Cyber Security – Top Tip Takeaways

Following our Cyber Security Round Table event, chaired by Amicus ITS’ Head of Technology & Governance JP Norman on Wednesday 24th June at IBM, delegates discussed the core issues affecting public and private sector organisations. The key takeaway points for all organisations are detailed below:

Top Tip Takeaways:

1. The urgent need to raise awareness of the EU Data Directive, its potential impact and its financial penalties of up to 5% of turnover.
2. To consider the impact and plan ahead should the UK vote to opt out of the EU in the Referendum.
3. The need for organisations to educate staff on the issues and impact of cyber security, data handling and correct device use.
4. To secure Board engagement on the risk of cyber security breaches and recognition of the commercial fallout that follows a loss of trust.
5. Appoint a Data Controller and create core stakeholder engagement across departments.
6. Organisations to implement and regularly review quality BYOD processes, and to manage web browsing and software applications.
7. Organisations need to control data streaming and ensure it stays in the UK to remain compliant.
8. Balance staff security awareness with maximising their productivity for the business.
9. Ensure your third-party supply chain has the same compliance checks, liabilities and recognised failure penalties, to accompany your own due diligence processes.
10. Treat VoIP the same as any other form of data from a cyber security point of view, affording it the same protections and covering it under the same regulations as other data.
11. Have an up-to-date digital policy and security measures within HR for every leaver, whatever the circumstances of their departure, to avoid a data breach.


IBM and Ponemon Institute count the true cost of data breaches

IBM, in conjunction with the US independent data protection and security organisation The Ponemon Institute, has published findings that the per-record cost of a data breach reached $154 in 2015, up 12% from $145 in 2014. Aggregated, this amounted to an average total cost of $3.79 million for a single data breach. The survey reviewed 350 companies across 11 countries, each of which had suffered a breach.

Prior to this, technology and communications giant Verizon had estimated the per-record cost to be a scant 54 cents. However, Ponemon Institute Chairman Larry Ponemon noted that this figure was based on a small sample of 191 cyber insurance claim reports, that such claims represent only around 10% of the insurance coverage for the cost of a breach, and that it ignored indirect costs and the resulting loss of business.

Target’s latest breach was estimated to cost the company over $1 billion, but it was only insured for $100 million. Ponemon added: “Companies generally buy enough insurance to cover 50% of the value of their fixed assets, but only 12% of the value of their digital assets”.

Loss of business is a growing part of the total cost of a data breach: customer churn is on an upward trend, and the cost of lost reputation and goodwill now adds up to $1.57 million per company (up from $1.33 million the previous year).

VP at IBM Security, Caleb Barlow, commented: “At a minimum, a company with a data breach has to send out letters notifying customers that they were breached and pay for credit monitoring”.

Data breach costs reportedly varied substantially between industries and geographies. Healthcare had the highest costs, at an average of $363 per record, because its records have such a long shelf life. By country, the US had the highest per-record cost at $217, followed by Germany at $211, with India the lowest at $56 per record.

Healthcare records are especially valuable because of the volume of personal information they hold, including Social Security numbers and insurance details, which can be used to create credit records or commit identity fraud 10-15 years later.

Cyber breach cost reductions:
• Companies with incident response teams reduced the cost per record by $12.60, because of their ability to respond swiftly.
• Using encryption reduced costs by $12.
• Employee training reduced costs by $8.
• If business continuity management personnel were part of the incident response team, costs fell by $7.10.
• CISO leadership lowered costs by $5.60.
• Board involvement lowered costs by $5.50.
• Cyber insurance lowered costs by $4.40.

Having an assured and well-prepared management response has a definite impact on the bottom-line cost of any cyber security breach. As Caleb Barlow darkly warned: “You don’t have days to respond. You don’t even have hours. You have minutes to get your act together.”

Cyber breach cost increases:
• Bringing in outside consultants added $4.50 per record.
• Lost or stolen devices added $9 per record on average.
• Third party involvement as the cause of a breach increased the average per-record breach cost by $16 (from $154 to $170).

The time taken to detect and contain a breach also proved a significant factor in the final cost:
• Respondents took 256 days on average to spot a breach caused by a malicious attacker – and 82 days to contain it.
• Breaches caused by system glitches took 173 days to spot – and 60 days to contain.
• Human error breaches took an average of 158 days to notice – and 57 days to contain.

With cyber security a major thorn in the side of business and an increasingly sophisticated route to damaging trust and reputation, no organisation of any size can afford not to have (a) reviewed the security of its estate and (b) taken steps to develop relevant and up-to-date policies and measures to safeguard its digital assets, sharing these regularly with the Board.

Additionally, and crucially, as our Head of Technology & Governance JP Norman reminds us: “The reputational and financial losses quoted are without the EU Data Directive changes on the way, which will enable fines of up to 5% of global turnover. CIOs need to ensure their boards are aware of the potential financial risks that are likely to be in place by late 2016”.


Data breaches widen – sort out your house or be damned

The Information Commissioner’s Office (ICO) has just reported a 25% increase in data breaches in Q3, continuing an upward trend. Types of breach include personal information disclosed in error, lost or stolen paperwork, and loss of hardware containing sensitive information. The shame is that, with proper data handling procedures and staff training, these errors are almost wholly preventable. With ICO fines of up to £500k, the countermeasures required are neither onerous nor expensive for businesses. Breaches have taken place across the public and private sectors, with the UK’s greatest sinner being healthcare, which accounts for 38% of all reported breaches. With 2014 being the year that the proposed EU Data Directive comes into force, organisations will rightly face greater scrutiny over how they handle data. Our advice to business is to get your house in order: review your data handling and data storage processes and rectify the gaps before you face commercial loss, bad PR fallout, and possibly the anger of the ICO and a hefty fine.