When we talk about data security, we often have to use vague terms. We can only really describe threats in terms of “surface area” exposed to attack, “danger level”, and so forth. This is due to the way corporations and other entities tend to handle their breach data, preferring to “hide” the extent and nature of the damage rather than confirm how effective the attackers actually were.
While this is a generality, there are some specific data sets that we can use to discuss the actual, real damages done to corporations. While specific threats are often hidden, the actual monetary costs are often reported and considered part of operational costs. In this way, we do in fact have hard data that we can look at.
In this piece, we’re going to do just that. We’ll look at some instances of successful breaches and the cost incurred by each attack. We’ll talk about how these issues could have been mitigated, and how the involved companies, corporations, and entities failed to do so. And, hopefully, we’ll create a strong resource that demonstrates exactly what data insecurity can cost.
Outliers and Edge Cases
Part of the difficulty in this process is the fact that actual damage calculations often occupy edge cases and collect a fair number of outliers. Many reports have calculated extreme cases, such as the Ponemon Institute Study of 2015, which calculated average costs within the millions of dollars. Other studies, such as the Rand Survey, calculated the average costs as less than $200,000 USD.
The fact is that the two numbers were calculated in vastly different ways, and thus represent very different realities. There is no “common” or “average” data breach - some breaches hit mom-and-pop shops, costing a few thousand dollars in remediation, while others can take down entire networks at big-name entertainment organizations, costing hundreds of thousands in initial remediation and then further costs from lawsuits and fines.
Therefore, the actual valuation of losses is lost in “averaging out” costs, because an average doesn’t represent the actual, real threat - simply put, your potential losses increase exponentially with the share of data you host. Compounded costs associated with European Union security laws, United States healthcare laws such as HIPAA, and other such fees and fines can take a relatively small cost and magnify it dramatically.
Large Failure - PlayStation Network Data Breach
In 2011, Sony suffered a massive data breach that exposed not only 77 million accounts, but also unsecured network information, credentials, and access methodologies.
Because Sony failed to encrypt their data on the server side and, in many cases, resorted to storing credentials in plaintext, user identification details, addresses, credit card information, and more were exposed in the initial attack. The unencrypted data paths also exposed critical network paths and methodologies to the attackers, allowing for the entire system to be taken down.
While it’s hard to estimate what the actual cost of the breach was in terms of public relations, the direct cost of remediation - that is, the cost to provide identity theft insurance to affected customers, to investigate the intrusion, and to fix the server issues that caused the intrusion and were later caused by it - was pegged at $171 million USD.
What Went Wrong
In commenting on the breach, Graham Lee, a software security author out of Oxford, perfectly encapsulated the issue with Sony’s servers at the time of the breach:
“The whole reason a password is useful is that it’s only known to the person who set the password on the account. If the provider stores passwords unencrypted, then it’s very easy for somebody else - not just an external attacker, but members of staff or contractors working on Sony’s site - to get access and discover those passwords, potentially using them for nefarious means.”
The scary thing about it is this - storing passwords the way Sony did is not common amongst larger corporations, but unfortunately it is still very common amongst inexperienced server administrators and smaller shops and companies. While it’s often a solution chosen out of laziness, it can also be one chosen out of inexperience, meaning it’s an error that’s quite easy to make but has drastic consequences.
Luckily for Sony, they were not in the healthcare industry, as that would have incurred massive fees. Penalties for HIPAA violations scale with the degree of negligence, ranging from $100 to $50,000 USD per identified violation.
Because Sony had 77 million users exposed, and arguably could have been considered “negligent” in their handling (though this is a legal term, not one that can be stated categorically in this piece), had they exposed healthcare records they could easily have been fined the maximum penalty of $1.5 million per year per provision.
Small Failure - Small Businesses and Scaling Costs
While it’s quite easy to address a monolithic failure like the one at Sony, the bulk of data breaches - estimated at 50 to 60% of all data breaches - are those that hit small businesses. The problem with these kinds of breaches is that the amount of damage can still be astronomical, but it is harder to absorb given the average revenue a small business might earn.
According to a recent study by Kaspersky Lab, the average direct loss for a small business from a security breach is $38,000. Add to this the $8,000 in indirect costs for training, hiring staff to remediate, etc., and you’re looking at a total cost of $46,000.
While this amount is certainly less impactful than the millions Sony had to shell out, it’s not that much better from the point of view of a small business. Owning a small store means you command a smaller revenue, and whereas Sony, Microsoft, or any big-name company might be able to absorb $1.5 million without breaking a sweat, a small business in the current economic climate might see $46,000 of unexpected costs as a death knell.
Small Business Mitigation
Given this, and given the stringent budgeting that small businesses often face, what are some solutions that can be applied? We know what went wrong with the Sony hack, and what generally goes wrong with larger companies, but how can this be extrapolated down to the small business level?
Honestly, not much must change in the approach. Data is data, regardless of the amount, type, or frequency of handling, and so data security is a universal component of any company. Storing passwords in plaintext, whether for 77 million users or 6,000, is not a great way to go about things. Properly protecting stored data is important for any business, small or large, and should be one of the first things any “connected” business looks at.
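To make the plaintext-storage failure described above (and in the Graham Lee quote) concrete, here is an added example that is not code from the original post or from Sony. It contrasts a Sony-style record that carries the credential itself with the standard remedy for stored passwords: a per-user random salt and a slow, salted hash (PBKDF2-HMAC-SHA256 from the Python standard library) rather than reversible encryption, so that a dumped table gives an attacker, staffer, or contractor nothing they can log in with. The iteration count and the sample credentials are constructed illustrative values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustrative work factor; real deployments should tune this
# to the slowest value their login latency budget tolerates.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(username: str, password: str) -> dict:
    """The anti-pattern from the breach: the credential itself is written
    to the record, so anyone who can read the table reads the password."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str,
                 salt: Optional[bytes] = None) -> dict:
    """Hardened form: a fresh random salt per user plus a slow salted hash.
    The salt is stored alongside the hash; it is not a secret."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time,
    so a wrong guess cannot be distinguished by timing."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_password(record: dict) -> Optional[str]:
    """What a dumped record hands over directly: the password for a
    plaintext record, nothing for a hashed one."""
    return record.get("password")


if __name__ == "__main__":
    weak = store_plaintext("alice", "correct horse")      # constructed sample
    strong = store_hashed("alice", "correct horse")
    print("plaintext dump reveals:", leaked_password(weak))
    print("hashed dump reveals:", leaked_password(strong))
    print("login with right password:", verify_hashed(strong, "correct horse"))
```

Because each user gets a fresh salt, two users with the same password produce different stored hashes, which also defeats precomputed lookup tables across the whole table.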
That’s not to say these losses are all due to improper encryption, however.
The Rotten Truth - We’re Seeing One Picture
When we talk about data breaches, especially from the perspective of writers and journalists, we often like to use buzzwords like “hacking”. The truth is, while a good share of breaches every year do come from hacking, a huge amount come from other sources that receive far less attention.
In 2015, there were 14,467,995 reported individuals impacted by data breaches. Of this, 12,521,559, or roughly 86%, were related directly to hacking.
That only paints half the picture, though. The rest of the losses were due to easily preventable actions that should never have occurred. You can’t really predict a hack - people will always hack, whether for political or economic gain. Theft, improper disposal, and unauthorized disclosure can be predicted, however, using basic situational analysis.
Companies can take the following steps to mitigate losses from disposal, theft, disclosure, and unauthorized access:
- When deleting data, ensure you are using a standards-compliant solution such as Clarabyte. Ensuring data is actually deleted is the number one step that can be taken to keep that data from being breached later, and improperly disposed data accounts for the lion’s share of stolen data unrelated to direct hacking.
- Do not place high-value items in physically accessible locations. Server cabinets should be locked and monitored to prevent theft, and personal laptops should be kept secure and local at all times to prevent unauthorized leaks.
- Proper authorization and authentication systems, such as those based on OAuth 2.0, should be applied to servers to ensure that only the people who need to access data can access it.
Following these simple principles can not only save you a headache - they could save you millions.