According to the Ponemon Institute’s latest Cost of a Data Breach Study (sponsored by IBM Security), the average cost of a data breach has risen 6.4% over the previous year’s study. Given today’s threat landscape, those costs seem likely to keep rising.
Thankfully, the data also provides several clues as to how an organization can lower its overall costs. Some of these are clearly stated in the report. Others require a little bit of reading between the lines. We combed through Ponemon’s findings and guidance to pull out eight concrete ways to lower the cost of a data breach.
1/ Prevent a breach from happening. Ponemon’s focus is largely on the cost of remediation, but the best way to reduce the cost of a breach is, clearly, to prevent it in the first place. For many organizations, staff turnover creates gaps in IT security coverage.
So can M&A activity in which an organization inherits unfamiliar systems, such as when a “Microsoft shop” acquires an organization whose infrastructure is based on IBM Power Systems. (Actually, unfamiliar systems can be an issue even for organizations using the same platform.) If you don’t have the in-house staff you need to cover IT security effectively, a qualified managed service provider can help.
2/ Protect your devices. Among study respondents, extensive use of IoT devices increased the cost of remediation by $5 per record. The data doesn’t make clear why remediation costs more when such devices are involved. It’s likely, though, that a wide array of endpoint types (laptops, tablets, smartphones, intelligent machines, and so on) makes it harder to track down the cause of the breach and resolve it.
Whatever the cause, connected and mobile devices can increase a company’s security risks, but following a few best practices can lessen your exposure. Passwords are one key weakness. It’s not just that people use the same password on multiple devices. Many devices connected to the IIoT (Industrial Internet of Things) are still running with their factory-set passwords. In recent years, at least one major cyberattack made use of that fact: the Mirai botnet took over internet-exposed cameras, DVRs and routers by logging in over Telnet with a short list of well-known default credentials, then used them for record-setting DDoS attacks. Changing default credentials before a device goes on the network, and keeping an inventory that lets you verify this later, closes that door.
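One way to turn that last sentence into a routine check is to audit the device inventory for two things at once: credentials that match the vendor’s factory defaults for that model, and passwords shared across devices. The script below is an added example, not code from the Ponemon report or from the original post; the vendors, models, default credentials and inventory rows are constructed sample data (Acme, Globex and their products are hypothetical), and a real audit would load the inventory from an asset database and the defaults from the vendors’ own documentation.

```python
"""Audit an IIoT device inventory for factory-default and reused passwords.

Added example, not code from the Ponemon report or from the original post.
The vendors, models, default credentials and inventory rows are constructed
sample data; a real audit would load the inventory from an asset database
and the defaults from the vendors' own documentation.
"""
import hashlib
from collections import defaultdict


def pw_fingerprint(password: str) -> str:
    """Unsalted SHA-256 of the password.

    Unsalted on purpose: the same password must yield the same fingerprint on
    every device so reuse can be detected. That also means the fingerprint
    file lets anyone brute-force weak passwords, so protect it like a secret.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed: factory defaults per (vendor, model) as (username, password).
# Hypothetical products, not real ones.
FACTORY_DEFAULTS = {
    ("Acme", "PLC-100"): {("admin", "admin"), ("admin", "1234")},
    ("Acme", "HMI-7"): {("root", "root")},
    ("Globex", "Cam-2"): {("admin", "")},  # blank password out of the box
}

# Same table with passwords replaced by fingerprints, so the comparison
# step never needs the plaintext defaults.
DEFAULT_FPS = {
    key: {(user, pw_fingerprint(pw)) for user, pw in pairs}
    for key, pairs in FACTORY_DEFAULTS.items()
}

# Constructed inventory: username kept in clear, password only as a fingerprint.
INVENTORY = [
    {"id": "plc-01", "vendor": "Acme", "model": "PLC-100", "user": "admin", "pw_fp": pw_fingerprint("admin")},
    {"id": "plc-02", "vendor": "Acme", "model": "PLC-100", "user": "admin", "pw_fp": pw_fingerprint("Tq7!vK2p")},
    {"id": "hmi-01", "vendor": "Acme", "model": "HMI-7", "user": "root", "pw_fp": pw_fingerprint("root")},
    {"id": "cam-01", "vendor": "Globex", "model": "Cam-2", "user": "admin", "pw_fp": pw_fingerprint("")},
    {"id": "cam-02", "vendor": "Globex", "model": "Cam-2", "user": "ops", "pw_fp": pw_fingerprint("Tq7!vK2p")},
    {"id": "cam-03", "vendor": "Globex", "model": "Cam-2", "user": "ops", "pw_fp": pw_fingerprint("Tq7!vK2p")},
]


def find_factory_defaults(inventory, defaults=DEFAULT_FPS):
    """Return sorted ids of devices whose (user, password) is a known default for their model."""
    hits = []
    for dev in inventory:
        known = defaults.get((dev["vendor"], dev["model"]), set())
        if (dev["user"], dev["pw_fp"]) in known:
            hits.append(dev["id"])
    return sorted(hits)


def find_reused_passwords(inventory, min_devices=2):
    """Return {fingerprint: sorted ids} for passwords shared by at least min_devices devices.

    Grouping is by password alone, so reuse across different usernames and
    across vendors is caught as well.
    """
    groups = defaultdict(list)
    for dev in inventory:
        groups[dev["pw_fp"]].append(dev["id"])
    return {fp: sorted(ids) for fp, ids in groups.items() if len(ids) >= min_devices}


def audit(inventory):
    """Combine both checks into one report, as a scheduled asset-management job might."""
    return {
        "factory_default": find_factory_defaults(inventory),
        "reused": find_reused_passwords(inventory),
    }


if __name__ == "__main__":
    report = audit(INVENTORY)
    print("Still on factory defaults:", report["factory_default"])
    for fp, ids in report["reused"].items():
        print(f"Password {fp[:12]}... shared by {ids}")
```

On the constructed data, three devices (the PLC, the HMI and one camera) are still on their shipped credentials, and one password is shared by three devices across two vendors. Storing only fingerprints keeps plaintext passwords out of the inventory, but because the fingerprints are unsalted, the inventory file can be brute-forced for weak passwords and should be access-controlled accordingly.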
3/ Encrypt your data. Interestingly, encryption of data also reduced the cost of remediation by $13 per record. Again, the report doesn’t say why, but we can speculate: even when encrypted data was stolen, the encryption made it less likely that the thieves ended up with usable or sellable records. That, in turn, would lower abnormal churn (the loss of customers after a breach) caused by loss of customer trust. The caveat is that this only holds if the keys were not taken along with the data, so keys need to be stored and controlled separately from what they protect.
Ponemon’s calculation of remediation costs includes legal expenses, but it’s not clear whether it includes regulatory fines for non-compliance with rules such as HIPAA or PCI DSS. Most likely the study factors in those fines only to the extent that respondents reported them, but either way, they can be substantial. By encrypting data (on devices, in your data center, and in transit), you’re demonstrating a good-faith effort to protect it, and many enforcement agencies take that into account when assessing fines. HIPAA goes further: its breach notification rule applies to “unsecured” protected health information, and PHI encrypted in line with HHS guidance is not treated as unsecured, so the loss of a properly encrypted device may not trigger notification at all.
4/ Secure your data during a cloud migration. Your systems and data can be particularly vulnerable during a migration to the cloud. Attackers know that your IT department has its hands full and that its guard may be down. That could be one reason organizations undergoing a major cloud migration at the time of a breach saw their costs rise by $12 per record lost or stolen. Another could be that the general chaos of an improperly planned or managed migration leads to slower and less effective remediation. Proper migration planning is a must, including a clear owner for the security controls of each workload during the period when it exists in both places.
5/ Choose your business partners wisely. Ponemon found that when a third party caused the data breach, remediation costs increased by more than $13 per record. A number of factors could explain this, but legal fees undoubtedly rise when another party is involved. Organizations that must comply with HIPAA already know the importance of vetting their business associates (the regulation requires a business associate agreement with each of them). Other businesses would do well to follow their example.
6/ Create a response plan ahead of time. Organizations that had an incident response (IR) team saw per-record costs $14 lower than average. The study also notes that “the rush to notify victims without understanding the scope of the breach, compliance failures, and the engagement of consultants to assist in the remediation of a data breach all increase post data breach costs.”
The faster your organization responds to a breach, the less it looks like you’re trying to cover it up. However, missteps are easy when you’re trying to get ahead of negative publicity, and notifying victims before you know the scope of the breach is one of them. Planning your response ahead of time and establishing a core IR team lets you respond quickly without making those mistakes.
7/ Use the opportunity to build trust. Your pre-breach planning should include how you will preserve, and even build, customer trust. Abnormal customer churn is a real issue for many businesses. In Ponemon’s study, the global average abnormal churn rate for the combined sample was 3.4%. The US had a slightly higher rate at 3.6%. Abnormal churn was a particular problem in industries where customer relationships are built on trust, such as healthcare (6.7%) and financial services (6.1%).
While these percentages may seem small, they are significant. Companies that kept abnormal churn below 1% saved as much as $2.2 million compared with those whose abnormal churn exceeded 4%. One way they did this was by offering breach victims identity protection services, a practice that has become close to standard.
8/ Identify and contain the breach quickly. Ponemon looked at two metrics: Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC). The implications of each are fairly obvious. The faster you can identify and contain a breach, the fewer records are likely to be compromised. Identifying and containing a breach quickly also goes a long way toward building customer trust in your data protection efforts.
This year’s study found an MTTI of 197 days and an MTTC of 69 days. Shortening either saves remediation costs. Companies that identified a breach in under 100 days saved more than $1 million compared with those that took longer, and companies that contained a breach within 30 days of identifying it also saved more than $1 million compared with those that took longer. Both numbers depend on detection: you cannot contain what you have not noticed, so logging and alerting on the systems that hold the data matter as much as the response plan itself.
Connectria would like to thank Ponemon and IBM Security for continuing to sponsor this study year after year, and for permission to draw on their data as we work with customers to help them secure their data and systems.