How Much Does a Data Breach Actually Cost?

The average cost of a data breach involving fewer than 10,000 records was $5 million

The American public has become so inured to data breaches that it’s difficult to remember them all. Infamous breaches like the ones at Target and Sony become almost forgettable when confronted with the recently disclosed half-billion accounts compromised at Yahoo in 2014.

The numbers are simply staggering. It is estimated that over 900 million records of personally identifiable information (PII) have been stolen in the U.S. over the past few years. Keeping track of all the hacks and when they happened may require complex data visualization.

But while the public memory of these events may be fuzzy, the cost for the organizations involved is not. When a data breach happens, executives lose their jobs and billion-dollar mergers are put in jeopardy. And the underlying reason these drastic steps occur is because data breaches cost organizations enormous sums of money to fix.


What’s the cost of a data breach?

Given the large numbers involved, it can seem a challenge to attempt to calculate the total price tag of a widespread data breach. It is, however, possible to review the data and establish some benchmarks, as has been done in the 2016 Data Breach Study by the Ponemon Institute and IBM.

According to the report, the total average cost for a breach is $7 million. Only in 2011 was there a higher average cost, $7.24 million. Unfortunately, this year saw the highest average cost per record, costing companies an average of $221 per compromised record.

Looking at that number more closely yields an important piece of information—companies spend more on the indirect costs than direct costs of a data breach.

In this case, direct costs refer to the amount spent to minimize the consequences of a data breach and to assist victims. Indirect costs are defined as the amount spent on existing internal resources to deal with the data breach.

Using that measure, only $76 per record represents the direct cost to the organization, including items such as legal fees and technological investments. The far greater portion, $145, reflects the indirect costs of a data breach, including the damage to an organization’s reputation and increased customer churn rate.

Certain industries are more vulnerable to churn and, consequently, have higher data breach costs. Financial, healthcare, technology, life sciences and service companies all experience higher churn rates after a breach. Heavily regulated industries such as insurance also suffer higher costs than average. Knowing this helps explain why these industries put so much investment in securing their information.

It’s clear customers value their personal data and hesitate to do business with an organization that cannot keep it secure. With this in mind, the first order of business for an organization that suffers a data breach is to move to retain and regain its customers’ trust.


Data breaches are more common than you think

While big hacks like the ones at Yahoo, Sony, and Target grab the headlines and public attention, data breaches have become so commonplace that many never reach a wider public audience.

That’s because the 500 million accounts hacked at Yahoo in 2014 easily overshadow the 2016 average data breach size of 29,611 records. The number of records per typical incident this year ranges from 5,125 to 101,520.

Knowing these numbers gives a sense of relative scale, and when it comes to measuring the cost of a data breach, size matters. It’s intuitive and true—the more records lost, the higher the cost.

According to the same Ponemon study, the average cost of a data breach involving fewer than 10,000 records was nearly $5 million, while a breach of more than 50,000 records had an average cost of $13 million.

Reviewing the numbers, it’s clear data breaches are a real and growing financial threat to businesses. The good news is it is a cost that can be avoided with a proactive investment in cybersecurity measures. Knowing the potential and average cost also gives business owners an idea of how much to budget to secure their information.


This article was originally featured in NetworkWorld.
Image credit: Thinkstock

Towerwall CEO Michelle Drolet Voted “Outstanding Woman” by Worcester Business Journal

This year’s winners represent “the best of what professionals in the region can be”

BOSTON – October 25, 2016 – Towerwall (www.towerwall.com), a data security services provider for small to mid-size businesses, today announced that its founder and CEO Michelle Drolet was voted, alongside six other local business leaders, one of the “2016 Outstanding Women in Business” by the Worcester Business Journal.

“The winners were selected on their career achievements, ability to transcend both male- and female-dominated professions, their contributions to the Central Massachusetts community, and their mentorship of young professionals in the region,” reported the Journal.

