Large-scale data breaches continue to fill the tabloids and make rounds on nightly news circuits. Various public entities, such as Target, Home Depot and Anthem, Inc., have been the victims of data breaches in recent years that were costly in terms of financial costs, records lost, and negative public perception. Ponemon Institute, an organization that conducts independent research on privacy, data protection and information security, reported in its ‘2017 Cost of Data Breach’ study that, thus far in 2017, the average data breach is estimated to cost companies $3.6M, exposing on average 24,000 records.
The increasing amount of information and data contained on cyber networks gives cyber criminals continued opportunity for data breaches and access to information they have not had in previous years. A study performed by DXC Technology (formerly CSC, a digital IT services and solutions company) projects that over one-third of all data will either live in or pass through the cloud by 2020. It’s no surprise that with the increased reliance on and utilization of cyber networks comes an increase in potential data breaches and cyberattacks. A study performed by Audit Analytics suggests that this increased opportunity is being acted on, as there were 60 data breaches during 2016, compared to only 38 in 2012. Given the conclusions of these studies, you might ask if companies are doing enough to protect against future potential data breaches.
Publicly traded entities have slowly begun implementing various measures to reduce their exposure to data breaches, including appointing cybersecurity experts as directors of the company, as well as implementing incident response teams designed to eliminate or mitigate potential cyberattacks. The aforementioned Ponemon study suggests having board involvement in cybersecurity matters reduces the average cost of a breach by 3%, while the implementation of an incident response team can reduce the average cost of a breach by 13%. In 2016, there were 23 appointments of new directors with cybersecurity experience, compared to only 5 in 2012.
Although having experienced cybersecurity directors is one way to help mitigate risk and reduce costs of potential breaches, it is important to have a company-wide policy to educate employees and stress the importance of being vigilant in detecting and communicating cybersecurity threats. In general, companies still appear to be reactive regarding these threats, as opposed to being proactive. What kind of “active” will you be when it comes to protecting your company?