By Tolgay Kizilelma, Chief Information Security Officer, UC Agriculture and Natural Resources.

Technology is an integral part of our daily lives, which means cybersecurity and cyber-risk are becoming ever more important. With the growth in digital information and increased reliance on IT, cyber-risk is growing significantly, and the cost of data breaches is rising as well. Educational institutions that fully understand the myriad ways in which data breaches incur costs may have more incentive to protect their most important asset – information.
Why cyber-risk is growing
There are numerous reasons for the increase in cyber-risk: sophisticated attack tools and strategies are easily obtainable, broadband access is ubiquitous, and countless people are on the go with smartphones and high-speed connections.
Cybersecurity incidents can have a serious impact on an organization, whether due to attacks initiated by cybercriminals, hackers, malicious insiders, or nation/state hacktivists; due to systems with improper design, testing, and implementation; or due to human error as a result of a lack of training and/or supervision. According to the 2016 Ponemon study, 50% of data breach causes in the United States are malicious or criminal attacks, 27% are system glitches, and 23% are human error, costing $236, $213, and $197 per capita, respectively.
Unlike the profit-driven private sector, higher education is particularly vulnerable, due to its open and inviting culture, which often means open networks. In such an environment, it is important to make informed, risk-aware decisions to protect organizational assets and to comply with laws and regulations. The goal is to prioritize risk without trying to address every threat or vulnerability, given the organization’s limited resources.
Know your assets
In dealing with cyber-risk, it is critical to define and know your important and valuable assets. In an educational organization, data (information) is one of its key assets. Through interactions with stakeholders, educational institutions collect, produce, and use data that might be considered sensitive by law. They must comply not only with HIPAA, FERPA, and PCI-DSS, but also with many other federal laws and regulations. The Higher Education Compliance Alliance provides a variety of resources for these compliance requirements.
Know the true cost of breaches
It is relatively easy to calculate the value of tangible assets and associated costs. But how do we account for the reputation of an organization or the economic potential of the research linked to intellectual property and knowledge transfer? What about the costs associated with downtime or other operational impacts of security incidents, which may prevent basic institutional activities from taking place?
Noncompliance with legislation and/or contracts can create legal costs including attorney fees, prosecution, penalties, and withdrawal of existing and future funds – a serious financial impact. Understanding the cost of a breach in these terms is part of our risk management process.
Every data breach incurs many costs. There are costs associated with the discovery of and immediate response to the breach; these include conducting investigations and forensics, determining potential victims, forming the incident response team, and crisis management efforts (including public relations outreach).
Notification costs include determining which regulations apply and communicating with required or affected parties. After the data breach is discovered, costs associated with identity protection, auditing, consulting, and legal services are incurred. Adding to the damage are the costs of lost business, increased retention costs, opportunity costs, reputation losses, and diminished goodwill.
In the area of compliance, the financial consequences are even greater. Consider such situations as the Oregon Health and Science University $2.7 million settlement on July 18, 2016; and the University of Mississippi Medical Center $2.75 million settlement on July 21, 2016. These types of breaches impact many people. Auburn University’s SSN exposure on April 8, 2015, affected over 360,000 students; and the University of Maryland’s data breach on February 19, 2014, affected 310,000 faculty, staff, and students. The consequences are real.
Security controls put in place make a difference. The 2016 Ponemon study indicates that in the United States, having an incident response team reduces the overall per capita cost of a data breach by $26, while use of encryption reduces it by $19, awareness training by $15, and appointing a Chief Information Security Officer (CISO) by $8. On the other hand, engaging consultants increases the cost by $5, lost and stolen devices increase it by $9, migrating IT services extensively to the cloud increases it by $15, and involving third parties to handle security breaches increases it by $20.
The same study indicates the average per capita cost of a data breach in various industries in the United States is increasing: $201 in 2014, $217 in 2015, and $221 in 2016. Heavily regulated industries have the highest costs. The health care industry has a per capita cost of $402, followed by life sciences at $301 and education at $220. These costs help explain why in 2016 the costs related to data breaches ranged from $4.9 million for less than 10,000 compromised records to $13.1 million for more than 50,000 records.
Choose to protect important assets
The bottom line is that information – health, personal, financial – is valuable. Gone are the days when attackers went after only easy targets and insecure networks. We all remember the old line: “How fast do you need to run when you are being chased by a grizzly bear?” Answer: “Only a little faster than the slowest person in your group.” Now we must ask, “What if you are carrying a jar of honey that the bear wants? How valuable is that honey to you, and what will you do to protect it?”