Founded in 1993 and based in Framingham, Massachusetts, Towerwall provides organizations such as AMG, Middlesex Savings Bank, Becker College, CannaCare, Allegro MicroSystems and Smith & Wesson, with IT security technology services required for secure business-class networks.

A community activist, Michelle Drolet received a citation from State Senator Karen Spilka for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She has also been involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, a girls’ mentorship program, and the Athena Award.

Michelle is the Co-founder of the Information Security Summit at Mass Bay Community College, now in its fourth year. She publishes a monthly column in Network World called “InfoSec at your Service,” offering strategies to help organizations achieve security integrity. Her articles have also appeared in Cloud Computing, SC Magazine, Wired.com and Worcester Business Journal.

“WBJ strives to use this honor for social change, by showcasing the power of women in business. As the long-time underrepresented gender in the professional world, it remains vital to the causes of gender equality and economic growth (since businesses with better female representation in leadership positions typically outperform those without) that we hold up examples for men and women to follow.”

WBJ will host their Outstanding Women in Business luncheon Nov. 18 at Tuckerman Hall in Worcester.

For more information on the 2016 Women in Business honorees, please visit: http://www.wbjournal.com/article/20161024/PRINTEDITION/310219995/1002


About Towerwall

Founded in 1993 and based in Framingham, Massachusetts, Towerwall provides organizations such as AMG, Middlesex Savings Bank, Becker College, CannaCare, Allegro MicroSystems and Smith & Wesson with the IT security technology services required for secure business-class networks. Strategic partnerships with Sophos, Varonis, AlienVault, Websense, Snoopwall, Qualys, and many other nationally recognized security vendors allow Towerwall to offer its customers an integrated approach to solving their security needs by coupling best-of-breed technology with top-notch integration services. For more information please call (774) 204-0700 or email us at info@towerwall.com.


Media Contact:

Victor Cruz
Principal, MediaPR
vcruz@mediapr.net

Towerwall named Cyber Security Leader 2016 by Cyber Defense Magazine

We are honored to be named a Cyber Security Leader 2016 by Cyber Defense Magazine

We are excited to share the list with other worthy leaders in cyber security.

For nearly 25 years, our dedicated team of professionals has helped scores of companies safeguard their data and leverage their investment in IT with advanced information security solutions and services. Call me today to personally discuss your security needs and schedule a free assessment.

– Michelle Drolet
md@towerwall.com
774.204.0700

Watch our recent webinar: Ransomware Today

Last week we hosted an informative webinar on today’s ransomware threats with our security partner Sophos. Watch a recording of the webinar below.

I am sure you are seeing the explosion of ransomware in the headlines. Businesses of every size are targets, and analysts estimate ransomware is on pace to be a $1B/year crime in 2016. Sophos Intercept X is the vendor’s newly released anti-exploit tool, which stops hackers at the door and prevents zero-day attacks and exploits before they hit your system. Intercept X is designed to run alongside your existing AV and improve protection against advanced threats.

Watch the Webinar

10 Things I Know About: Pot Compliance

10) Nothing hazy about the laws

Marijuana (or cannabis) is one of the most highly regulated industries in the world, and Massachusetts has the strictest rules governing its production, retail, cultivation, testing and security operations.

9) You can be raided

Marijuana businesses must comply with federal, state, city and county regulations and requirements. Despite medical-use legality in the commonwealth, the U.S. Drug Enforcement Agency can raid a registered dispensary at will since the plant is classified Schedule I, illegal at the federal level. Insurers have lined up to offer raid insurance.

8) Schedule 1 defined

Despite university research proving its medicinal benefits, pot is still classified Schedule 1, defined as “drugs with no currently accepted medical use and a high potential for abuse.” Other Schedule 1 drugs include heroin, LSD and ecstasy.

7) Banking on smoke

Although difficult to find, more than 300 state banks and credit unions are banking marijuana businesses. In 2015, marijuana sales exceeded $5 billion.

