Three Key Answers To Your Data Breach Questions
Verizon recently came out with its annual analysis of Data Breach Incidents Reports, and it is a must-read for at least one employee at every credit union (http://www.verizonenterprise.com/DBIR/2015/?&keyword=p6922139308&gclid=CJXf_83Z-sQCFQqOaQodiIwAyw).
How effectively you deal with data breaches is an increasingly important factor in determining your credit union’s bottom line. Verizon’s report is the best I have seen when it comes to providing an objective analysis of data breach trends. Here are my takeaways from the report:
Is greater information sharing the answer? One of the best ways to mitigate the negative consequences of data breaches is to get the word out about compromises as quickly as possible. We need more sharing of information. But rather than facilitating sharing within a given industry, the report concludes that greater emphasis has to be placed on sharing between industries that share common characteristics. In fact, it concludes that “our standard practice of organizing information-sharing groups and activities according to broad industries is less than optimal. It might even be counterproductive.” Greater inter-industry coordination is the type of mission that only government can facilitate, and it’s fraught with a host of privacy issues. We are talking about sharing information about members over an array of businesses and industries inconceivable when Gramm–Leach–Bliley was passed.
Just how much are all of these data breaches costing us? The report attempts to quantify how much data breaches cost. It estimates that the average loss for a breach of 1,000 records is between $52,000 and $87,000. However, estimates vary widely based on the size of the breach, so the report also includes a chart on page 30 giving a range of estimated costs based on the size of the breach.
Think of how valuable this information is and could be, particularly as the estimates get more accurate. For example, is it worth switching to EMV technology? Maybe, maybe not, depending on the scope and size of your potential data breach exposure. At least no one has to be groping around completely in the dark when making these decisions.
Is there anything that you can cost-effectively do to help prevent or mitigate breaches? Here is some good news. Despite all the technological sophistication that goes into carrying out and preventing data breaches, a tremendous amount of data breach protection can be achieved by educating your own workforce and being as careful as you can be about who has access to information that could facilitate data breaches. For example, the report estimates that 55% of incidents stemmed from “privilege abuse.” In addition, employees aren’t all that quick when it comes to reporting data breaches. Perhaps it’s time for those “welcome to the new job” overviews HR gives to new hires to include a talk about reporting potential phishing attacks. Another interesting factoid is that many data breaches involve compromises of software for which patches were available but not installed.