The latest results from the 2017 IBM and Ponemon Institute study on the cost of a data breach show a 10% decline globally but a 5% increase in the U.S.
Why is this?
- On average, it takes a company more than six months to detect a breach.
- The quicker a breach is contained (in less than 30 days), the lower the overall expense after an incident.
- Healthcare-related breaches are more expensive than other types of breaches.
- Forensics costs, notification costs, lawsuits, HIPAA settlement fines, and post-breach reputation repair and fixes all add to the expense.
- Third-party involvement is the likely cause of many breaches.
- As PCI 3.2 mandates, it is necessary to verify that third parties have strict password, authentication, and configuration policies, and physical controls, in place. Third parties should also hold a validated PCI DSS or other compliance certification that is kept up to date every year.
- Avoiding compliance or data security standards might help a business in the short term, but the long-term costs can be disastrous.
- Staying under the radar is not a good option. Deliberately avoiding applicable regulations will result in significantly higher fines if an organization is breached.
- Don’t report a breach without proper guidance or an understanding of the implications.
- You definitely don’t want to hide a breach, but get a professional to help you with the process of gathering information, reporting to authorities, documenting the incident, and so on.
Measures to lower the cost of a breach
The perfect answer, of course, is to avoid a breach in the first place. The realistic answer, given that breaches are not 100% avoidable, is to make sure your business is well equipped. A few missteps could lead to bigger blunders.
The Ponemon study says, “how quickly an organization can contain data breach incidents have a direct impact on financial consequences.”
Other factors are:
- The time taken to contain a breach has a direct bearing on the cost.
- Technology is crucial to support these areas and to shorten the time needed to detect, contain, or mitigate a breach.
- A unified set of consistent regulatory requirements is absolutely necessary to help lower overall costs.
Have a plan, just in case
An Incident Response Plan might sound unnecessary, but it’s not just for the big names. A good plan will help answer the following:
- What counts as an incident?
- How will it be contained?
- Who will handle internal and external communications?
- When should legal be involved?
- Forensics and investigation details
- Backup plans
- Business continuity plans
- And the list continues…
In addition, a risk assessment is always a good way to take into account the different areas of a business that could be affected by a disaster, whether caused by people or by nature.
Our goal at Omega is to do whatever it takes to keep businesses resilient in the face of disaster. Omega’s solutions and services address security and continuity challenges from one device, the Appliance S150. An incident response plan and a risk assessment are additional services that will keep you several steps ahead in this challenge. Call us at 618-310-5611 or email firstname.lastname@example.org.