How much is your data actually worth?
By Jamie Wilson, Founder and Managing Director of Cryptoloc
As our world gets smaller, and our systems for sharing information become increasingly interconnected, breaches are becoming an inevitability. It’s no longer a matter of if, but when, your data will come under attack – but do you have any idea how precious your data actually is?
The criminals who steal data – whether for the purpose of blackmail, identity theft, extortion or even espionage – are finding themselves competing in an increasingly crowded marketplace. Over the course of the global coronavirus pandemic, as the lines between our personal and professional lives and devices blurred like never before and ransomware proliferated, hackers became more active and empowered than ever.
According to Privacy Affairs’ latest Dark Web Price Index, the stolen data market grew significantly larger in both volume and variety over the last year, with more credit card data, personal information and documents on offer.
As the supply of stolen data has grown, prices for each individual piece of data have plummeted. Hacked credit card details that would have sold for US$240 in 2021 are going for US$120 in 2022, for instance, and stolen online banking logins are down from US$120 to US$65.
But this hasn’t discouraged cybercriminals. Instead, dark web sites have begun resorting to traditional marketing tactics like two-for-one discounts on stolen data, creating a bulk sales mentality that places an even greater imperative on cybercrime cartels to amass large quantities of data.
This makes it even more likely that your data will be stolen, because even if your organisation isn’t specifically targeted, you could be caught up in an increasingly common smash-and-grab raid – like the attack on Microsoft that exposed around a quarter of a million email systems last year.
And while the value of each piece of data on the dark web is decreasing for cybercriminals, cyber attacks are just getting costlier for the businesses the data is stolen from.
How much is your data worth to your business?
Not sure how much your data is worth? The exact answer is impossible to quantify definitively, as it will change from one business and one piece of data to another, but it’s clear that having your data stolen can have devastating consequences.
According to the Cost of a Data Breach Report 2021 from IBM and Ponemon, which studied the impacts of 537 real breaches across 17 countries and regions, the per-record cost to a business of a data breach sits at US$161 per record on average – a 10.3 per cent increase from 2020 to 2021.
For a personally identifiable piece of customer data, the cost goes up to US$180 per record. Not only is this the costliest type of record, it’s also the most commonly compromised, appearing in 44 per cent of all breaches in the study.
For a personally identifiable piece of employee data, the cost sits at US$176 per record. Intellectual property costs US$169 per record, while anonymised customer data will set you back US$157 per record.
But it’s extremely unlikely that a cybercriminal would go to the effort of hacking your business for one piece of data. In that sense, it’s more instructive to look at the average cost of a data breach in total – which currently sits at a staggering US$4.24M.
For ransomware breaches, in which cybercriminals encrypt files on a device and demand a ransom in exchange for their encryption, the average cost goes up to US$4.62M, while data breaches caused by business email compromise have an average cost of US$5.01M.
Breaches are costliest in the heavily regulated healthcare industry (US$9.23M) – a logical outcome, given the heightened sensitivity of medical records. By comparison, the ‘cheapest’ breaches are in less regulated industries such as hospitality (US$3.03M).
Mega breaches involving at least 50 million records were excluded from the study to avoid blowing up the average, but a separate section of the report noted that these types of attacks cost 100 times more than the average breach.
The report found the average breach takes 287 days to identify and contain, with the cost increasing the longer the breach remains unidentified. So when it comes to cybercrime, time really is money.
IBM and Ponemon broke the average cost of a breach up into four broad categories – detection and escalation (29 per cent), notification (6 per cent), post-breach response (27 per cent) and lost business cost (38 per cent). Lost business costs include business disruption and revenue losses from system downtime; the cost of lost customers; reputation losses; and diminished goodwill.
A 2019 Deloitte report determined that up to 90 per cent of the total costs in a cyberattack occur beneath the surface – that the disruption to a business’ operations, as well as insurance premium increases, credit rating impact, loss of customer relationships and brand devaluation are the real killers in the long run.
