According to IBM Security's 2019 Cost of a Data Breach Report, the average time to identify and contain a breach was a whopping 279 days, and breaches caused by a malicious attack took even longer to discover and deal with. The average cost of an incident was $3.9 million, and the average cost per lost or stolen record was $150.
A malicious hacker can do serious damage to an organization. Breaches are not a cheap date. Capital One estimated the first-year cost of its recent breach at $100-150 million. Add to that figure the aggregate cost at as many as 30 other companies that suspected hacker Paige Thompson may have hit, and it should be abundantly clear that the damage a single person can rack up is astounding. Equifax recently agreed to pay up to $700 million to settle claims over its megabreach, a figure many derided as a wrist slap.
By now, it shouldn't be news that the probability of a breach or data compromise hitting your company, or one you do business with, is right up there with two more familiar certainties, namely death and taxes. What is far less predictable is the particular way it will happen: the cause of any given breach is about as easy to foresee as how each of us will meet those two certainties.
You need look no further than very recent news to illustrate the point.
South Korea-based Suprema sells a security platform used by organizations worldwide, including law enforcement, to control physical access in high-security environments. It's called Biostar 2, and it failed, leaking fingerprints, photographs, facial recognition data, names, addresses, passwords and employment history records. Reports say 23 gigabytes of data containing nearly 30 million records were in the wind, including data used by London's Metropolitan Police, Power World Gyms, Global Village and Adecco Staffing. The cause: human error, in the form of a database left exposed to the internet. The cost here is twofold. Fingerprints in the wind stay in the wind; unlike a password, they can't be changed. There is no way to put a price on that, but at $150 per record we might spitball and put the rest at around $4.5 billion.
In other news, an FDNY employee flouted department data security policy by downloading data onto a personal, unencrypted hard drive that subsequently went missing. The drive contained sensitive personal information and protected health information on more than 10,000 people treated or transported to the hospital by the department's EMS. Nearly 3,000 Social Security numbers were also reportedly among the possibly exposed data. This leak "only" comes in at a potential cost of around $1.5 million using the $150-per-record estimate from the IBM Security report. The cost of the unnecessary diversion it created is, of course, unknowable.
Another all too familiar way companies get got is by proxy. Choice Hotels recently reported the compromise of 700,000 guest records, exposed when a vendor copied the hotel's data onto a server of its own. The mismanaged copy was subsequently discovered by a hacker and held for ransom, a demand the hotel reportedly ignored. Ironically, the data had been placed on that server to test a "security offering," and since the hacker had only a copy while the hotel still controlled the original, there was nothing to ransom back. (That said, ransomware continues to be a very real threat, and it relies for the most part on employee error.)
Honda had an exposed database containing more than 134 million records, and the Electronic Entertainment Expo, popularly known as E3, leaked press badge information that included the names, phone numbers and home addresses of attendees. Do you know what these entities, along with all of the aforementioned organizations, did not do? They didn't do cyber right.
We all need to listen to the wisdom of The Office's Dwight Schrute, who said, "Whenever I'm about to do something, I think, 'Would an idiot do that?' And if they would, I do not do that thing." True, that's easier said than done, and Schrute himself is fictional proof of it. Human error is not the only threat to a company, but it is the most persistent one. Many of the hacks on this hit parade were avoidable, but without an organizational culture predicated on staying safe, it's hard to make much progress in the war against stupid mistakes.
Data breaches and compromises are expensive, cause an enormous amount of collateral damage to everyday life and are more common than bickering between couples. As with love spats and their aftermaths, there is always room for improvement. While it is folly to believe that any company can be made 100% hack- or leak-proof, companies can become harder-to-hit targets. Security can be baked into every process, from onboarding to new product launches to the storing of key data. Breaches are more avoidable than one might be led to believe, but avoiding them requires a sea change in attitude and, more importantly, a complete change in the way everything digital is done, with security foremost in any given process.