Data breaches have been a hot topic the last few weeks with the Equifax mess headlining the news. Today it seems like there is a new company losing its customers’ personal data every week.
If you’ve ever had your personal, health or credit card information stolen, you know what a hassle it is. But what about the repercussions for the business that held your information and was hacked in the first place? How does a breach affect them? And if it were your organization, are you prepared to withstand a data security breach?
If a business “lost” your information, you probably see them as the bad guy, but a breach is usually far more damaging to the business than to the individual consumer. It is hard enough for a large enterprise to withstand a breach; for a small to medium business (SMB), a single PCI DSS incident (breached cardholder data) can shutter the doors. For an SMB subject to HIPAA (required to protect the privacy and security of your personal medical information), the chance that a single incident takes the entire business down is even greater.
So how much does it actually cost a business per record that is breached?
Let’s use the hypothetical example of a healthcare business that holds 10,000 personal health records. If that business is breached and the current “average cost” to the business is $380 per record, it could expect to lose about $3.8 million in breach notifications, legal costs, fines, brand damage and the like. That is a lot of money for a relatively small amount of data. For a larger business with millions of records, the impact on the company’s future can be even more devastating.
The healthcare industry was an obvious example because we hear about HIPAA related breaches all the time, but what about other industries? Here is a list of average data breach costs by industry. Your personal information is likely held by a number of these.
Source: HIPAA Journal
The same article makes an interesting point: companies can reduce the average cost per breached record by taking some straightforward “defensive” steps. A company saves roughly $19 per record if it has a defined incident response plan that it has practiced and can execute quickly when an incident arises. Use of encryption saves another $16 per record, and employee security education another $12.50. That is $47.50 per record, or $475,000 in total for the hypothetical 10,000-record company above.
In addition, a company that cannot show it took reasonable precautions to protect its data can expect heftier fines. On the flip side, if proactive and comprehensive steps to protect the data were taken but a breach still occurred, regulators may show more leniency.
Together, these factors add up to meaningful savings if a company does get breached.
But what else can you do to help prevent a breach in the first place that could save your company from incurring the entire loss – not only monetary but reputation as well?
A managed security service provider can help. Here is what our IT risk management team does to help companies reduce that risk with our security solutions:
Well-patched systems, backed by layered controls such as antivirus, intrusion prevention, firewalls and web/email filtering, reduce exposure to breach threats tremendously.
A SOC (security operations center) provider can detect incidents early. The sooner an intrusion is discovered, the fewer records are lost.
Healthcare companies breached in the past year did not discover the intrusion until an average of 270 days after the event. Some had been breached for more than seven years without knowing it. What’s more, two-thirds of these companies did not detect the breach internally; they were notified by a third party or the government.
Most companies do not have a defined incident response plan, and those that do rarely practice it. It is also important to track your critical data so that, if a breach happens, you know exactly what was lost; having to assume it was everything drives up the cost. Get a disaster recovery assessment, and work with a risk management provider who can help categorize your data and define controls around it.
That provider should draw up an incident management plan based on NIST SP 800-61 (Computer Security Incident Handling Guide) and tailor it to your company.
If you’re unsure how vulnerable your company is to a breach, or you want to work with a managed security provider to make sure you are secure, request a consultation to see how we can protect your business, your end users and your customers from data loss.