It can take time for the true impacts of a breach to reveal themselves. In 2021, the National Australia Bank revealed it had paid $686,878 in compensation to customers as the result of a 2019 data breach, which led to the personal account details of about 13,000 customers being uploaded to the dark web.
The costs included the reissuance of government identification documents, as well as subscriptions to independent, enhanced fraud detection services for the affected customers. But the bank also had to hire a team of cyber-intelligence experts to investigate the breach, the cost of which remains unknown.
The IBM and Ponemon report confirms that the costs of a data breach won’t all be felt straight away. While the bulk of an average data breach’s cost (53 per cent) is incurred in the first year, another 31 per cent is incurred in the second year, and the final 16 per cent is incurred more than two years after the event.
And with the recent rise of double extortion – in which cyber criminals not only take control of a system and demand payment for its return, but also threaten to leak the data they’ve stolen unless they receive a separate payment – we’re likely to see data breaches exact a heavy toll for even longer time periods moving forward.
How can you protect your data?
Data breaches are becoming costlier and more common, so it’s more important than ever to ensure your data is protected.
Many businesses are turning to cyber insurance to protect themselves. Cyber insurance typically covers costs related to the loss of data, as well as fines and penalties imposed by regulators, public relations costs, and compensation to third parties for failure to protect their data.
But as breaches become a virtual inevitability and claims for catastrophic cyberattacks become more common, insurers are getting cold feet. Premiums are skyrocketing, and insurers are limiting their coverage, with some capping their coverage at about half of what they used to offer and others refusing to offer cyber insurance policies altogether.
Regardless, cyber insurance is not a cyber security policy. Even the most favourable cyber insurance policy doesn’t prevent breaches, but merely attempts to mitigate the impact after the horse has already bolted.
The best approach is to educate your employees and other members of your organisation about cyber security, and put the appropriate controls and best practices in place, including using multi-factor authentication, implementing zero trust policies, and backing up and encrypting data.
The IBM and Ponemon report found that the use of strong encryption – at least 256 AES, at rest and in transit – was a top mitigating cost factor. Organisations using strong encryption had an average breach cost that was 29.4 per cent lower than those using low standard or no encryption.
When data is safely and securely encrypted, any files a cybercriminal gains access to will be worthless to them without an encryption key. My business, Cryptoloc, has taken this principle even further with our patented three-key encryption technology, which combines three different encryption algorithms into one unique multilayer process.
Built for a world without perimeters, our ISO-certified technology has been deployed across multiple products, including Cryptoloc Secure2Client, which enables users to send fully encrypted documents directly from Microsoft Outlook.
We’ve recently made Secure2Client available on the Salesforce AppExchange, so that marketing, sales, commerce, service and IT teams using Salesforce around the world can encrypt the reports they send to clients and third parties that are sensitive or confidential in nature.
This protects Salesforce users from the potentially catastrophic ramifications of a data breach, while allowing them to continue using the existing application that their business is built around.
We’ve also rolled out a new Ransomware Recovery capability that empowers users to protect and restore their data in real-time in the event of an attack, ensuring they never have to pay a costly ransom for the return of their data.
With Ransomware Recovery, every version of every file a user stores in the Cloud is automatically saved. If they suspect they’ve been the victim of a ransomware attack, they can simply lock down their Cloud temporarily to stop the spread of malware; view their files’ audit trails to determine when the attack occurred; roll back their data to the point before it was corrupted; and then unlock their Cloud.
This ensures users can recover their data as quickly and effectively as possible, minimising costly disruptions to their business, removing the need for a lengthy and expensive investigation, and ensuring they never have to pay a cent to a cybercriminal to get back the data that’s rightfully theirs.
Yes, cyber attacks are inevitable – but victimhood isn’t. If you take the right precautions, you can prevent costly breaches and maintain control of your precious data.