Cost of data breach skyrockets: What can you do?
FYI, this story is more than a year old
Today, security should be a top priority for organisations, with data breaches are growing in number and the financial cost growing too.
According to CenturyLink, the average cost of data breach has nearly doubled in the past five years, from $6.46 million in 2010 to $12.9 million today.
Stuart Mills, CenturyLink regional director ANZ, says, “The costs aren’t just monetary. Organisations must understand the other risks including damage to reputation and leaked intellectual property.
“Customers and users place an enormous amount of trust in the companies with whom they do business. A single breach can damage that trust forever. And, if intellectual property is leaked it could sound the death knell for any organisation.”
He says, “Today, security isn’t just about basic monitoring services. Companies have far more to consider than they once did, particularly because of the rise of new technologies and business-use scenarios, like cloud and BYOD.
“Instead, security is a holistic approach to protection, prevention, and response, and it needs to encompass all aspects of technology.”
CenturyLink has identified what organisations should consider when implementing, updating, and enforcing their security policy:
The number of external threats is growing, making it imperative organisations maintain constant vigilance through a security policy that is constantly updated and enforced, CenturyLink says.
According to the company, the speed at which threats are increasing is exponential. For instance, there are millions of malware variations that enterprises must defend against, but it’s difficult for signature-based malware to keep up.
There are more distributed denial-of-services (DDoS) attacks than ever before, and they vary widely - they can be highly targeted or generic, long in duration or short.
On top of this, they mutate. There’s a new breed of DDoS attacks that use web servers as payload carrying bots, which makes them even more damaging because of exponential performance increases, CenturyLink says.
Furthermore there are application attacks, often targeted at financial systems, which can bring a company to its knees. What is significantly problematic about this is that most organisations don’t know they have been breached until long after the fact, says CenturyLink.
Employees often leak data because security policies are not enforced, CenturyLink says.
External threats are real and dangerous, but internal threats can be just as common and can be just as damaging.
Internal threats are often inadvertent, stemming from a lack of oversight as well as from disgruntled employees who leak sensitive data right after they’re fired, the company says.
When it comes to security, one key oversight is lack of training. It’s very important for employees know what the security policies are, from what devices they can use to what applications they can download, says CenturyLink.
More organisations are struggling with shadow IT, which is the use of hardware or software that is not supported or authorised by an organisation’s IT department.
Shadow IT can range from developers using various Software-as-a-Service (SaaS) platforms to employees storing corporate data in cloud storage solutions like Dropbox or Google Drive.
These solutions seem innocuous to most people, which is why employees need to receive comprehensive training about what is a security risk and what isn’t, CenturyLink says.
If an organisation isn’t compliant, it’s unlikely to be secure. Consider whether the organisation would pass a compliance audit for security and Payment Card Industry (PCI), says CenturyLink.
Complicating matters is the fact that many organisations don’t even know that governmental compliance regulations apply to them, the company says.
The right partners
More organisations are choosing to outsource security operations. However, when it comes to outsourcing security, it’s truly a buyer beware scenario, according to CenturyLink.
The first step is to understand exactly what needs protection including devices, network, applications, and data. Then, an organisation must determine which components of these are being outsourced.
The second step is to choose the right partner or partners for those specific needs. The more vendors are consolidated, the more efficient the strategy will be, CenturyLink says.
While security is expensive, not having the right security measures in place is even more expensive, according to the company.
Part of choosing the right partner comes down to understanding the balance between performance and cost. Choose a vendor who can help make the right decisions around balancing performance, effectiveness and cost, CenturyLink says.
Physical security is the protection of people, hardware, programmes, networks and data from any damage that might occur. If an organisation’s physical system isn’t secure, nothing else matters, says CenturyLink.
Yet physical security is one of the most overlooked aspects of a security strategy. The physical management of data centres includes security policies and procedures, security officer staffing, access control systems, video surveillance systems, standards compliance and physical security designs.
Make sure the data centre complies with standards and conduct annual audits, says CenturyLink.