
Understanding the True Cost of Data Breaches – And How Organizations Can Protect Themselves

Posted November 24, 2020

The piece below originally appeared as an article in Zero Hedge on November 23, 2020.

In March 2020, the Marriott Hotel chain disclosed to the world that they had been a victim of a massive data breach that could have impacted up to 5.2 million of their customers. (Not?) Surprisingly, this wasn’t the first such incident involving the Marriott. Back in late 2018, the company reported a data hack that compromised the personal data of up to 300 million people. And, despite the staggering number of records impacted (over 300 million!) by that breach, that was not the “real story” behind this incident. What’s noteworthy is the fact that the hack may have been ongoing for 4 years – as long ago as 2014!

The Banquet of Financial Consequences

While there is a general sense that protection of sensitive corporate data should be a priority, history bears testament to the fact that lax data security policies are commonplace. To realize how common disregard for data protection is, all we need to do is look at some real-world examples of data breaches, and the financial consequences that followed:

2014: The Home Depot malware attack. Cost: $56 million in restitution
2014: Hacking at Sony Pictures Entertainment. Cost: $100 million in data recovery and cleanup
2015: Anthem cloud storage data breach. Cost: $100 million
2008: Heartland Payment Systems malware attack. Cost: $140 million
2007: Hacking of TJ Maxx. Cost: $162 million
2013: Target credit card data hack. Cost: $162 million
2011: Sony PlayStation digital data room attack. Cost: $171 million
2007: Hacking of servers at Hannaford Bros. Cost: $252 million
2006: Compromised database at Veterans Administration. Cost: $100 to $500 million
2011: Data breach at Epsilon. Cost: A staggering $4 billion!

Corporate data security experts may heave a sigh of relief that both the number of data breaches and the number of records exposed are on a down-tick of late.

However, other key metrics, including the level of sophistication of the attacks, the lead time to recover, and the average financial cost of recovery, are trending the wrong way. Nor does the down-tick mitigate the real financial impact of a breach when one does happen. Invariably, when data theft does come to light, what’s more revealing is how little effort corporations put into protecting their sensitive data assets in the first place. Many companies believe that putting their data networks behind a firewall, or using commercially available data encryption, is the answer. But it isn’t!

The challenge with poor or nonexistent data protection is that corporate IT security experts often do not detect the breach until many days, months or even years later. Case in point: the TJ Maxx hack began in 2007 – but the cyber criminal continued siphoning sensitive data over a staggering 18-month period! One would think that even a rudimentary data protection system would have sounded the alarm sooner. But that doesn’t seem to be the case!

Broad-based Fallout

Corporate victims of data breaches don’t just bear the financial consequences as a result of a hack or data theft. The fallout can often be much more broad-based than that, including:

The organization suffers reputational damage – bad publicity is worse than no publicity!
If misused, stolen sensitive data (such as R&D reports) could leave the corporation at a severe competitive disadvantage for years to come
Loyal customers and business partners distance themselves from the company’s brand
There’s regulatory fallout, with watchdogs and compliance agencies looking for answers
Sometimes, there’s a domino effect, where other issues and shortcomings (unrelated to the data loss) surface during an investigation into the data breach
Employee morale takes a huge hit, resulting in the loss of self-esteem and sense of pride in their employer
There’s an interruption to business as usual, giving sharp-witted competitors an opening to fill the void and grab market share

While this fallout might seem unbearable, deep-pocketed corporations often (but not always!) survive and live to fight another day. However, the customers whose personal data is lost might not be as fortunate:

Some of their data finds its way onto dark web markets and is then misused, leaving the individual with a pile of unwanted financial woes
Individuals whose credit was impeccable until now take a deep credit downgrade
People whose personal data was compromised might be unable to apply for additional credit, including new credit cards, mortgages or auto loans

When organizations finally detect personal data breaches, the general practice is to offer “free credit monitoring” to those impacted by the theft. However, given the speed at which some hackers operate, such assistance might be too little, too late – typically the damage occurs within 24 to 48 hours of the breach.

The Need of The Hour

Keeping corporate data secure is serious business, where the stakes are high and laxity often results in huge financial, reputational and legal consequences. The risks are even greater when high levels of compliance are mandatory, including with stringent standards such as SOC 2, HIPAA and GDPR. For such applications, solutions like Google Drive or Dropbox just won’t cut it! For real-world applications where highly sensitive materials need to be stored, shared and protected, a secure data room, capable of handling large volumes of transactions, is the only answer.