It may sound like fearmongering, but if a diverse group of businesses like Ashley Madison, Sony, and JPMorgan Chase can get hacked, truly every business is a potential target.

How much would a data breach cost your business? According to a Ponemon Institute analysis sponsored by IBM, the average total cost is about $3.8 million. That's an increase of 23 percent from 2013. 

In an interview with Harvard Business Review, vice president of IBM security Marc van Zadelhoff says criminals are increasingly becoming organized, resulting in breaches that are more costly than if perpetrated by an activist or the result of, say, a lost laptop. 

"It becomes more expensive because [criminals] steal more, they're more persistent, they're stealthy, they stick around, they're harder to detect and harder to get rid of," he says. "It's like a more difficult virus in your body. The best advanced attacks on our organization are just harder to inoculate against, and harder to get out of the system."

According to the report, the average cost per record stolen due to criminal attacks increased to $170 in 2015 from $159 last year. With the average data breach resulting in 10,000 stolen records, the cost can add up quickly--even without factoring in lost reputation, loss of customers, and business interruption. Find out more interesting facts about hacks and van Zadelhoff's advice below.

What is the most valuable information?

Van Zadelhoff says organized criminals go after high-value targets. In a lot of cases, health care information is the big prize being sought. He says a person's full health record can be worth $50 on the black market, while a credit card or social security number can go for as little as a $1. But the real money is in leveraging the information to social engineer the person whose information was stolen.

"They might impersonate a bank, saying, 'Hey, I know you're about to go and get an operation, don't forget to transfer some money by clicking here,' or whatever," he says. "And then you think, 'Well, they know I'm having an operation tomorrow, so they must be a legitimate bank.' So the initial crime results in more valuable data leaving the building."

What do businesses need to protect?

Every business has a trove of unique data it collects. Employees have high-value health records that you need to protect, but you should not stop there. "Businesses of all types and sizes must seek to understand what types of information they have that would be of most value to hackers, as well as what would be most damaging to their company, employees, and customers if a breach occurs," van Zadelhoff tells HBR. "By taking this first step of defining what is most important and where it resides, organizations can then personalize their security programs to adequately protect their unique 'crown jewels.'"

How can you reduce the potential cost of a breach?

Training employees in security measures can lower the cost of a breach, the report finds. Van Zadelhoff says this should include every employee, not just the IT staff. "Employees can be seen as the Achilles heel of cybersecurity; mistakes by those with access to a company's systems are the catalyst for 95 percent of all incidents," he says. "It can be as simple as accidentally clicking on a malicious link or failing to question the authenticity of a phone call or banking website."

IBM simulates phishing email attacks on employees without giving prior warning, van Zadelhoff says. The company will find out about an employee's upcoming vacation and send an email that says something like, "Click here to confirm your travel." When the employee clicks the link, he receives a message explaining it was a phishing attack. 

"If you have employees aware and a little bit paranoid, it can make a big difference," van Zadelhoff says. "And often the more senior employees at an organization are the ones that are just less socially aware, in terms of Facebook and LinkedIn and all these things. They can be quite susceptible to still clicking on things, or assuming that if someone sends you an email and it has a couple of pieces of data that are accurate, that it must be legitimate."

Published on: Jul 28, 2015