Sébastien Pavie, Regional Director META, Enterprise and Cybersecurity, explores the true cost of a data breach and why there needs to be a change of mindset when it comes to security in the business world.
Every day, more and more companies are harnessing the power of cloud and Digital Transformation, leaving them potentially more susceptible to cyberattacks. According to data from the 2018 Breach Level Index report from Gemalto, more than six million data records are lost or stolen per day globally. Only 4% of breaches were secure breaches where encryption was used and the stolen data was rendered useless.
A data breach occurs when a cybercriminal successfully infiltrates a data source and extracts sensitive information. This can be done physically by accessing a computer or network to steal local files or by bypassing network security remotely. The latter is often the method used to target companies.
Despite an overall decline in the number of data breaches, Gemalto’s Breach Level Index data suggests security incidents are getting faster and larger in scope. Companies from a wide range of industries, from insurance to transport, are continuously targeted for bits of valuable customer data. In a region with higher than average use of apps and Internet services, the expectation is that companies are doing all that is necessary to keep their data safe. Many times, companies would rather gamble and take the ‘it won’t happen to us’ approach than realise there is a very good chance that it indeed will happen to them at some point without the necessary measures in place.
2018 saw major data breaches across different industries in the GCC. The Telecommunications Regulatory Authority (TRA) in the UAE reported a total of 274 cyberattacks targeted at government, semi-government and private sector entities in the first half of 2018. An increasing number of data and cyberbreaches in the Gulf have intensified the discussions around data protection and privacy, triggering several initiatives within the public and private sectors.
Businesses in the GCC have recently taken a cue from the European Union’s General Data Protection Regulation (GDPR) and have been working to put in place policies and measures to comply with the new requirements and to avoid the hefty fines for non-compliance. While the legislation stems from the European Union, it affects every company that trades with the bloc or has EU residents as customers.
All breaches, regardless of size, ultimately cost a company either in financial terms or reputational damage or both.
A financial hit
It is difficult to determine the monetary value of the cost of a breach given that many companies are reluctant to share the value of expenditure incurred to recover from a hit or the value of a decline in sales or subscribers to a service in the wake of the breach.
In the case of the international hotel chain Marriott, over 300 million customer records including passport details, birth dates, addresses, phone numbers and email addresses were exposed. The hackers also accessed payment card data for an undisclosed number of customers. After the incident, the company’s share price fell as much as 6% before ending the day 5.6% down, shaving about US$2.4 billion off equity value.
Regionally, a petrochemical company with a plant in Saudi Arabia was hit by a cyberassault designed not only to destroy data or shut down the plant but also to sabotage the firm’s operations and trigger an explosion. Due to the breach, there was a big increase in spend to upgrade IT infrastructure and security and to pay legal fees and government fines – all of which is just the beginning.
Moving forward, we should start to see a clearer picture of the tangible financial cost of a data breach through legislation like GDPR, under which companies can be fined up to 4% of their global turnover if they are found to have suffered a breach.
The true cost of a data breach is not just a financial one. The extensive list of tangible and intangible costs includes the erosion of customer trust, which can be the most detrimental factor to an organisation’s success.
The reputational impact
The prevailing sentiment in the region is that a data breach is not that big a deal, with the focus remaining firmly on dealing with the breach as and when it arises as opposed to an anticipation and prevention approach. According to Gemalto’s Breach Level Index, the global trend highlights social media as the top source for data breaches, accounting for over 56% of records breached. In the UAE, breaches occur more through app-based platform attacks.
Last year, cybercriminals stole the data of 14 million customers of a ride service company in the Middle East, North Africa and South Asia, including names, email addresses, phone numbers and trip details. While the breach involved access to the data storage system for 14 million riders and 558,800 drivers, the company said it hasn’t seen any evidence of fraud or misuse. Companies need to face the very real threat that customers will migrate to more secure companies if they feel their data is compromised and their trust misplaced.
Due to GDPR’s requirement for complete transparency in the event of a breach, there is an increased likelihood for companies to suffer reputational damage, as they are bound to reveal the details. Consumers are becoming increasingly aware not only of the incidents occurring but of the power they hold when it comes to companies taking responsibility.
Mitigating the risks and costs of a breach
There needs to be a change of mindset when it comes to security in the business world. Businesses need to steer away from the mentality that their data cannot be stolen or that they are untouchable. The focus must be on securing the most sensitive data a business has at its core. Too many companies attempt to secure the outside and leave the data exposed, meaning that if a hacker were to break in, they could help themselves to whatever they want. Encrypting data at rest and in motion, managing and storing the encryption keys securely, and managing and controlling user access are vital steps for businesses to take to protect themselves at every level.
With nearly every business using the cloud and with the continued emergence of IoT, businesses have never been presented with such incredible opportunities for growth, but with that comes an increased risk of attack. By implementing solutions such as encryption, businesses can essentially adopt what is known as a ‘secure breach’ strategy, whereby even if their perimeter is breached, their data can’t be accessed.
Investing in this strategy moving forward is the only way businesses can protect themselves from the financial and reputational consequences that are now being seen more frequently, both globally and in the region. The true cost of a data breach may still be difficult to calculate in exact terms and may vary depending on the business, but companies shouldn’t be running the risk of incurring these costs in the first place.