Costs of data theft

Last year, reports of large-scale data thefts repeatedly dominated the headlines. Probably the biggest data theft in 2015 involved the dating portal Ashley Madison. Shortly after the attack, millions of stolen records - the names and addresses of users - were published on the web.


Although the attack may have come as a great shock to the site's 37 million users, the majority of the general public increasingly seems to regard such attacks as normal. But what impact does a data leak really have? One well-known example is Sony Pictures: after falling victim to a cyberattack in 2014, the company estimated the costs incurred in the course of the data leak at the equivalent of around 31 million euros for the entire fiscal year. Repairing the damage can therefore be costly, because as a rule, restoring financial and IT systems entails additional man-hours and expenses for hardware, software and IT service providers. However, this probably only quantifies the technical side of the damage.

What are the costs of data theft?

The Ponemon Institute attempted to determine the true cost of a data leak in a study. The report quantified the costs as follows:

  • The direct costs of data theft for companies amount to an average of around 65 euros per user whose data has been compromised. If the indirect costs due to the loss of users are added, this results in an average of 125 euros per user. This is a new record of 190 euros per registered attack.
  • Data theft costs companies an average of 5.7 million euros. In 2013, the value was still at 4.6 million.
  • The amount of costs for error review and additional expenses incurred has increased from 366,000 to 542,000 euros. This suggests that costs for investigations and inquiries, review and assessment services, management of a crisis team, and communication with stakeholders and management have increased.
  • Increased expenses are also incurred after a data theft, for example for additional help desk staff shifts, processing incoming requests, investigation and recovery work, and legal expenses. These costs increased from 1.39 million to 1.42 million euros in this year's study.

There is no doubt that data theft is costly in financial terms. However, it can cost companies twice as much in lost customer trust. To avoid becoming the next victim of data theft, organizations should therefore make the security of critical and personal data a top priority.

Watch, Watch, Watch

In addition to implementing effective security structures, employers are well advised to create awareness of data security among their workforce. For hackers who want to gain possession of company data, it is often more promising to run their attacks through employees instead of through the well-protected firewall. Employers should therefore create an awareness of "social engineering" among their employees. These are manipulative attacks that can take on a variety of forms - in other words, confidence tricks applied to IT security. For example, criminals use false identities to request passwords or collect information with which they can reset passwords. Individualized phishing e-mails are the most widespread form. One such e-mail recently damaged the network of the German Bundestag to such an extent that it had to be rebuilt at a cost of millions and shut down for several days. The hacker sends a credible-looking e-mail, possibly to a large number of e-mail accounts. If even one employee clicks on the malicious link in it, the attacker gains access to the network.

There are a number of precautions companies and employees can take to protect themselves from these attacks. The number one rule for employees is to stay alert. They need to question any unexpected incoming email with attachments or links. If the content looks too good to be true, it probably is.

Zero Trust

Companies that want to protect themselves against the worst-case scenario must understand that, in principle, anyone and anything can pose a threat. This is not paranoia, but recognition that criminals have a vested financial interest in data and will exploit any gap or vulnerability that presents itself.

Against this background, every piece of hardware or software used represents a potential gateway for hackers. Companies can implement a zero-trust environment technically by implementing a firewall. The prevailing attitude that actions are trusted by default is abolished: every action is scrutinized with the same level of distrust, regardless of who performs it. Organizations must ensure that no device used by employees can access critical parts of the network or sensitive data undetected. If such an operation is discovered, it must be thoroughly investigated with the goal of remediating it.

Simple precautions for safeguarding

The general public associates data theft mainly with attacks on large organizations and governments. However, this does not mean that only these can be the target of a hacker attack. Many small and medium-sized companies have plans and documents that are highly interesting and valuable for competitors or negotiating partners at home and abroad. Many smaller companies store information from large corporations in order to process their orders. And even the smallest digital startups with just a few employees often already have thousands of credit card details stored. Companies of all sizes can therefore take a few simple precautions to protect their network:

  • Be suspicious and educate about potential security threats: Security software is the most important layer of defense against attacks. But the workforce can make an additional valuable contribution by questioning and, if necessary, reporting all suspicious incidents on the web or in the e-mail inbox.
  • Set up a zero-trust environment: It becomes much more difficult for hackers to penetrate the system and hide if relevant processes are meticulously checked as if under a microscope, regardless of which user initiated them.
  • Budget for IT security: Instead of paying for repairs, fines, legal fees, and communications after a data theft, companies should use a fraction of that amount to prevent it from happening. They need to make sure they have the necessary hardware and software in place to make data theft more difficult and prevent it from happening. The Ponemon Institute figures above can help quantify the risk and determine the amount.

Author: Wieland Alge, Vice President and General Manager EMEA at Barracuda Networks
