When it comes to your business experiencing a data breach, the question is more when than if.
More than 50% of U.S. businesses experienced a cyber attack in the past year. The statistical trends suggest that companies of all sizes will continue to struggle with data breaches into 2018 and beyond.
Data Breaches Continue to Accelerate in 2017
In the first half of 2017 alone, there were nearly 2 billion records lost or stolen in a breach.
To put that in perspective, there were “only” 721 million records lost or stolen in the last six months of 2016 — in other words, there’s been a 164% increase in breached records. These numbers could be even higher, but nearly 60% of the total breaches include an unknown or unreported number of compromised records (similar to the Yahoo breach, which was reported as a larger breach over time – now listed at 3 billion-plus records).
The fact is, cyber attacks are going to remain rampant until businesses can commit to, prioritize, and implement security tools and policies across the entire organization.
From dedicated employee education and awareness training to improved password behavior and everything in between, the time is now to take control of your business and protect yourself from an inevitable breach attempt.
Small Businesses Are Under Attack
Prioritizing breach-prevention tools and policies is especially critical for small businesses. Hackers know small businesses have fewer resources to put toward the defenses they need (whether because of a shortage of staff or budget), and have targeted them at an alarming and increasing rate each year, according to Symantec’s Internet Security Threat Report.
What’s more alarming than that? Almost 90% of small business owners don’t feel like they’re at risk of experiencing a breach.
Regardless of how they feel, the catastrophic effects of a data breach on small businesses are well documented. “Experts say these kinds of attacks can be so damaging to revenue and customer expectations that small businesses are forced to close,” according to the New York Times.
Part of the reason breach prevention is devalued and de-prioritized by executives is that they can’t conceptualize or quantify the cost of a breach to the company’s bottom line or reputation.
Average Cost of a Data Breach in the U.S.? $7.35 million
IBM and the Ponemon Institute teamed up to produce their 12th annual Cost of Data Breach Study this past summer. The results are staggering and they can help you make a case to executives:
- Average Cost of a Data Breach
  - Globally: $3.62 million average cost of a data breach, up 17% since 2013
  - In the U.S. only: $7.35 million average cost of a data breach, up 25% since 2013
- Average Cost per Record Breached
  - Globally: $141 average cost per record breached
  - In the U.S. only: $225 average cost per record breached
While those numbers paint a broad picture of the cost of not putting additional resources into breach-prevention, it’s important to understand the nuances of those data points in a way that is tangible. Data breach costs include:
- Loss of Customers: Loss of customers costs “includes the abnormal turnover of customers [also called “abnormal churn”], increased customer acquisition activities, reputation losses and diminished goodwill.” The average U.S. business paid $4.13 million in loss of customers costs.
- Post Data Breach Response: Post data breach response costs are “the costs associated with ex post response and detection…ex post costs include help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.” The average U.S. business paid $1.56 million in post data breach response costs.
- Detection and Escalation: Detection and escalation costs “include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.” The average U.S. business paid $1.07 million in detection and escalation costs.
- Notification: Notification costs “include the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and inbound communication set up.” The average U.S. business paid $0.69 million in notification costs.
Financial, Technology, and Services Industries Among Most Affected by Data Breaches
Not all breaches are created equal. Certainly, your industry affects the potential cost of a data breach.
Given the nature of a data breach, most modern businesses that rely on software (especially third-party software) to store customer records are susceptible. Still, for some industries, regaining customer trust is more difficult than for others.
- Abnormal Churn Rate is defined as the “greater than expected loss of customers” that results from a data breach.
Businesses that are in the Financial (5.7% abnormal churn rate; 1st), Services (5.2% abnormal churn rate; 3rd), and Technology (4.4% abnormal churn rate; 4th) industries see the largest loss-of-customers impact as a result of a data breach (the Health industry is 2nd).
In fact, 24% of all breaches affected financial organizations, according to the Verizon Data Breach Investigations Report (DBIR).
Poor Password Behavior, Phishing, Negligent Employees Are Aiding Breach Perpetrators
There are many things you can do to improve your company’s ability to avoid and detect breach incidents. Some big, some small, some expensive, and some totally free.
But where do you start?
“81% of hacking-related breaches leveraged either stolen and/or weak passwords.”
– Verizon Data Breach Investigations Report, 2017
The only way to know where to start is to understand where these breaches originated, and what behavior and/or policies enabled them.
- Poor Password Behavior is the #1 Thing Leveraged by Perpetrators: According to the Verizon DBIR, “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” That is by far the number one method used by perpetrators to breach companies, up 29% from 2016. The main problem is that regardless of the password policies set by companies, employees bring their poor password behavior with them from outside the office. Over 70% of employees are reusing passwords at work (the Dropbox breach, which consisted of over 60 million user credentials being stolen, was enabled by an employee reusing a password at work). This includes passwords that protect the accounts of highly sensitive company and customer information. Additionally, employees are sharing unprotected passwords with co-workers and storing passwords insecurely.
- Go Phish — 98% of Social Attacks Linked to Phishing Scams: According to the Verizon DBIR, breach perpetrators leveraged social attacks 43% of the time, and 66% of all malware was installed via malicious email attachments. Phishing is incredibly valuable to hackers — it allows them to gain a foothold via malware and then leverage stolen credentials off the foothold: “95% of phishing attacks that led to a breach were followed by some form of software installation.” Over 75% of these attacks were financially motivated. Phishing attacks are prevalent because hackers have become experts at copy-catting common services like Google Docs, and negligent employees are easily duped by requests for sensitive information like login credentials and/or passwords. To give you some additional context, in a company with over 30 people, 15% of unique users were successfully phished, and 3% of unique users were successfully phished multiple times.
Ready to learn what you can do to protect your business from a data breach? Read our post on the three simple, inexpensive steps you can take to secure your organization.
Interested in a business password manager to meet your needs and aid your organization in breach prevention? Check out Dashlane Business, trusted by over 7,000 businesses worldwide, and lauded by businesses big and small for its effectiveness in changing security behavior and simplicity of design that enables full company adoption.