Data breaches are expensive—and exhausting
Okay, this isn’t something we learned at NetDiligence, but it is certainly something we learned more about.
The 2017 NetDiligence Cyber Claims Study points out a lot of interesting metrics related to incident response and the costs incurred. The study found the average cost of a data breach from 2014 to 2017 was $394,000, with the business sector filing the largest number of claims, followed by healthcare, financial and retail organizations. The sectors with the highest average cost per breach were retail, at $1 million, and telecommunications, at $666,000.
The most common causes of data breaches in their survey were hackers, malware and viruses, ransomware and cyber extortion, and staff mistakes. Interestingly, business email compromise and wire transfer fraud made it onto the list for the first time, and lost or stolen device claims doubled in 2017. Anecdotally, the emergence of wire transfer fraud is a rising concern among insurance, legal, and forensics experts as well.
Of the records exposed across the claims in the study, hackers and malware accounted for 99%, a combined 624,242,076 records from 2014 to 2017. The vast majority of the exposed records were within the retail industry at 67%, followed by healthcare at 18% and financial services at 14%.
All of this information allows us to paint a picture of how data breaches affect businesses. Not only is the cost and number of records exposed a major issue, but the duration of the incident also dramatically impacts a business’ ability to function normally and at full capacity. A white paper by Corax and Clyde & Co was presented at the conference and found that after a data breach, the median duration of the event is 78 days. While many cases are cleared up in a much shorter amount of time, this figure demonstrates the extensive nature of these breaches.
Take advantage of out-of-the-box security and privacy features
Office 365 compromises were a hot topic of conversation throughout NetDiligence. During a panel discussion, Tetra Defense President Cindy Murphy was asked why she thinks so many compromises take place within the platform. She jokingly responded, “Well, the most popular kid always draws the most attention.” Fellow panelist David Nides of KPMG elaborated to stress the under-utilization of stock security and privacy measures, such as two-factor authentication. Two-factor authentication is not enabled automatically, but turning it on significantly reduces the risk of an account takeover from a phished or reused password. A simple text message to a registered cell phone number after the password login can avoid thousands of dollars in losses and records exposed; an authenticator app or hardware security key is stronger still, since SMS codes can be intercepted by SIM swapping or relayed through a phishing page, so prefer those where the platform and the user base allow it.
Train and retrain internally
After discussing two-factor authentication, the natural follow-up concern is pushback from internal team members and stakeholders for the inconvenience caused by using those safeguards. While it may be easy to disregard the security features altogether, it is crucial to present them as a requirement, not an option. Effectively navigating these internal struggles can be tricky, but several panelists across several sessions pointed out that routine and repeated internal training is one of the only ways to increase cybersecurity awareness and understanding within your company culture.
Training needs to address not only security protocols, but also best practices for recognizing questionable activity. A common topic throughout the conference was business email compromise and how readily team members click on and engage with fraudulent messages. Whether it’s an email alert that a new pay stub is available or a rushed message from the “CEO” requesting an immediate wire transfer, employees need to be equipped with the knowledge and best practices to identify these attempted attacks.
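The two lures above (a fake pay stub notice and a rushed “CEO” wire request) share a few header-level tells that a mail gateway or a triage script can check before a human ever reads the message: an executive’s display name on an address that is not theirs, a Reply-To that would redirect replies to another domain, the corporate domain embedded in a longer lookalike domain, and urgency paired with a payment request. The script below is an added example written for this post, not code from the page, from Tetra Defense or from the conference; the corporate domain `example.com`, the executive roster and the three sample messages are constructed for illustration.

```python
"""Flag e-mails with the hallmarks of business email compromise (BEC).

Added example. The corporate domain, the executive roster and the sample
messages below are constructed for illustration, not real traffic.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed roster: display name -> real address

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details|gift cards?)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single or multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def bec_indicators(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Display-name spoofing: a known executive's name on an address that
    #    is not the one on the roster.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' used with foreign address {addr}")

    # 2. Reply-To redirection: a reply would leave the From domain.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(addr)}")

    # 3. Lookalike sender domain: the corporate domain embedded in a longer
    #    domain such as example.com.attacker.net.
    if CORP_DOMAIN in _domain(addr) and _domain(addr) != CORP_DOMAIN:
        findings.append(f"lookalike sender domain {_domain(addr)}")

    # 4. Urgency combined with a payment or wire request in subject or body.
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent payment or wire request")

    return findings


# Constructed sample messages (not real traffic).
CEO_FRAUD = """\
From: Jane Doe <jane.doe@gmail-mail.com>
Reply-To: jane.doe@gmail-mail.com
To: ap@example.com
Subject: Urgent wire needed today

Are you at your desk? I need a wire transfer sent immediately, I am in a meeting.
"""

PAYSTUB_PHISH = """\
From: Payroll <noreply@example.com.payroll-notice.net>
To: staff@example.com
Subject: Your new pay stub is available

Log in immediately to review your updated pay stub.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget

Please send me the Q3 numbers when you get a chance.
"""


def triage(messages: dict[str, str]) -> dict[str, list[str]]:
    """Run the indicator checks over a batch and return findings per message."""
    return {label: bec_indicators(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    batch = {"ceo_fraud": CEO_FRAUD, "paystub": PAYSTUB_PHISH, "legit": LEGIT}
    for label, hits in triage(batch).items():
        print(label, "->", hits or "clean")
```

The checks are deliberately header- and keyword-based so they run without any reputation service; in practice they sit in front of, not instead of, SPF/DKIM/DMARC evaluation, and the roster of protected names would come from the directory rather than a literal. A message that trips indicator 1 or 2 is a good candidate for the kind of “what did the attacker try” show-and-tell the panelists describe below.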
Internal training is especially important in relation to turnover. When team members leave the company, current employees’ workloads may change and they may receive new responsibilities. These new responsibilities may lead to more technological involvement or access. If the employee has not completed cybersecurity training since they joined the company, they may not be aware of the latest threats and protocols.
Some panelists throughout the conference discussed the idea of gamifying or incentivizing employees when they identify an attempted attack. Cindy Murphy discussed this on her panel. “At (Tetra),” she said, “we all view it as kind of a game to identify email phishing and attempted attacks. Everyone gathers around to see what they found and how the attackers tried to weasel their way in.”
Time is of the essence
Too often we hear about a data breach that was first recognized days before the client’s attorney or cyber insurance provider was notified. Every day of delay widens the scope of the breach, because it gives the bad actors more time to cover their tracks, move further into the environment, or disappear altogether. Reasons for this behavior include disbelief, fear of repercussions, and guilt if the person who first identified the breach somehow enabled it. Regardless, it is crucial to notify your legal counsel and/or your cyber insurance provider immediately. For those who do not have cyber insurance, immediate notification of legal counsel or an incident response team is still crucial and will likely reduce the overall cost of the breach when all is said and done.
If you cost a company money, it’s annoying. If you cost a company their reputation, it’s over.
This was another anecdote that surfaced several times throughout the conference. A lot of conversation revolved around the cost of business interruption and the breach itself; however, more than one panelist and speaker drove home the importance of brand reputation. At the end of the day, if a business is breached, it is crucial to manage the situation efficiently, thoroughly, and responsibly. If the business misreports the extent of the breach, blanket notifies all customers even if they don’t need to, or hunkers down and doesn’t disclose any information, the business runs the risk of severely damaging the brand’s reputation.
While financial costs are substantial and serious, revenue can still be generated once the incident response has run its course. However, if the business missteps, the potential harm to the brand’s reputation may be irreversible.
It’s not the waking, it’s the rising.
In any profession, it’s easy to fall into a routine, take the path of least resistance, make sure the bosses are happy, and not rock the boat. This year’s Santa Monica session of the NetDiligence Cyber Risk Summit kicked off with a simple message from a new Hozier lyric—it’s not the waking, it’s the rising. In the world of cybercrime, cryptocurrency, and coverage against it, we all expected to hear about the latest trends, statistics and defenses. Instead, Jeremy Barnett of NAS Insurance delivered an inspiring message challenging everyone in the room to take things one step further to elevate the work we do every day.
He emphasized that we all have one primary goal–to help our clients respond to and recover from cyberattacks. But to elevate our efforts, he charged us with the objective to fight back—to develop better safeguards, better coverage, and better outcomes—because as he put it, “someone’s got to do it.”
To a room filled with attorneys, insurance brokers and underwriters, and digital forensics experts, his message hit home. While we do our absolute best to respond to ransomware and hacking attacks, we can always do more to prevent and lessen the impact of these attacks. Because, after all, it’s not the waking, it’s the rising.