According to the 2018 Horizon Scan Report, cyber-attacks present the greatest threat to organizations, and the average total cost of a data breach has climbed to $3.86M, according to the 2018 Cost of a Data Breach Study.
Of the financial costs mentioned in the above report, “lost business” was the leading contributor – accounting for as much as $1.45 million. Loss of business was mostly down to reputational damage. It should also be noted that reputational damage can spill over onto contractors, suppliers, shareholders, and anyone else the company is affiliated with. In fact, the Ping Identity 2018 Consumer Survey highlighted that a staggering 78% of people said they stop all engagement with a brand that recently experienced a data breach. This shows that, on the whole, consumers are making data security a priority, which means that organizations must follow suit.
Other costs include incident response, legal expenditures, product discounts, regulatory interventions and the disclosure of data breaches to the relevant parties (victims, supervisory authorities, etc.). Financial costs can also include the loss of valuable company information, such as intellectual property, payment card details, protected health information, etc.
Additionally, Business Email Compromise (BEC) scams are becoming increasingly lucrative for hackers. BEC scams are a type of phishing attack in which unsuspecting employees and executives are tricked into transferring money into the attacker's account. Cyber-attacks can also disrupt online sales if the victim’s website or POS system is taken down for whatever reason.
There are also legal consequences associated with cyber-attacks. Companies that store significant amounts of personal data will be subject to various data protection regulations – the most notable being the GDPR, which came into effect earlier this year. Under the GDPR, fines can be as much as €20 million, or 4% of annual global turnover – whichever is higher.
What Can We Do to Minimize the Impact of a Cyber-Attack?
The first step towards minimizing the damage caused by a cyber-attack is to implement an Incident Response Plan (IRP), which, as the name suggests, will help your organization respond to and recover from a security incident in a timely and efficient manner. An IRP will include details about how to report the incident to the relevant stakeholders and authorities, and details about how to repair and restore the affected systems.
Once you have an IRP in place, the next step is to ensure that all employees and stakeholders are aware that the plan exists, know where to find it, and are sufficiently trained to execute it. Incident response training should be carried out at least twice a year, and training should also cover techniques for identifying social engineering attacks, and anything else that may help prevent a security incident.
Given that the majority of security incidents are the result of employee negligence, companies will need to focus on what is happening to their sensitive data. To start with, they will need to know where their sensitive data resides. This may require using a solution which can automatically discover and classify a wide range of data types, such as PII, PHI, PCI, and so on. Doing so will enable security teams to assign the relevant permissions to this data, and set up some form of Data-Centric Audit & Protection (DCAP) solution to ensure that they can detect, alert on and respond to changes made to this data in real time.
Additionally, some DCAP solutions are able to automatically generate a wide range of customized reports, which can be used to satisfy regulatory compliance requirements.
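As an added illustration of the discovery-and-classification step and the change detection a DCAP solution performs (example code written for this article, not taken from any product), the following scans a set of documents for PII, PHI and PCI shapes, validates card-number candidates with a Luhn check to cut false positives, and then reports which sensitive documents were modified or removed relative to a hashed baseline. The sample records and the `MRN` pattern are constructed assumptions; a real classifier would use far richer rules.

```python
import hashlib
import re

# Classification rules: deliberately simple shapes; the Luhn check below
# is what keeps the PCI rule from flagging every long digit string.
PATTERNS = {
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                # US SSN shape
    "PHI": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),  # medical record number (assumed format)
    "PCI": re.compile(r"\b(?:\d[ -]?){13,16}\b"),                # payment-card shape
}

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: confirms a PCI match is a plausible card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the set of data classes (PII/PHI/PCI) found in one document."""
    found = set()
    for label, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if label != "PCI" or luhn_ok(m.group(0)):
                found.add(label)
    return found

def baseline(docs: dict) -> dict:
    """Content hash of every document that classifies as sensitive."""
    return {name: hashlib.sha256(body.encode()).hexdigest()
            for name, body in docs.items() if classify(body)}

def detect_changes(base: dict, docs: dict) -> list:
    """Sensitive documents modified or removed since the baseline was taken."""
    events = []
    for name, digest in base.items():
        if name not in docs:
            events.append(("removed", name))
        elif hashlib.sha256(docs[name].encode()).hexdigest() != digest:
            events.append(("modified", name))
    return sorted(events)

# Constructed sample records (not real data) to exercise the rules.
SAMPLE_DOCS = {
    "hr/employee.txt": "SSN 123-45-6789 on file",
    "billing/card.txt": "Card 4111 1111 1111 1111 expires 12/26",
    "clinic/visit.txt": "Patient MRN 00123456 seen on 2018-05-01",
    "notes/todo.txt": "Buy paper, invoice 1234567890123",  # fails Luhn -> not PCI
}
```

In practice the baseline would be refreshed by a file-system or database watcher rather than a second full scan, and each event would be forwarded to an alerting pipeline.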