Prime Factors Blog

The Surprising Aftermath of Data Breaches

Posted by Pete Flagella on Oct 20, 2016 10:00:00 AM

Data breaches get a lot of press when reporters first get word of them, but the stories tend to drop off quickly unless the public keeps them alive. It doesn't help that these stories are written by people who often don't understand the exact nature of the breaches or their true consequences. Since reporting shapes everyone's impression of causes and consequences, it may be time to bring you more information about what actually happens after a breach.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

The Power of Ignorance

For the most part, a breach is described as an outside intruder getting into the data, which tips off the IT team so that steps can be taken to correct the problem. Customers are informed of the breach, get new credit cards issued, and change their user names and passwords. But sometimes it's not quite so straightforward. Sometimes the larger problem is detecting the breach rather than dealing with it. Yahoo is now reviled around the world for missing a data breach for 2 years — a breach that affected half a billion people. It raises the fear that other organizations, large and small, can fall victim to the same fate. There are several data breach monitoring websites, such as Leakbase, that uncover data from hacks, such as the 2012 Dropbox scandal and several attacks on entertainment sites. Websites like Leakbase have volunteers devoted to finding where stolen information may be hiding across the vast expanse of the web. Stolen data loses its value once the victims can act on it (cancel cards, change passwords), so hackers have to get to work quickly, using the data to run scams or selling it to the right buyer. Typically, this data only surfaces after it has been around long enough to be resold several times and someone inevitably posts it to the wrong website, where it is found and exposed by a legitimate source. It's to everyone's benefit that there are independent people performing this service, but it would be better if the hacked companies could detect the breach at the time it occurs.

Health is Valuable

About $5.6 billion was lost in the health industry in 2015 to hackers. Experts estimate that about $6 billion will be lost this year. These breaches affect insurance companies, patients, employees, and even visitors to the hospital cafeteria. Banner Health in Arizona recently had 3.7 million contact records compromised, and had to contact each and every person affected by mail to inform them of what happened and how they can deal with the fallout. Medical records sell extremely well on the Dark Web, mainly because the details let criminals perpetrate insurance fraud on a large scale. For those dealing with PHI and HIPAA, it's especially important to be aware of the aftermath of damages, as they have far-reaching consequences that compromise the hacked organization and all of its affiliates. Breaches can also lead to penalties and fines that a company can ill afford. The HITECH Act was designed to complement HIPAA and hold those who lose health data accountable through higher fines and public ownership of the mistake. Imagine how long it took Banner Health to coordinate informing 3.7 million people that their information was stolen. They had to issue a press release, investigate what happened, create documentation and report the details to Health and Human Services. There are literally dozens of tasks to take care of, all placing heavy demands on an industry that is already stretched to capacity.

Small Business

A merchant who knows little about technology is a hacker's dream target, and unfortunately hackers have a lot of opportunities to strike unsuspecting business owners. The average merchant does not have the time or motivation to discover exactly how credit card numbers are tokenized, and yet they face constant pressure from both the government and their customers to implement better security. The average cost of a major breach is $4 million, according to the Ponemon Institute, and it's about $86,000 for a small company. Typically this money goes to IT staff who have to fix the security that failed, which means digging into computer systems that may not have been analyzed or updated for months. Small businesses are prone to using a variety of technological tools that often were not designed to be used together, making it harder to spot where the problem lies. Even if a breach is detected the moment it occurs, a small business will still pay about $28,000 on average. As you might imagine, the costs of a breach climb higher for a medium-sized business. Even 7 days without detection can triple these numbers, so time is truly of the essence.

A Tale of Two Reputations

You may have noticed that Home Depot, Sony and Target haven't gone out of business even after their widely publicized attacks. In fact, their stocks continued to perform well despite the negative press. But that shouldn't lead you to conclude that companies can walk away from their customers without repercussions. First, these huge corporations already had the resources to devote to handling the consequences, and had the means to perform damage control fairly quickly. You likely don't have a team to mobilize like they did. It was found that customers do take security breaches into account when rating a brand, and weigh them the same way they would if the company were reputed for having poor customer service or harming the environment. Unsurprisingly, their opinion was correlated with the severity of the real-world consequences they experienced. Most of those affected in the Target scandal had to get new credit cards, as opposed to spending months trying to convince multiple officials that they are who they say they are. But 46% of businesses that were breached reported that their reputation was affected, and smaller businesses are much more likely to suffer from a loss of reputation.

Understanding Your Role

There's a lot that can be done for security, and it starts with building a better culture. Technology can be difficult to understand, but a business can't continue to rely on it if it is unable to give it the respect it demands. What's worse is that many merchants fall prey to buying solutions that are never enforced properly because they are too complex. One of the best measures a business can take is to use encryption effectively as a key element of its defense. When you have proper encryption, you do not have to let customers know that their information was stolen, even if you do suffer a hack. This is because the data isn't actually stolen if it has been encrypted: a hacker will only have access to a string of useless characters that cannot be deciphered, sold or used in a scam. Encryption satisfies the HIPAA and PCI DSS requirements, and can significantly cut down on the costs associated with a hack. Best of all, there is encryption software available that anyone can be trained to use. The bottom line is that most businesses will have a very difficult time recovering from a cyber attack, so it makes financial sense to seek out the right solution before it happens.
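To make the "string of useless characters" point concrete, here is an added example (not code from the original post, and not Prime Factors' product) that stores a customer record with AES-256-GCM using only the Go standard library. It assumes the key lives in a separate key store that is not part of the database; here that key store is a plain variable named `keyStore`, which is a stand-in for a real HSM or KMS. What a copied database would contain is only the nonce and ciphertext, and because GCM is authenticated, a record altered by the intruder, or decrypted with the wrong key, is rejected rather than silently yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredRecord is what a database dump would contain for one customer:
// a random nonce plus the AES-GCM ciphertext. The key is deliberately
// not part of it (assumption: it lives in a separate key store).
type StoredRecord struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one plaintext record with AES-256-GCM under key.
// A new random nonce is drawn per record; reusing a nonce with the same
// key would break GCM, so it is never derived from the data.
func EncryptRecord(key, plaintext []byte) (StoredRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, nil)
	return StoredRecord{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord opens a stored record. It fails (instead of returning
// garbage) if the key is wrong or a single ciphertext byte was changed.
func DecryptRecord(key []byte, rec StoredRecord) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != aead.NonceSize() {
		return nil, errors.New("stored record has a malformed nonce")
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

// ContainsPlaintext reports whether a leaked record still carries the
// given plaintext fragment in the clear (it should never be true).
func ContainsPlaintext(rec StoredRecord, fragment []byte) bool {
	return bytes.Contains(rec.Ciphertext, fragment)
}

func main() {
	// Hypothetical key store: separate from the records, never dumped with them.
	keyStore, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the card number is a well-known test value.
	record := []byte("name=Jane Doe;card=4111111111111111;dob=1980-01-01")

	stored, err := EncryptRecord(keyStore, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("what a copied database would reveal:")
	fmt.Println("  nonce      =", hex.EncodeToString(stored.Nonce))
	fmt.Println("  ciphertext =", hex.EncodeToString(stored.Ciphertext))
	fmt.Println("card number visible in dump:", ContainsPlaintext(stored, []byte("4111")))

	// Legitimate access with the key from the key store round-trips.
	plain, err := DecryptRecord(keyStore, stored)
	fmt.Printf("decrypt with real key: %q err=%v\n", plain, err)

	// Tampering or a wrong key is detected rather than producing garbage.
	stored.Ciphertext[0] ^= 0x01
	_, err = DecryptRecord(keyStore, stored)
	fmt.Println("decrypt after tampering: err =", err)
}
```

The property the post relies on holds only under the stated assumption: if the key store is copied in the same breach as the records, the ciphertext is as good as plaintext, which is why key separation and key access logging belong in the same design as the encryption itself.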

Topics: Enterprise Data Protection, encryption, data breach