6) Roll your own democracy

Currently, four states (Colorado, Alaska, Oregon and Washington) have made the drug legal for recreational use and 24 more states say that it can be used for medical purposes. Eight states including Massachusetts will consider various forms of marijuana legalization in ballots this November. The Democratic Party endorsed a pathway to legalization and a rescheduling of marijuana to a Schedule II substance.

5) The top dispensary infraction

Marijuana product and inventory are not reconciled daily to account for all variances.

4) The top cultivation infraction

The facility is missing required information in its standard operating procedures.

3) The top edibles infraction

The facility does not hold all permits required for operation.

2) Rolling organic

Colorado has recalled more than 100,000 marijuana edibles due to prohibited pesticide use. Massachusetts requires organically grown pot.

1) Full compliance

Marijuana business operations must comply with federal agency rules, even though cannabis firms are not federally supported.

This article was originally posted in the Worcester Business Journal.

Join us for our inaugural InfoSec at Your Services Meetup – Wednesday, October 19, 2016

Join us for our inaugural InfoSec at Your Services Meetup!


When:

Wednesday, October 19, 2016
6:30 PM to 8:00 PM

Where:

Margaritas Mexican Restaurant
725 Cochituate Rd, Framingham, MA

We will discuss:

Risk Communication Strategy – The biggest risk is the uncommunicated one. Hoarding knowledge doesn’t make you the smartest person in the room.

You will learn:

  • Teach Employees Signs to Look For (October is User Awareness Month)
  • Set a Company-Wide Policy (Share with everyone)
  • Implement a High-Quality Spam Filter (Talk about Phishing)
  • Keep Your Systems Up-to-Date (Patch)
  • Run Anti-Virus/Malware Software
  • Use Two-Factor Authentication (more is better)


Upcoming Complimentary Partner Webinars

Check out one of the upcoming complimentary partner webinars:

Brute Force Attacks: Keeping the Bots at Bay with AlienVault USM

Tuesday, October 11th, 10:00 AM CST / 4:00 PM BST
Hosted by AlienVault

Brute force attacks are relatively simple for attackers to implement and they can wreak havoc on your organization if you don’t detect them and shut them down quickly. Join us for a live demo, where we’ll demonstrate a brute force attack (simulated, of course!) and show how AlienVault USM can help you detect and investigate these types of attacks.



Sophos Ransomware Webinar

Wednesday, October 12, 2016 11:00 AM – 12:00 PM EDT
Hosted by Towerwall and Sophos

I am sure you are seeing the explosion of ransomware in the headlines. Businesses of every size are targets, and analysts estimate ransomware is on pace to be a $1B/year crime in 2016. Sophos Intercept X is the vendor’s newly released anti-exploit tool, which stops hackers at the door and prevents zero-day attacks and exploits before they hit your system. Intercept X is designed to run alongside your existing AV and improve protection against advanced threats.


Varonis Product Demo: New Features to Face New Threats

Thursday, October 13th, 2:00 PM EDT
Online Advanced TechTalk

Join us for a free live webcast to find out how Varonis gives you full visibility and control of your enterprise data. This live demo will explore Varonis products, walk you through the latest features (there are plenty), and show you how Varonis can help take your file security and analysis to the next level.



A Checklist for PCI Compliance

Thursday, October 20th, 9:00 AM EDT
Varonis CPE Educational Webinar

100+ pages of PCI DSS 3.2 are anything but easy to comb through. We will discuss a new approach to understanding PCI DSS 3.2 compliance and provide you with the tools needed to build an airtight PCI program. Did we mention we’ll assign 1 ISC2 CPE credit to each attendee?



SnoopWall Bi-Weekly Demo Webinar

Bi-Weekly Demo
Hosted by SnoopWall

SnoopWall runs a bi-weekly demo, open to our partners and their customers, that features a high-level overview of the features and functionality of the NetSHIELD NAC appliance. The demo covers breach prevention, proactive detection and isolation of rogue and malware-infected assets, auditing for vulnerabilities, and management of remote NetSHIELD NAC appliances.

