Do You TRUST an Organization After it Suffers a Breach?

In the last couple of years, there has been a continual stream of concerning data security breaches. In fact, the Ponemon Institute Data Breach report recently published in July 2018 highlighted that the average cost of a data breach has hit an all-time high of $3.86m, increasing by 10% since 2014.

For the first time it also reported on costs associated with a mega breach (ranging from one million to 50 million records lost) stating that the cost of these types of breaches has nearly doubled in the past five years.

However, according to the report, the hidden or indirect costs of a breach, including notifying customers and then subsequent loss of business, frequently far outweighed the direct costs of fines and legal undertakings. Knowing where these costs lie and how to reduce them is critical to lowering the overall cost of a breach.

How loss of customer trust impacts the ‘total cost of a breach’ 
Harder to measure is the impact a breach has on customer trust. When notified that their data has been breached, how do customers feel about the brand and what impact does this have on loyalty? 

The report identified that loss of customer trust can translate to serious financial consequences. For example, companies that lost less than 1% of existing customers incurred an average total cost of $2.8m (£2.1m), while companies that experienced a churn rate of greater than 4% lost $6m (£4.5m) on average. 

However, evidence shows that those organizations that have worked to improve customer trust both in advance and in the aftermath of a data breach have reduced the number of lost customers, ultimately reducing the cost of the breach.

For example, when a business deployed a senior-level leader, such as a chief privacy officer (CPO) or chief information security officer (CISO), to direct customer trust initiatives, they lost fewer customers and, again, minimized the financial consequences of a breach. Additionally, organizations that offered identity protection to data-breach victims kept more customers than those that did not. 

Human error is a major cause of data breaches
Returning to the report, it showed that not all breaches are down to hackers or technology going wrong; over a quarter (27%) were caused by human error – either negligent employees or contractors.

So how does this happen? Take email, for example. It is one of the most relied-upon methods of communication by businesses globally, with around 269 billion emails sent every day. Given our reliance on email and the fact the technology was developed decades ago, you would probably expect organizations to have perfected their email security measures.

Well, the reality is very different. Here at Egress we have undertaken countless surveys into user behavior and when we ask them to share times when they’ve sent an email to the wrong person, we are inundated with real-life examples.

Sometimes users are simply left embarrassed, but there are an alarming number of users exposing personal and corporate data to unauthorized access. What’s worrying is that this mistake is so easy to make. Think about your own experience – how many times have you sent an email in error to the wrong recipient?

Often, a user’s best defense has been to send an Outlook recall or similar message. However, when we consider the types of data employees share both internally and externally, simply asking someone not to read an email really isn’t good enough.

What’s more, email isn’t the only way employees can share information with unauthorized recipients, both accidentally and maliciously. 

In an attempt to combat the rise of shadow IT and specifically as a response to internet file sharing applications, businesses have tried to lock down access to external sites. Yet, for many organizations, this is a Catch 22: you need communication channels to be available for work processes yet in doing so you could expose your organization to risk.

Plus, if experience has taught us anything, it is that the user will always find a way to share information - even if it isn’t necessarily approved by the business.

Putting the user at the heart of data security
So what is the answer? The first step in solving this problem is to put users at the heart of data security. Technologies and methods of communication are continually changing but users (and their abilities to make mistakes!) remain constant.

By taking a user-centric approach, organizations can wrap security technology and measures around a user to provide a safety net for when they inevitably make mistakes. This needs to be more than just training, which, although important, varies in its impact if users won’t engage with the security technologies at their disposal.

Using machine learning, it is possible to develop technologies with user engagement at their core. Back to the email example, this can involve learning from historic interactions, such as the different groups of recipients users normally share data with. If in future the user then adds an incorrect person to an email thread, an alert can warn them they are about to make a mistake. Additionally, when users choose to override these alerts, administrators can be made aware of potential data breaches.
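
To make the recipient-learning idea above concrete, here is an added example (not code from the article or from any product): a simple co-occurrence heuristic stands in for the learned model, flagging a draft recipient who is new or who does not normally appear alongside the others. The addresses, the 0.2 threshold and all function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample history: each entry is the recipient set of one sent email.
HISTORY = [
    {"ana@corp.example", "raj@corp.example", "li@corp.example"},
    {"ana@corp.example", "raj@corp.example"},
    {"ana@corp.example", "li@corp.example", "raj@corp.example"},
    {"sam@supplier.example", "kim@supplier.example"},
    {"sam@supplier.example", "kim@supplier.example", "ana@corp.example"},
    {"raj@client.example"},
]

def train(history):
    """Count how often each address, and each pair of addresses, was used."""
    seen, pairs = Counter(), Counter()
    for recipients in history:
        seen.update(recipients)
        pairs.update(frozenset(p) for p in combinations(sorted(recipients), 2))
    return seen, pairs

def affinity(addr, others, seen, pairs):
    """Mean of P(addr present | other present) over the known co-recipients."""
    known = [o for o in others if seen[o]]
    if not known:
        return 1.0  # nothing to compare against; unknown addresses are flagged separately
    return sum(pairs[frozenset((addr, o))] / seen[o] for o in known) / len(known)

def check_draft(recipients, seen, pairs, threshold=0.2):
    """Return [(address, reason)] for recipients that look out of place."""
    alerts = []
    for addr in sorted(recipients):
        if not seen[addr]:
            alerts.append((addr, "never emailed before"))
        elif affinity(addr, recipients - {addr}, seen, pairs) < threshold:
            alerts.append((addr, "not normally included with these recipients"))
    return alerts

def record_override(sender, alerts):
    """Audit event for an administrator when the user sends despite the alert."""
    return {"sender": sender, "action": "alert_overridden",
            "flagged": [addr for addr, _ in alerts]}
```

A draft to ana@corp.example, li@corp.example and raj@client.example (an autocomplete slip for raj@corp.example) is flagged on the third address only, and record_override produces the event an administrator would review.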

As the Ponemon Report highlighted, there are no signs of data breaches abating, but the insider threat is just as real as external threats. Organizations therefore need to take a proactive approach to building security around users to reduce the 27% of breaches caused by human error, ultimately reducing the likelihood of a breach and all the costs associated.

Here are six recommendations to help ensure you have the right protection and practices in place:

  1. Don’t view data security as a back office operational process; put the tools into the hands of the user
  2. Embed security and encryption in your day-to-day processes
  3. Look at user-centric data protection solutions that are simple and easy to operate
  4. Educate, train and encourage users to embrace security solutions as opposed to seeing security as an obstruction
  5. Make technology more relevant to users, so that you empower users and make them productive
  6. Use tools like machine learning to help detect threats by monitoring behavioral patterns.
