The True Cost of a Data Breach to a Small Business

Data Breach: Impact on Small Business

 

Based on more than 1,500 interviews with organizations that actually suffered a data breach, the 2016 Ponemon Institute Cost of Data Breach Study paints a grim picture of the impact a breach can have on a business. CIT has combined the Ponemon figures with Trustwave's data breach report to focus on the impact that data breaches have on smaller businesses specifically.

How many unique records does your business maintain?

Many business owners and technology managers cannot answer this question. It may seem trivial, but in the context of a data breach it is critical: the number of records you hold is the multiplier on nearly every cost figure that follows.

If your small business is like most in non-regulated industries, you probably hold around 6,000 to 7,000 unique records. Healthcare, financial services, insurance, and hospitality businesses tend to hold far more.
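The question above has a practical answer: scan the exports you already have. What follows is an added example, not code from CIT, Ponemon, or Trustwave. It classifies a small constructed customer export (made-up names, a made-up SSN, and the well-known 4111 test card number) in Go, counting the rows that contain a Social Security number or a Luhn-valid payment card number and the number of distinct values of each. The regular expressions, the file format, and the $158-per-record figure used for the rough exposure line are this example's assumptions (the dollar figure is the Ponemon all-industry average quoted later in this article). A production scanner would cover more data types and crawl file shares, mailboxes, and databases rather than a single CSV, but the inventory it produces is the same.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample customer export for this example. The people and numbers
// are made up; 4111 1111 1111 1111 is the standard test card number and
// 4111111111111112 is there to fail the Luhn check on purpose.
const sampleExport = `name,email,notes
Alice Example,alice@example.com,SSN 123-45-6789 on file
Bob Example,bob@example.com,card 4111 1111 1111 1111 exp 12/26
Carol Example,carol@example.com,loyalty id 4111111111111112
Dan Example,dan@example.com,no sensitive data
Erin Example,erin@example.com,SSN 123-45-6789 on file (duplicate customer)
`

// Inventory answers "how many unique records do you hold?", broken down by
// the regulated element each row contains.
type Inventory struct {
	Rows          int // rows in the export
	SensitiveRows int // rows holding at least one regulated element
	UniqueSSNs    int // distinct Social Security numbers
	UniqueCards   int // distinct Luhn-valid payment card numbers
}

var (
	// US SSN in the common dashed form. A fuller scanner would also accept
	// the undashed form and reject invalid area numbers.
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// 13 to 19 digits with optional single spaces or dashes between them.
	// Candidates are confirmed with the Luhn check to cut false positives.
	cardRe   = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
	stripSep = strings.NewReplacer(" ", "", "-", "")
)

// LuhnValid reports whether a digit string passes the Luhn mod-10 check that
// every major card brand's account numbers satisfy.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Classify scans a CSV export line by line and tallies rows and unique
// regulated elements. Only counts leave this function, so the inventory
// report does not itself become another copy of the sensitive data.
func Classify(csvText string) Inventory {
	var inv Inventory
	ssns := map[string]struct{}{}
	cards := map[string]struct{}{}
	lines := strings.Split(strings.TrimSpace(csvText), "\n")
	for _, line := range lines[1:] { // skip the header row
		inv.Rows++
		sensitive := false
		for _, m := range ssnRe.FindAllString(line, -1) {
			ssns[m] = struct{}{}
			sensitive = true
		}
		for _, m := range cardRe.FindAllString(line, -1) {
			digits := stripSep.Replace(m)
			if LuhnValid(digits) {
				cards[digits] = struct{}{}
				sensitive = true
			}
		}
		if sensitive {
			inv.SensitiveRows++
		}
	}
	inv.UniqueSSNs = len(ssns)
	inv.UniqueCards = len(cards)
	return inv
}

func main() {
	inv := Classify(sampleExport)
	fmt.Printf("rows: %d, rows with regulated data: %d, unique SSNs: %d, unique cards: %d\n",
		inv.Rows, inv.SensitiveRows, inv.UniqueSSNs, inv.UniqueCards)
	// $158 per record is the 2016 Ponemon all-industry average quoted in this article.
	fmt.Printf("rough exposure at $158 per record: $%d\n", inv.SensitiveRows*158)
}
```

Note what the Luhn check buys you: the loyalty ID on Carol's row looks exactly like a card number to the pattern match but is not counted, and Erin's duplicate row does not inflate the unique SSN count. Both are the kinds of error that make a naive grep-based inventory either understate or wildly overstate the number of records you would have to notify on.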

Why does this matter?

Put simply, it helps you understand your organization’s financial exposure in the event of a breach.

Let’s start out by defining what exactly a data breach is.

The Definition of Data Breach

A data breach is an event in which otherwise confidential information is viewed, stolen, or used by an unauthorized person or entity. It is different from a data loss event, in which confidential or otherwise controlled information is deleted, corrupted, or otherwise removed from its regular use, whether inadvertently or maliciously. The two can overlap (a ransomware incident that exfiltrates data before encrypting it is both), and it is the unauthorized access, not the loss of availability, that triggers notification obligations.

Different industries treat data breach incidents with varying degrees of seriousness.

Healthcare (HITECH, HIPAA), finance (FINRA, SEC), banking (FFIEC), and the payment card industry (PCI DSS) each have strict and clearly defined penalties for data breach events. Most measure the magnitude of a breach by the number of records that were potentially compromised or viewed.

As far as breach notification requirements go, regulated data is just one of many types of information with legal protection. Protected information can include routine data used to run a business, such as a customer's name, address, state ID number, bank or payment account number, and even biometric data (such as a thumbprint).

While any single piece of information may be unregulated in isolation, the combination of a person's name with one of the other elements (typically a Social Security number, driver's license or state ID number, or an account number together with its access code) makes a breach legally reportable under many state statutes. It goes without saying that banking, payment card, Social Security number, student ID, medical account, health insurance, and other financial information fall within the scope of reporting laws.


Regulatory Agencies that Deal with a Data Breach

So, who says you have to tell if your business has been breached?

Well, the Federal Trade Commission, for one; it tends to insist on knowing these things. So do most state governments.

If you're keeping track, Alabama, New Mexico, and South Dakota were, at the time of publication, the only states without a mandatory breach notification law separate and apart from any industry or regulatory oversight (all three have since enacted one, so every state now has such a statute).

What industry oversight exists? The Department of Health and Human Services (HHS), through its Office for Civil Rights, enforces HIPAA and anything that involves patient healthcare data. The Securities and Exchange Commission enforces Sarbanes-Oxley (SOX), which governs the controls public corporations must maintain over their financial reporting systems. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, applies to any merchant or service provider that stores, processes, or transmits cardholder data for the major card brands, whether online or in person; it is a contractual standard rather than a law, and its fines reach a merchant through the card brands and acquiring banks rather than from a government agency. Each carries stiff fines and penalties for data breaches or other reportable data-related incidents.

To shed some light on the myriad state statutes that pile onto the federal statutes and regulatory oversight organizations, here is a list (current as of the time of publication) of state data breach notification statutes.

State: Citation
Alaska: Alaska Stat. § 45.48.010 et seq.
Arizona: Ariz. Rev. Stat. § 18-545
Arkansas: Ark. Code §§ 4-110-101 et seq.
California: Cal. Civ. Code §§ 1798.29, 1798.82
Colorado: Colo. Rev. Stat. § 6-1-716
Connecticut: Conn. Gen. Stat. §§ 36a-701b, 4e-70
Delaware: Del. Code tit. 6, § 12B-101 et seq.
Florida: Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i)
Georgia: Ga. Code §§ 10-1-910, -911, -912; § 46-5-214
Hawaii: Haw. Rev. Stat. § 487N-1 et seq.
Idaho: Idaho Code §§ 28-51-104 to -107
Illinois: 815 ILCS 530/1 to 530/25
Indiana: Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq.
Iowa: Iowa Code §§ 715C.1, 715C.2
Kansas: Kan. Stat. § 50-7a01 et seq.
Kentucky: KRS § 365.732, KRS §§ 61.931 to 61.934
Louisiana: La. Rev. Stat. §§ 51:3071 et seq.
Maine: Me. Rev. Stat. tit. 10 § 1346 et seq.
Maryland: Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308
Massachusetts: Mass. Gen. Laws ch. 93H, § 1 et seq.
Michigan: Mich. Comp. Laws §§ 445.63, 445.72
Minnesota: Minn. Stat. §§ 325E.61, 325E.64
Mississippi: Miss. Code § 75-24-29
Missouri: Mo. Rev. Stat. § 407.1500
Montana: Mont. Code §§ 2-6-1501 to -1503, 30-14-1701 et seq., 33-19-321
Nebraska: Neb. Rev. Stat. §§ 87-801 et seq.
Nevada: Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire: N.H. Rev. Stat. §§ 359-C:19 et seq.
New Jersey: N.J. Stat. § 56:8-161 et seq.
New York: N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law § 208
North Carolina: N.C. Gen. Stat. §§ 75-61, 75-65
North Dakota: N.D. Cent. Code §§ 51-30-01 et seq.
Ohio: Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma: Okla. Stat. §§ 74-3113.1, 24-161 to -166
Oregon: Or. Rev. Stat. §§ 646A.600 to .628
Pennsylvania: 73 Pa. Stat. §§ 2301 et seq.
Rhode Island: R.I. Gen. Laws §§ 11-49.3-1 et seq.
South Carolina: S.C. Code § 39-1-90
Tennessee: Tenn. Code §§ 47-18-2107, 8-4-119
Texas: Tex. Bus. & Com. Code §§ 521.002, 521.053
Utah: Utah Code §§ 13-44-101 et seq.
Vermont: Vt. Stat. tit. 9 §§ 2430, 2435
Virginia: Va. Code §§ 18.2-186.6, 32.1-127.1:05
Washington: Wash. Rev. Code §§ 19.255.010, 42.56.590 (as amended by 2015 H.B. 1078, ch. 65)
West Virginia: W. Va. Code §§ 46A-2A-101 et seq.
Wisconsin: Wis. Stat. § 134.98
Wyoming: Wyo. Stat. §§ 40-12-501 et seq.
District of Columbia: D.C. Code §§ 28-3851 et seq.
Guam: 9 GCA §§ 48-10 et seq.
Puerto Rico: 10 Laws of Puerto Rico §§ 4051 et seq.
Virgin Islands: V.I. Code tit. 14, §§ 2208, 2209

 


 

Data Breach Cost: Adding It All Up

Based on aggregate data from organizations of all sizes that reported a breach during the year, the cost incurred per record compromised in a data breach rose from $154 (2015) to $158 (2016).

This included information from over 1,500 unique post-breach interviews in 16 distinct industries.

Certain industries that have stringent regulatory oversight or store particularly large volumes of protected data naturally trend above this figure.

As an example, healthcare organizations, which represented 42% of the reported incidents and 27% of total respondents, realized an average cost of $355 per record compromised. Retail organizations, many of which are smaller businesses that are frequently targeted, realized an average cost of $172 per record compromised.

Small businesses were the most dramatically impacted by reported breaches, with an average post-breach, non-reimbursed incident response cost of $1.72 per record compromised. For a typical small business holding the 6,000 to 7,000 records mentioned above, that is a direct out-of-pocket cost on the order of $10,000 to $12,000, before any legal, regulatory, or compulsory fines and fees.

Industry data indicate that the total cost of a breach to a small business averages $665,000. Larger businesses report that a typical breach costs over $7 million.

That, however, is not the largest cost reported by breach victims. By far the largest post-breach cost is lost business: customers who leave, the higher cost of acquiring new ones against a damaged reputation, and diminished goodwill.

Following a data breach, organizations must take aggressive (and often expensive) steps to retain their customers' trust. Taking proactive steps quickly upon detection of a breach correlates directly with a reduction in the overall cost of the breach.

The emerging data on data breaches point to a growing problem for businesses that deal with sensitive information. It is compelling evidence that information security is becoming ever more urgent.

Per-record breach costs grew by 29% from 2013 to 2016. The small change between 2015 and 2016 suggests these costs have stabilized rather than receded; they should be treated as a permanent cost that organizations handling sensitive data must budget for on an ongoing basis.

Another damaging aspect of a data breach is the length of time an attacker has access to internal computer systems before being discovered (referred to as 'dwell time' in cybersecurity circles).

In 2016, for breaches caused by malicious or criminal attacks, the mean time to identify the breach rose to 229 days, and the mean time to contain it once identified rose to 82 days.

Think about that statistic for a moment: 229 days, on average, during which an attacker could have been reading internal communications and transactions before anyone noticed.

Combining total breach-cost data with the mitigation techniques that demonstrably worked, we can identify which measures reduced both the occurrence rate of data breaches and their total cost. This can serve as a starting point for a minimum set of compensating controls for organizations that need to protect their sensitive information more carefully.

 

  1. Have a plan. Formulate an Incident Response Plan (IRP) that deals with data breach scenarios aggressively and settles in advance who declares an incident, who contacts counsel and regulators, and who handles customer notification.
  2. Understand what data is present. More than 70% of organizations have neither a formal understanding of, nor a policy on, what data is stored on their computer systems. Identify each type of data stored within the organization and classify it by which properties must be protected and which regulations cover it.
  3. Isolation. Segregate systems that access, store, or process sensitive data from everything else. Well-designed network segmentation makes it much harder for an intruder to reach sensitive data without tripping detection, and it limits how far a compromised workstation can take them.
  4. Default anything is bad. Change the default values (passwords, account names, system names, SNMP community strings, and the like) on every system that accesses, stores, or processes sensitive data; published default credentials are among the first things an attacker tries.
  5. Detection is paramount. Implement a layered defense that not only keeps intruders out but can also recognize the signs that one is already inside the systems holding sensitive data. The 229-day average time to identify a malicious breach quoted above is the price of skipping this step.
  6. Formalize your decision-making roles. A well-written IRP includes organizational roles and responsibilities for information security. Do not let the lack of a complete IRP stand in the way of documenting who within your organization is in charge of making cybersecurity decisions. The moment an intrusion is detected (or you are notified that one has taken place) is not the time to work out who is responsible for what. This simple step has been shown to reduce the overall cost of a breach by a measurable amount.
  7. Encrypt data. Meaningful encryption (at a minimum, 256-bit AES with a symmetric key) of every container that holds sensitive information greatly improves an organization's chances of handling a breach without reportable data exposure. Many state statutes exempt encrypted data from notification only if the decryption key was not also compromised, so the key must be stored and managed separately from the data it protects. Apply this to databases, disks, and removable media. In database systems, use column-level encryption for sensitive fields alongside database-level (transparent) encryption; transparent encryption alone protects stolen disks and backups but not data read through a compromised application or database account. Servers holding sensitive data should use file-system and on-disk (data-at-rest) encryption, and the same applies to any disk, tape, or removable media that stores sensitive data.
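Item 7 in working code, as an added example rather than code from CIT or any vendor: column-level AES-256-GCM encryption in Go, with the key supplied by a hypothetical loadColumnKey function that stands in for a KMS, an HSM, or a key file the database server cannot read. The record ID is bound into the ciphertext as additional authenticated data so a value cannot be moved between rows, and the stored layout (nonce, ciphertext, tag), the function names, and the sample record are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// loadColumnKey is a hypothetical key source for this example. In a real
// deployment the key comes from a KMS, an HSM, or at minimum a file or
// environment variable on the application host that the database server
// cannot read. It must never live in the same database as the data: an
// attacker who dumps the tables would then get both, and the encryption
// safe harbor in most notification statutes would not apply.
func loadColumnKey() []byte {
	key := make([]byte, 32) // 256-bit key for AES-256
	for i := range key {    // fixed test pattern; NOT how a real key is generated
		key[i] = byte(i)
	}
	return key
}

// EncryptField seals one column value with AES-256-GCM. The record ID is
// passed as additional authenticated data, so a ciphertext copied from
// another row (or another column) will not decrypt under this row's ID.
// Stored layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("column key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Random 96-bit nonces are safe for tens of millions of values per key;
	// rotate the key well before that, since a repeated nonce breaks GCM.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField. Any change to the nonce, the
// ciphertext, the tag, or the record ID makes gcm.Open fail.
func DecryptField(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("column key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := loadColumnKey()
	// What a dumped row looks like to someone who has the database but not the key.
	stored, err := EncryptField(key, "customer:42", []byte("123-45-6789"))
	if err != nil {
		panic(err)
	}
	fmt.Println("ssn column as stored:", hex.EncodeToString(stored))

	// Application path: key present, correct row ID.
	pt, _ := DecryptField(key, "customer:42", stored)
	fmt.Println("decrypted by the application:", string(pt))

	// Same ciphertext moved to another row: rejected even with the right key.
	if _, err := DecryptField(key, "customer:43", stored); err != nil {
		fmt.Println("moved to another row:", err)
	}
}
```

The design point is the one item 7 makes in prose: the ciphertext in the dump is only as safe as the key is separate. Run the application and database on different hosts, give the database account no path to the key, and the attacker who reaches only the database still has nothing reportable; let the key sit in a config table or a world-readable file on the same box and the encryption is decoration.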

 

Across the thousands of breaches behind the data cited above, these guidelines have proven effective at reducing both the severity of a breach and its overall cost.

Organizations of all sizes are susceptible to a data breach, and each is exposed to risk in proportion to the sensitive data it handles and stores.

Smaller businesses are being targeted more aggressively because of an overall lack of security awareness and a lack of security budget.

Using these guidelines in conjunction with a standardized cybersecurity framework such as the CIS 20 Critical Security Controls provides an excellent position from which to develop and evaluate your organization's cybersecurity posture.

As experts in compliance assessment, cybersecurity penetration tests, and network security, Corporate Information Technologies can help create, refine, or validate your organization's cybersecurity posture.

 


CIT, of Charlotte, NC, is your answer to protecting your records. We will help ensure your confidential information is not viewed, stolen, or used by an unauthorized person or entity.

CIT is a managed security service provider (MSSP) offering CylanceProtect, the cutting-edge software that uses artificial intelligence and machine learning to identify and block threats before they are even executed.

Because detection relies on a pre-trained mathematical model rather than signature lookups, Cylance doesn't require internet access and isn't resource intensive. In fact, on average, it uses only about 1% of your CPU.

CylanceProtect is THE ANSWER for antivirus protection. Let CIT and CylanceProtect predict and prevent threats to your business. We will take cybercrime out of your everyday. Change today: call us for your Cylance demo.