Always be Prepared: Monitor, Analyze and Test your Security

Stay vigilant, plan your response and test your defenses with CIS Controls 18, 19 and 20


This is the final entry in our series on the 20 Critical Security Controls devised by the Center for Internet Security (CIS) as best practices to help the public and private sectors tighten their cybersecurity.

We started down the path of building a solid security foundation by taking inventory of hardware and software, we looked at vulnerability assessment and administrative privileges, and we discussed how to build malware defenses. We also explored how to create a data recovery plan, how to protect your data, and the importance of monitoring and training employees.

We’ve reached the last three Critical Security Controls, so this article will round off our series with a look at the importance of monitoring software, establishing a response protocol, and conducting pen tests and red team exercises.


Critical Control 18: Application Software Security

Vulnerabilities in software offer a potential route into your organization for attackers. Vulnerabilities can be caused by a wide variety of different errors, so you have to take steps to prevent them, detect them and correct them.

When a vulnerability is present in open-source software, it’s more likely to become common knowledge and be exploited by attackers. Consider that 93 percent of organizations use open-source software, and 78 percent run part or all of their operations on it, according to The Tenth Annual Future of Open Source Survey.


It’s vital to ensure that all the software you use is fully updated to the latest version and patched with the latest security fixes. Web application firewalls should be deployed to inspect traffic and identify common attacks. In-house and third-party software must be stringently tested to identify security weaknesses. Avoid exposing error messages to end users, and don’t allow developers unmonitored access to production environments. Your developers should ideally have some training in secure coding. A great resource to learn more about web application security is OWASP.

Critical Control 19: Incident Response and Management

Assuming you can completely block all attacks is not realistic, no matter how many resources you devote to security. Incidents will occur from time to time, so you must have a framework in place to discover them, contain the damage, purge the attacker and restore your systems. Far too many companies find vulnerabilities or suspicious activity, but they fail to take action swiftly enough to limit the damage.

You need a clear incident response plan with procedures to follow and a hierarchy of roles assigned so that everyone understands their responsibilities. Make sure the key players are empowered to take the necessary actions to deal with an incident. You should also establish standards to ensure that incidents are reported in detail in a timely manner and meet all legal and regulatory requirements. All employees should be aware of who needs to know about an incident, both internally and externally, for it to be resolved. When you have a plan in place, test it with a mock scenario to ensure it works as expected.


Critical Control 20: Penetration Tests and Red Team Exercises

The only way to be sure your defenses work is to simulate real-world scenarios and emulate a cyber attack. Hire someone to play the part of an attacker, and have them try to gain access to your systems and data. An experienced security professional can view your organization as an attacker might and find the weak spots to exploit. This will help you to find gaps that need to be plugged.

Internal and external penetration testing should reveal vulnerabilities that attackers might use to breach your systems. With a clear demonstration of where a problem lies, you can plan mitigation. Red team exercises take a holistic view of your defenses, including your policies and processes, to identify where improvements might be made. Both penetration tests and red team exercises should be conducted regularly, and the results should show a steady improvement over time. Always be careful to tidy up afterwards and keep the results confidential.

Your security has to evolve over time because attackers are constantly developing new methods and finding new ways in. Your security standards and your response plan depend upon monitoring, analysis and testing to be truly effective.

We hope this CIS Critical Security Controls series has been useful for you as an introduction to security standards. Follow these best practices, and you can dramatically reduce your potential attack surface and make life much harder for any would-be attacker.


This article was originally posted on NetworkWorld.
Image courtesy of Victor Cruz

Join Towerwall & Sophos for a Ransomware Webinar

Wednesday, October 12, 2016 11:00 AM – 12:00 PM EDT

Hosted by Towerwall and Sophos

I am sure you are seeing the explosion of ransomware in the headlines. Businesses of every size are targets, and analysts estimate ransomware is on pace to be a $1B/year crime in 2016. Sophos Intercept X is the vendor’s newly released anti-exploit tool, which stops hackers at the door and prevents zero-day attacks and exploits before they hit your system. Intercept X is designed to run alongside your existing AV and improve protection against advanced threats.