Putting a price on a data breach

Johannesburg, 29 Jan 2021
Prischal Bahgoo, General Manager, ViC IT Consulting

Data breaches cost organisations more than they realise, making enhanced security and better data management critical in an age of ever-increasing risk.

The changing face of data threats

As more and more companies experience crippling security breaches, the wave of compromised data is on the rise. Data breach statistics show that hackers are highly motivated by money to acquire data, and that personal information is a highly valued type of data to compromise. “It’s also apparent that companies are still not prepared enough for breaches, even though they are becoming more commonplace,” says Prischal Bahgoo, General Manager at ViC IT Consulting.

Espionage makes the headlines, but in fact this type of crime accounts for just 10% of breaches in the latest data. Advanced threats – which also receive a great deal of media attention – represent only 4% of breaches. The majority of breaches (86%) continue to be financially motivated.

Credential theft, errors and social attacks are the three most common culprits in breaches. Employees working from home could be particularly vulnerable to these attacks. In these uncertain times, it makes sense to focus prevention efforts here.

Physical breaches have stayed relatively level and infrequent, but misuse, hacking, malware and social attacks have all decreased since last year’s report. While hacking and social attacks are down as a percentage, they have remained close to the levels seen for the past few years. Malware, on the other hand, has been on a consistent and steady decline as a percentage of breaches over the last five years.

Quantifying risk

The cost of data breaches is excessive worldwide. According to the American Ponemon Institute’s 2020 Cost of a Data Breach report, the global average cost of a data breach was $3.86 million last year (slightly down from $3.92 million the year before), with each breach costing South African companies on average $3.06 million. We find the costs equate to around R75 per company employee, multiplied by your customer base.

Despite the fact that the reported cost of data breaches has dropped from 2019, these costs are still far too high – particularly since they are very avoidable costs.

It should be noted, too, that these costs are only those that are accurately measurable. It is difficult to put a value to the indirect costs due to brand reputational damage and the loss of customer trust. With no access to their data, organisations can also risk losses in productivity and sales, and experience a hiatus in critical internal processes such as communication, CRM and HR management.

In addition, on average, a minimum of 10% of breached customers will personally take legal action against the organisation after a data breach. Clearly, the direct and indirect costs involved in a data breach or data loss can be significantly higher than most organisations expect.

Mitigating risk

“With data being seen as the new oil, we expect to see increased data theft, along with common accidental data breaches, so CISOs and CIOs who are still considering perimeter security need to start looking deeper into field level encryption this year,” says Bahgoo.

Many more organisations are now looking at cyber insurance in the hope that it could be their answer to the challenge of potential data breaches and losses. However, understanding your policy, what it covers, and how its limitations apply to these events is a serious concern.

That said, sensitive data should now be protected to the point where it is effectively removed from the environments it sits in. Similarly, ISO standards and compliance legislation are becoming more stringent in their requirements for protecting your data.

To mitigate the risk of data breaches and loss, best practice measures include:

  • Identify and remediate global access groups that grant access to sensitive and critical data;
  • Ensure only appropriate users retain access to sensitive, regulated data;
  • Routinely run a full audit of your servers, looking for any data containers (folders, mailboxes, SharePoint sites, etc.) with global access groups applied to their ACLs;
  • Replace global access groups with tightly managed security groups;
  • Start with the most sensitive data and test changes to ensure that issues do not arise;
  • Follow the principles of Privacy by Design: minimise the sensitive data you collect, minimise who gets to see it, and minimise how long you keep it;
  • Identify stale data – especially sensitive information;
  • Archive or delete stale data if it is no longer needed;
  • Know that most attackers target data, but they reach their target by hijacking accounts;
  • Make sure stale accounts are deleted, or disabled and monitored for re-enablement and activity; and
  • Note that the more complex a file system structure, the greater the risk for overexposure and security vulnerabilities.
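The audit steps above (finding data containers whose ACLs carry global access groups, starting with the most sensitive data, and identifying stale enabled accounts) as an added example, not code from the article or from ViC IT Consulting. The ACL export, the sensitive-path list and the account records are constructed samples; in practice they would come from a server ACL dump and a directory export.

```python
from datetime import datetime, timedelta

# Principals that effectively grant "everyone" access (assumed list; extend per environment).
GLOBAL_ACCESS_GROUPS = {"Everyone", "Authenticated Users", "Domain Users", "BUILTIN\\Users"}

# Constructed sample of an ACL export: (container, principal, rights). Not a real dump.
SAMPLE_ACL_EXPORT = [
    ("\\\\fs01\\Finance\\Payroll", "Authenticated Users", "Modify"),
    ("\\\\fs01\\Finance\\Payroll", "CORP\\Payroll-RW", "Modify"),
    ("\\\\fs01\\HR\\Contracts", "CORP\\HR-RO", "Read"),
    ("\\\\fs01\\Public\\Templates", "Everyone", "Read"),
]

# Constructed set of containers classified as sensitive/regulated data.
SENSITIVE_PATHS = {"\\\\fs01\\Finance\\Payroll", "\\\\fs01\\HR\\Contracts"}


def find_global_access(acl_export, sensitive_paths):
    """Return (container, principal, rights) entries where a global group is on the ACL.

    Sensitive containers are listed first so remediation starts where the risk is highest.
    """
    findings = [entry for entry in acl_export if entry[1] in GLOBAL_ACCESS_GROUPS]
    # Sort key: sensitive first (False sorts before True, so negate), then by path.
    return sorted(findings, key=lambda e: (e[0] not in sensitive_paths, e[0]))


# Constructed sample of directory accounts: (name, last_logon, enabled).
SAMPLE_ACCOUNTS = [
    ("jsmith", datetime(2021, 1, 20), True),
    ("contractor01", datetime(2020, 6, 1), True),
    ("svc-legacy", datetime(2019, 11, 3), False),  # already disabled: monitor, not a finding
]


def find_stale_accounts(accounts, now, max_idle_days=90):
    """Return names of enabled accounts with no logon in the last max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return [name for name, last_logon, enabled in accounts if enabled and last_logon < cutoff]


if __name__ == "__main__":
    for container, principal, rights in find_global_access(SAMPLE_ACL_EXPORT, SENSITIVE_PATHS):
        print(f"EXPOSED {container}: {principal} has {rights}")
    for name in find_stale_accounts(SAMPLE_ACCOUNTS, datetime(2021, 1, 29)):
        print(f"STALE   {name}: disable and monitor for re-enablement")
```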