On a near weekly basis, I read about breaches where much of the exfiltrated data was old data that the organization had no real reason to retain. See, e.g., https://lnkd.in/eaX53AWQ and https://lnkd.in/e4pVA6bT. According to IBM's 2023 Cost of a Data Breach Report, breaches cost organizations an average of $165 per record breached. Report at 2. That means that purging 100,000 records of unnecessary data could save you $16.5M in the event of a breach. Here are five tips:

1. PRACTICE DATA MINIMIZATION: Organizations should practice "data minimization." This means only collecting data that you have a good business reason for collecting and purging unneeded data when it is no longer needed.

2. ARCHIVE DATA OFFLINE: In one recent example, the breached company apparently "ceased operations in December 2022 but, to comply with legal obligations, . . . maintained an archived copy of data previously stored on its computer systems." See https://lnkd.in/e4pVA6bT. To the extent you are only retaining old data to satisfy regulatory requirements or just "in an abundance of caution," consider storing the data completely offline, so it is less likely to be breached.

3. CONDUCT A DATA MAPPING: These days it is common for data records to be duplicated in many places across an organization. Thus, consider conducting a regular "data mapping" to ensure that you know where all of your sensitive data is located, that you are adequately protecting it, and that you are purging it when appropriate.

4. IMPLEMENT A WRITTEN POLICY: Be sure to document your data retention and destruction policy in a written policy, and train your employees on the policy regularly. Remember to update the policy to reflect the changing realities in your organization.

5. OVERSEE THE DESTRUCTION OF DATA: Finally, when you destroy data, take reasonable steps to ensure that the data is actually being destroyed. One bank was recently fined $60M for failing to properly oversee a vendor responsible for purging personal data from digital devices. See https://lnkd.in/eutKzpU7.
Understanding Data Breach Costs and Cybersecurity Measures
Summary
Understanding data breach costs and cybersecurity measures involves recognizing the financial and operational impacts of cyberattacks and the strategies organizations can use to mitigate those risks. A data breach can lead to significant expenses, from regulatory fines to business interruptions, and protecting sensitive information requires proactive policies and security measures.
- Regularly delete unnecessary data: Retain only the information necessary for business purposes and ensure old or irrelevant data is securely purged to reduce exposure during breaches.
- Strengthen cybersecurity protocols: Use robust security practices like encryption, employee training, and threat monitoring to minimize vulnerabilities and reduce the likelihood of costly breaches.
- Invest in cyber insurance: Maintain adequate insurance coverage to address potential breach-related expenses, including legal costs, fines, and recovery efforts.
If you take nothing else from the IBM "Cost of a Data Breach" report, take this... The top 10 factors that *reduced* the overall cost of a data breach were:

1) Robust security testing during the development lifecycle
2) Security focused employee training
3) A documented and tested incident response plan
4) AI and ML integrated into the security monitoring and detection process
5) A dedicated incident response team
6) Encryption for data at rest and in transit
7) A centralized logging system (SIEM)
8) A security monitoring system/team using SOAR tools
9) Proactive threat hunting
10) An up-to-date threat intelligence feed

If you are working on any of these projects, you are potentially saving your company hundreds of thousands of dollars. Unfortunately, penetration testing didn't represent itself well, as it fell to 12th place on this list. In 2024, hopefully we will have fewer vulnerability scans that call themselves pentests and we can make it higher on this list. #databreach #databreachprevention #databreaches2023 #security #cybersecurity
Cyber Coffee Break

I like to have a clear conscience and be able to sleep at night. That is why I write stand-alone cyber policies with no less than $1,000,000 aggregate. Is it enough? This year's goal is to no longer write less than $2,000,000 and to get my existing SMB clients to increase their limits. Why?

Using one of the breaches that I was personally involved in: A physicians group of 3,000 clients is breached by business e-mail compromise. If it cost $300,000 for incident and crisis services costs, $300,000 for the HIPAA fine, $100,000 for forensics and data recovery, and $300,000 for business interruption, there is nothing left for defense of lawsuits, reputational harm, liability that could be imposed by the lawsuits, and did we fail to mention the possible cost of the ransom? In this case, there was no ransom. They just wanted people's health information, which can be sold for as much as $1000 per person on the dark web. We are talking the possibility of threat actors making as much as $3 billion from one breach.

We need to get serious with our understanding of the depth of the damages that may occur. A ransom, if requested, is normally one third of the cost of the claim. The total fallout from this claim is not yet known. How many patients were lost and how many will have their information used that may file suit is not yet all known. And for those of you still adding $50,000 Data Breach endorsements to your clients' policies or selling low limits, better up your E & O.
What are the costs of data breaches? Consider new evidence from my working paper, "From Bits to Bonds: The Economic Ripple of Local Cyberattacks on Municipalities." Let's dive in. 🔒

🔑 Takeaway: Together with Christian T. Lundblad, Lefteris Andreadis, Christodoulos Louca, and Elena Kalotychou, we leverage data from the municipal bond market to assess the costs of data breaches. Our empirical strategy compares yields in counties before versus after a data breach, allowing for heterogeneity in their intensity. We find that affected counties face ~$249,100 in additional annual interest costs per county, scaling to an estimated ~$336 million impact on the entire market/year.

💼 Methodologically, our empirical approach makes a major refinement from past work that has leveraged aggregate time series variation, rather than disaggregate. That allows us to control for a wide array of time-varying shocks, isolating variation among bonds in the same county (or similar) before versus after data breaches. The cost of issuing debt goes up, and we document ripple effects in the secondary market.

🌐 Information dissemination functions as a mechanism behind these results - that is, data breaches that get more coverage than others have a greater effect on markets (consistent with my recent research with Max Smeets and Lennart Maschmeyer in the Journal of Peace Research). We also find that the increase in the cost of financing for municipalities leads to greater resource constraints - areas cut back on spending as a result, and that can have grave consequences for their citizens. "Investing in human capital to enhance cybersecurity expertise emerges as a critical countermeasure, with effects predominantly concentrated in counties demonstrating a higher willingness to invest in cyber protection," we note.

Our research provides a comprehensive understanding of the dynamics at play in the municipal bond market in the face of cybersecurity threats, highlighting the necessity for municipalities, investors, and policymakers to foster a proactive approach towards managing cybersecurity risks. Read the full paper - link in comments. #Cybersecurity #MunicipalBonds #InvestorPerception #Finance