull out eight concrete ways to lower the cost of a data breach.
1 Prevent a breach from happening
Ponemon’s focus is largely on the cost of remediation, but clearly, the best way to reduce the cost of a breach is to prevent it in the first place. For many organizations, staff turnover can create gaps in IT security coverage.
So can M&A activity in which an organization inherits unfamiliar systems, such as when a “Microsoft shop” acquires an organization whose infrastructure is based on IBM Power Systems. (Actually, unfamiliar systems can be an issue even for organizations using the same platform.) If you don’t have the in-house staff you need to cover IT security effectively, a qualified managed service provider can help.
2 Protect your devices
Among study respondents, the extensive use of IoT devices increased the cost of remediation by $5 per record. The data doesn’t make clear why remediation costs more when there are devices involved. It’s likely that a wide array of endpoint types (e.g., laptops, tablets, smartphones, etc.) makes it harder to track down the cause of the breach and resolve the issue.
Whatever the cause, mobile devices can increase a company’s security risks, but following several best practices can help lessen your exposure. Passwords are one key weakness. It’s not just that people use the same password for multiple devices. Many of the devices connected to the Industrial Internet of Things (IIoT) are still using the factory-set passwords. In recent years, at least one major cyberattack (Mirai) made use of that fact.
3 Encrypt your data
Interestingly, the encryption of data also reduced the cost of remediation by $13 per record. Again, it’s unclear why, but we can speculate that although the encrypted data was stolen, the encryption made it less likely that the data thieves actually gained access to usable or sellable records. This, in turn, could lower abnormal churn (loss of customers after a breach) due to loss of customer trust.
Ponemon’s calculation of remediation costs includes legal expenses, but it’s not clear whether it includes the cost of fines for non-compliance with regulations such as HIPAA or PCI DSS. It’s likely the study factors in those fines to the extent that respondents include them, but either way, these costs can be substantial. By encrypting data on devices, in your data center, and in transit, you’re demonstrating a good faith effort to protect it. Many regulatory enforcement agencies take that into account when assessing fines.
4 Secure your data during a cloud migration
Your systems and data can be particularly vulnerable during a migration to the cloud. Cyberthieves know that your IT department has its hands full and that its guard may be down. Organizations undergoing a major cloud migration at the time of a breach can see costs rise, sometimes by as much as $12 per record lost or stolen. Another reason could be that the general chaos surrounding an improperly planned or managed migration leads to slower and less effective remediation. Proper migration planning is a must.
5 Choose your business partners wisely
Ponemon found that when a third party caused the data breach, remediation costs increased by more than $13 per record. This rise in costs could be caused by a number of factors, but no doubt it increases legal fees. Organizations that need to comply with HIPAA know the importance of vetting their business associates (it’s required by the regulation). Other businesses might do well to follow their example.
6 Create a response plan ahead of time
Organizations that had an incident response (IR) team saw per-record costs $14 lower than average. The study also notes that “the rush to notify victims without understanding the scope of the breach, compliance failures, and the engagement of consultants to assist in the remediation of a data breach all increase post data breach costs.”
The faster your organization responds to a breach, the less it looks like you’re trying to cover it up. However, missteps are easy when you’re trying to get ahead of negative publicity. Planning your response ahead of time and establishing a core IR team can help you respond quickly and effectively.
7 Use the opportunity to build trust
Your pre-breach planning should include how you will preserve – and even build – customer trust. Abnormal customer churn is a real issue for many businesses. In Ponemon’s study, the global average churn rate for the combined sample was 3.4 percent. The US had a slightly higher churn rate at 3.6 percent. However, abnormal churn was a particular problem in several industries where customer relationships are built on trust, such as healthcare (6.7 percent) and financial services (6.1 percent).
While these percentages may seem small, they are significant. Companies that kept abnormal churn below 1 percent were able to save as much as $2.2 million as compared to those with abnormal churn rates above 4 percent. One way they did this was by offering data breach victims identity protection services, a practice that has just about become standard these days.
8 Identify and contain the breach quickly
Ponemon looked at two metrics: Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC). The implications of each of these should be fairly obvious. The faster you can identify and contain a breach, the fewer records are likely to be compromised. Also, identifying and containing a breach quickly can go a long way toward building customer trust in your data protection efforts.
This year’s study found an MTTI of 197 days and an MTTC of 69 days. Shortening both of these saves remediation costs. Companies that were able to identify a breach in less than 100 days saved significantly, more than $1 million in remediation costs, compared with those that took more than 100 days to identify a breach. Companies that were able to contain the breach within 30 days of identification also saved more than $1 million as compared to those who took longer.
Connectria would like to thank Ponemon and IBM Security for continuing to sponsor this study year after year and for the permission to leverage their data as we work with customers to help them secure their data and systems.