Almost one in four Americans stop doing business with companies that have been hacked, and more than two in three people trust a company less after a data breach, ZDNet reported.
The data breach trend
Today’s economy thrives on disruption. Unless you maintain quality services and keep up with technology, you are likely to become obsolete. Blockbuster, Tower Records, and Myspace are reminders of what can happen if your business fails to adapt and evolve with technology, claims the True Passwordless Security Whitepaper.
Quality services, however, increasingly depend on securely keeping up with technology – as we shall see in a moment.
CrowdStrike’s Global Threat Report 2020 points to a snowballing number of ransomware incidents, followed by ransom demands from cybercriminals who exfiltrated data from feebly protected companies.
The ransomware-related data breaches in 2019 were particularly characterised by a nasty method that CrowdStrike describes as ‘big game hunting’. Using this method, a hacker known as ‘Gnosticplayers’ hacked companies from 2016 through 2019 and sold their data on dark web marketplaces.
The Capital One hack, as disclosed in July 2019, impacted more than 100 million Americans and six million Canadians. An investigation revealed that the suspect behind the hack illegally accessed Capital One’s AWS servers to retrieve the data, along with the data from 30 other companies.
‘Cloud blunders’ are also becoming a common reason for data breaches. This exercise, sometimes called ‘channelling-off’, usually happens when another company extracts a subset of data from a corporate key database without affecting it. A ‘cloud blunder’ typically happens when cloud services are not appropriately secured or when data moves to an outside company (e.g. to marketers) and is then stolen.
And the list goes on as data breaches become increasingly common – and more and more costly.
Consequences of a data breach
When news of a data breach at a major organisation breaks, the aftermath can be chaotic, says ZDNet. How chaotic it can become is shown by a recent study portraying the Wall Street reaction to an enterprise that suffered a data breach:
- The average share price of a company disclosing a data breach falls by 7.27%.
- The full impact may not be felt until 14 market days or more have passed.
- Share prices may rebound, but the financial health of an organisation will suffer in the long-term.
- Breached companies continue to underperform 12 months after disclosure.
- Two years later, underperformance continues at -13.27%.
- The average cost of a data breach to the enterprise is up to USD 3.29 million.
- After disclosing a data breach, Marriott was sued in a class-action lawsuit seeking USD 12.5 billion!
The costs of a data breach are attributed to four components:
- Detection and escalation: Activities that enable companies to detect and report the breach.
- Notification: The activities the company must undertake to notify people whose data has been compromised. The regulatory bodies must also be informed.
- Post data breach response: This involves the processes of helping customers communicate with the company and also the related costs of redress.
- Lost business: This is the largest single cost of a data breach and amounts to 36% of the total cost. This includes lost business (revenue loss), business disruption, systems downtime and customer acquisition.
On average, customers’ trust in a hacked company declines by more than 67% after a data breach, reveals a recent study. The data breaches of Facebook (85%), Marriott (78%), and SunTrust Banks (77%) were among the most memorable in 2018.
Almost all respondents (92%) in the cited study agree that companies are financially liable to their customers after a breach and over one in five people are unwilling to give their financial information to a company that has been hacked.
South Africa is no data breach exception
South Africa is also experiencing a disturbingly high number of data breaches with the Liberty Life data breach still being the biggest thus far. In October 2018, South Africa experienced its biggest-ever data breach in which 60 million ID details were exposed on a real estate server. The company refused a ransom demand and this breach disclosed the personal details of more than 30 million people.
Early this year, South Africa’s Nedbank suffered a data breach via a third-party service provider. The incident potentially affected 1.7 million customers.
Research by Ponemon Institute showed that a data breach costs South African companies R50 million (about USD 3m) on average. By comparison, the average data breach costs R60 million (USD 3.88m) in the UK, R73 million (USD 4.78m) in Germany and R130 million (USD 8.19m) in the United States.
Who will be next? We do not know for sure but, if the trend continues, the next data breaches will have even starker consequences.
The basic cybersecurity hygiene for preventing data breaches
At the RSA 2020 conference, Microsoft warned that 1.2 million accounts were compromised in January, almost all of which were preventable by one simple security measure. Microsoft warns that only 11% of enterprise users make use of tools such as multi-factor authentication. A staggering 89% of accounts remain open to fairly simple attacks.
Basic cybersecurity hygiene, which can prevent many attacks, includes keeping our passwords safe (e.g. by getting a password manager), developing the habit of checking before we click, and keeping our devices and software updated.
Closing any digital account that is no longer in use is one of the best ways to get rid of unnecessary worries about these accounts being hacked.
For some accounts, we can use social media (e.g. Google, Facebook, LinkedIn, or Twitter) to log in, if that option is available. This option, however, is reasonable only if we have very strong passwords for our social media accounts.
Not clicking on unknown or suspicious links, whether on websites or in emails, can save us from many troubles. It will prevent malware infection and help to keep our credentials safe. The maxim ‘better safe than sorry’ should become the order of the day.
Setting software to update automatically whenever possible is another habit that reduces the need to remember this important security task. This is particularly vital for cybersecurity applications such as firewalls and antivirus software. Also, introducing advanced cybersecurity technologies when possible (e.g. artificial intelligence) can significantly help.
Avoiding cybersecurity information overload is a way of managing cybersecurity fatigue. It is indeed easier said than done, but we should try not to read everything that is served to us daily on the Internet. For example, instead of reading about ‘55 ways to secure our digital life’, we should strive to learn more about a security topic or two per week that we can easily relate to.
Insurance can also help. In these times of technology that is still not bulletproof and of skills shortages, IT and business managers increasingly consider taking out cybersecurity insurance to protect the organisational IT budget from unforeseen cybersecurity incidents. The main benefits of cyber insurance include cover for various costs: from internal IT forensic investigation of cybersecurity incidents to recovery processes and lost income.
However, building a proactive culture, which demonstrates that cybersecurity is not solely a technological problem, is the key to preventing data breaches.
Performing even basic cybersecurity hygiene will help organisations to protect their business and reputation. More advanced cybersecurity practices, such as the ones we offer at VM Advisory, will bolster your company’s cybersecurity posture and keep your customers and business partners happy.