Look Inside Your Company to Prevent Costly Data Breaches

By Linda Park, Senior Product Marketing Manager, Symantec Corp.

The emphasis on business security seems to be increasing just as cyber threats themselves seem to be popping up like weeds. And many organizations are working hard to keep the bad guys out, and keep their information safe within the walls of the network. Data breaches are serious problems, costing some businesses millions of dollars in damages each year. But knowing these threats exist is one thing; understanding them is another. And while the external attacks are the ones making the news, what about data breaches caused by insiders?

In order to get a better picture of just how data breaches are affecting businesses, Symantec and the Ponemon Institute have been tracking the cost of these breaches for eight years. The recent 2013 Cost of a Data Breach study reiterated the importance of protecting businesses from potential breaches both inside and outside the organization.

Major Factors Causing Data Breaches

Perhaps the most significant finding of the latest report is that globally about two-thirds of all breaches (64 percent) are actually due to internal causes, specifically human factors combined with system glitches. In some instances this is a simple case of employee error that leads to information exposure, as well as willful disregard for company policy and industry regulations. The proportion of internal/external factors did vary significantly among the nine different countries studied, with Germany seeing just over half of breaches caused by internal factors, contrasted with Brazil, where they contributed to 78 percent of breaches.

Overall, the risks to data breaches originating within companies has increased by 22 percent in the years since the inception of the Cost of a Data Breach study. One contributing factor to this problem is a lack of knowledge on the part of employees regarding acceptable practices surrounding company information. A related survey showed that half of employees leaving jobs over the past year took confidential information when they left. And nearly that many actually admitted that they intended to use this information at their new companies, which oftentimes is a competitor. In many cases this type of data compromise begins by sending files outside the network to personal webmail or cloud storage, which 62 percent of employees did not feel was wrong. Even if these employees never do anything with the information, the majority never delete it.

Data Breach Costs and Factors

In the end, each compromised record caused by insider mistakes costs the company an average of $117. In the U.S. it is even more expensive, at $159, although on a positive note we’re seeing a slight decrease in cost from previous years. This might indicate that businesses are waking up and learning from past mistakes, implementing improved data protection in their organizations. Meanwhile, errors that are caused by malicious attacks are even more expensive. Regardless of the cause, however, data breaches are still costing companies a lot of money.

The CODB study was able to isolate seven factors within a company that had an effect, for better or for worse, on the per capita cost of a data breach. Overall, the single factor driving up costs the most was errors by third parties such as vendors and business partners. The next most significant factor was having devices stolen — this included mobile devices such as laptops, smartphones and tablets, but also takes into account desktops and servers.

On the other hand, the single factor that had the greatest influence on reducing the cost of a data breach was the company having a strong security posture when the data breach occurred. Having an incident management plan also played a large role in keeping data breach costs down. In addition, simply having a Chief Information Security Officer (CISO) appointed helps centralize information protection and helped minimize data breach costs. And finally, taking advantage of consultants to help with data breach preparedness and response also made a positive impact on reducing costs.

To apply these findings into your business, Symantec recommends educating employees on the reality of data breaches and how to handle sensitive data. This training should be supplemented by deploying security solutions such as data loss prevention (DLP) that can help identify where confidential information is in the company and keep it from leaving. Encryption and authentication tools will further strengthen information protection. Finally, developing a response plan, including notifications of those affected by the breach can help keep costs at a minimum.

For organizations wondering what impact a data breach would have on their company, Symantec has developed a tool at www.databreachcalculator.com. The Cost of a Data Breach report and related resources can also be downloaded from the Symantec website.

About the author

Linda Park is focused on product marketing for Symantec’s Data Loss Prevention solutions. With more than 13 years of high tech experience, Park joined Symantec in 2008. Prior to Symantec, Park was a consultant and marketing manager at IBM Corporation. Park received a bachelor’s degree in Computer Science and Economics from Duke University.