5 Steps to Prevent a Costly Data Breach

Data breaches are bad. In today’s digitally-driven world, many people consider breaches inevitable, but businesses also understand that deploying preventative measures to avoid a data breach and detection methods to find and stop a breach quickly are top priorities when it comes to managing cyber risk. Still, quantifying just how damaging a data breach may be is a challenge.

The Ponemon Institute and IBM issue their Cost of a Data Breach Study each year to help put context around the financial implications of a data breach. Doing so allows organizations to create risk models for their cybersecurity program, something that’s historically been hard to do because, when it comes to security, the absence of an event is progress. Turning “nothing happened” into “I need a bigger budget” has vexed security practitioners for years. The information in the Ponemon study is a good starting point, but turning those raw numbers into an operable security program is another task altogether.

A look at the data

According to the 2018 “Cost of a Data Breach” report, the current average total cost of a breach is $3.86 million USD globally. This is a 6.4% increase over the previous tracking period (2016-2017) and a 1.6% increase over a 5-year global average. While a 1.6% increase may not look impressive, security practitioners should ask themselves: could my organization sustain a $3 million USD loss if our systems were breached?

It’s also important to note that the costs of a breach are higher in certain geographic regions than others. For instance, the average total cost of a data breach in the US was $7.91 million USD (up from $7.35 million in 2017) compared to $1.24 million USD in Brazil. Therefore, looking at the costs in aggregate may be misleading depending on where the affected organization is located. The reasons for the wide variation in cost include regional regulatory requirements, detection and escalation costs (forensics, third-party assessments, audits, crisis management, etc.), post-breach response costs (help desk support, communications, legal fees, product discounts, etc.), notification costs, and customer churn.

Companies should dive into the Ponemon data to create benchmarks based on their geography, industry, and company size. In the meantime, suffice it to say, prevention and rapid detection of security incidents is preferable to a declared breach. The longer a breach goes undetected, the higher the cost to the organization. In fact, according to the Ponemon report, “companies that contained a breach in less than 30 days saved over $1 million vs. those that took more than 30 days to resolve.” For some organizations, perhaps $1 million is chump change, a mere market adjustment. For most, though, saving that money—or more if dealing with a mega breach—makes a significant impact on business operations.

Protecting against data breach costs

Preventing a breach is the best-case scenario, but even the most diligent and well-funded organizations can’t avoid every vulnerability, every phish, and every system glitch. While managing a cybersecurity program is complex, here are the top 5 ways organizations can mitigate the potential for and costs of a data breach:

Learn your networks

Between network sprawl, cloud and container adoption, shadow IT, IoT, BYOD, and myriad other acronymed business use cases, organizations often don’t have full visibility into what’s communicating on their networks, much less where sensitive information resides, and how or with what it’s communicating.

To manage networks, organizations must:

  • Achieve full visibility into all assets present and communicating
  • Map data and application flows
  • Establish baseline “normal” activity per the business

The above steps are essential to identifying (then stopping) anomalous behavior. Asset inventories and communication mapping can be automated so that the organization always maintains an up-to-date, real-time view into what’s happening on their networks, regardless of infrastructure or deployment.

Implement segmentation

Flat, overly permissive networks have been the conduit for many mega breaches. If an attacker can successfully penetrate the perimeter using a system vulnerability (e.g., unpatched Apache Struts) or a targeted phishing email that results in stolen valid user credentials, they gain access to the “crown jewels,” unless additional protections have been placed around them.

Network segmentation and microsegmentation place barriers in front of data, systems, applications, hosts, and other valuable system resources and prevent lateral movement. Creating secure zones which can only be accessed through zero trust permissions (end user and system) ensures that adversaries can’t tamper with the network or gain unauthorized access to sensitive data which, if leaked, destroyed, or stolen could cost the company millions in breach costs.

Control access to sensitive data and systems

Pursuant to the point above, tightly controlling access to system resources is a key to preventing data breaches. Most security and network practitioners automatically think “end user” when they think about access, but it’s important to remember that system resources require access permissions to function properly.

As such, companies should implement least privilege access for all users and systems communicating on and across their networks. Limiting who/what has access to resources reduces the probability of a breach and makes it easier to detect when an adversary is attempting access. To bolster protection, organizations should also consider time-bound sessions, especially for administrative access. Admins should be required to re-authenticate using two-factor authentication after a certain period of time, thereby reducing the amount of dwell time an attacker can achieve. (Remember our statistic from above regarding the time it takes to identify and contain a data breach.)
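A time-bound administrative session that demands a fresh second-factor check once its window expires, as an added example that is not code from the original post or from Edgewise. The 15-minute admin window and 8-hour user window are assumptions chosen for illustration.

```python
# Added example (not from the original post): an authorization gate where
# administrative actions require a session that is both MFA-backed and
# younger than a fixed window; an older session gets "reauth", not "allow",
# so a stolen admin session stops working on its own after the window.
from dataclasses import dataclass

ADMIN_MAX_SESSION = 15 * 60   # assumption: admins re-authenticate every 15 minutes
USER_MAX_SESSION = 8 * 3600   # assumption: regular users get an 8-hour session

@dataclass
class Session:
    user: str
    is_admin: bool
    authenticated_at: float   # epoch seconds of the last full (password + 2FA) login
    mfa_verified: bool

def session_is_fresh(session, now):
    """True only if the session completed 2FA and is still inside its window."""
    if not session.mfa_verified:
        return False
    max_age = ADMIN_MAX_SESSION if session.is_admin else USER_MAX_SESSION
    return (now - session.authenticated_at) < max_age

def authorize(session, action, now):
    """Return 'allow', 'reauth' (step-up required) or 'deny' for an action.
    Actions prefixed 'admin:' are only ever allowed to admin sessions."""
    if not session.mfa_verified:
        return "deny"
    if action.startswith("admin:") and not session.is_admin:
        return "deny"
    if not session_is_fresh(session, now):
        return "reauth"
    return "allow"

def reauthenticate(session, now, mfa_ok):
    """Reset the window only after a successful second-factor check."""
    if mfa_ok:
        session.authenticated_at = now
        session.mfa_verified = True
    return session

if __name__ == "__main__":
    s = Session("alice", True, 1000.0, True)
    print(authorize(s, "admin:rotate-keys", 1000.0 + 600))   # allow, 10 min old
    print(authorize(s, "admin:rotate-keys", 1000.0 + 901))   # reauth, window expired
    reauthenticate(s, 2000.0, mfa_ok=True)
    print(authorize(s, "admin:rotate-keys", 2010.0))         # allow again
```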

Encrypt (at least) sensitive data

Looking back through the highly publicized breaches over the last ten years, it’s amazing that so many big-name, profitable companies continue to store customer data, financial data, health data, passwords, and other (often regulated) sensitive data in clear text. Encrypting data and databases is the best way to prevent a data breach, even if an attacker is able to achieve system compromise. In other words, you may not be able to keep attackers out of your networks entirely, but if the attacker can’t find what they’re after (because it’s encrypted) you’ve avoided a breach.

Assess risk

Automated and manual testing of systems and resources is the only way to understand your network risk. Vulnerability assessments, penetration testing, and audits should be continuous and (optimally) performed by both internal and external testers. Internal users know your systems and business requirements inside and out, while external parties have the worldview of the threat landscape.

Networks change all the time, so any assessment will be a point-in-time snapshot only. This is why testing and assessments must be ongoing and conducted from different points of view. Motivated attackers will patiently conduct reconnaissance; defenders must put equal weight into understanding system and process vulnerabilities and threats, then take the time to create and execute remediation plans. Not every found vulnerability requires a patch, but preventing an intrusion and/or data breach—and skirting multimillion dollar cleanup costs—requires that organizations be fully aware of the biggest risks to their networks and attend to those that pose the greatest threat.

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.