Understanding and preventing data breaches

With reports coming out virtually every second day on serious data breaches around the world and in Australia, it’s time to add up the cost and take serious prevention measures.

These data breaches in the news are just the tip of the iceberg - loss of reputation leads many enterprises to cover up breaches until they are forced, kicking and screaming, to own up. One only has to think of Sony, which took a long time to admit to the extent of the data breaches compromising thousands of customers’ data.

The average cost of significant data breaches reported by Australian organisations was about AU$2 million in 2010, according to qualitative research conducted by Symantec and the Ponemon Institute.

The 2010 Annual Study: Australian Cost of a Data Breach report found the average data breach cost respondents AU$128 per compromised record, an increase of 4% on 2009. The size of the incidents reported ranged from 3200 to 65,000 records and the cost of resolving individual breaches ranged from AU$369,000 to AU$4.2 million.

In the US, law requires that a data breach must be reported. There is no equivalent law in Australia - in fact, Symantec’s Craig Scroggie, VP and Managing Director, Pacific Region, reckons the breach regulations are not too onerous in Australia.

“This report highlights the need for legislative reforms that require companies to notify their customers of a data breach to be fast-tracked in Australia.

“The Australian government has its own regulations and some agencies have gone to great lengths to protect information and some have even gone to the enforcement stage,” said Scroggie.

The Ponemon Institute and Symantec interviewed 19 Australian companies that experienced data breaches, from nine industry sectors.

Scroggie said, “We can let organisations know how they can protect themselves against data loss but organisations generally say they are not quite ready to know the truth about their vulnerabilities, they have bigger priorities and they are just too busy.”

For the first time, the research found mistakes involving third parties were the most frequent cause and most expensive type of breach overall.

Interestingly, bringing in external help to deal with breaches had the second-highest costs, and having experience with data breaches and responding slowly cost a great deal as well.

More than one-third (37%) of companies notified victims within one month of discovering a breach, an increase of six percentage points from last year. Companies that responded quickly to the breach incurred costs of only AU$106 per record, while slower movers experienced much higher costs.

Stuart Irving, CIO of global financial services company Computershare, counts security of information and governance as part of his responsibilities.

“There are two kinds of data breaches: deliberate and accidental. People are still coming to terms with the fact that records are digitised so they are still coming to terms with their obligations to protect the record. There are different regulations globally with the US being one of the highest in upholding people’s privacy.

Irving says education on information security and how to treat data is key in preventing data breaches.

“It’s a fine line between education and nagging people about data security but you have to keep on message until it sinks in.

“The second step is eliminating any unnecessary data. Get it off the servers and store it somewhere where it can’t be accessed.

“The third step is to use all the normal tools available such as malware, AV, access controls, provisioning, web filtering software and change apps to mask sensitive data as well monitoring, penetration testing, disk encryption and making sure mobile devices are protected if they are lost.