SoylentNews is people

posted by Fnord666 on Sunday November 04 2018, @02:37PM   Printer-friendly
from the don't-be-an-Equifax dept.

Submitted via IRC for chromas

The true cost of a data breach

From the implementation of the General Data Protection Regulation (GDPR) back in May, which fundamentally changed the rulebook for storing the data of EU citizens, to the Butlin's hack, 2018 has been a very significant year for cybersecurity.

One of the biggest changes centred around transparency, specifically businesses being forced to reveal within 72 hours if they have suffered a breach. While the US has had this type of policy for a while, businesses in the EU were not required to publicly state when a breach occurred, leaving them free to keep significant news like this from their customers. Now that things have changed, it's starting to heat up in the EU.

The first thing anyone thinks of when considering the cost of something is how it can be calculated in monetary value. Up until now, it's been difficult to pinpoint the exact cost of a data breach, given that many companies are not too willing to unveil the money they've spent cleaning up the mess left behind after being hit, or the drop in their sales figures. There are some indications, though, that can help give guidance. Studies such as the Ponemon Institute's annual Cost of a Data Breach report aim to paint a clearer picture, indicating that the average cost is currently $3.62 million globally ($141 for each piece of data) and as much as $7.35 million in the US.

[...] As well as business suffering from a clear financial hit, the transparency aspect of GDPR has increased the potential for companies to suffer reputationally as well. As consumers become more aware of the increasing number of breaches out there, they are starting to understand they have the power in the relationship, particularly with GDPR enabling points like the ‘right to be forgotten’.

Companies need to realise that if they get breached, consumers will simply go to another brand they consider to be more secure. Take the case of TalkTalk as a great example. Following its well-publicised data breach, the company lost around 100,000 customers, who simply deemed that they could not trust the business to keep their details safe. In this case the CEO also had to step down, a consequence that is becoming increasingly common, with senior management usually in the firing line when a breach occurs.

[...] So, with regulation making things more transparent and media headlines making consumers more aware, how can businesses avoid being the next Equifax or TalkTalk?

The simple answer is that there needs to be a change of mindset when it comes to security in the business world. Businesses can no longer adopt an 'it won't happen to us' approach or a 'my perimeter can't be breached' mentality. The focus must be on securing the most sensitive data a business has at its core. Too many companies attempt to secure the outside and leave the data exposed, meaning that if a hacker were to break in, they could almost help themselves. Encrypting data at rest and in motion, securely managing and storing the encryption keys, and managing and controlling user access are vital steps for businesses to take to protect themselves.

  • (Score: 2) by PiMuNu (3823) on Monday November 05 2018, @03:40PM (#758008)

    > If one CIO slacks you destroy the livelihood of tens of thousands.

    No, the company declares bankruptcy, assets turn over to the EU and then rebrands and gets sold off. SNAFU.