The All-in Cost of a Data Breach
IBM's annual Cost of a Data Breach Report 2021 quantified some of the direct and indirect costs of data breaches. The study examined breaches involving as few as 2,000 compromised records, so it is relevant to auto dealers large and small.
The overall average cost per compromised record in the 2021 study was $161, up from $146 per lost or stolen record in the 2020 report year. So, if 10,000 records were compromised, the all-in cost would be $1,610,000.
Compromised credentials, where a hacker obtains a user's system credentials and uses them to get into your system, were the largest cause of NPI breaches. Email compromise, such as phishing attacks, social engineering, and malicious insiders were leading examples of how costly data breaches began. Lost business accounted for 38% of the cost; this includes increased customer turnover, lost revenue due to system downtime and the diversion of management talent, and the increased cost of acquiring new business because of a diminished reputation.
Remote work was cited as one reason for the increase in data breaches last year. IT changes such as cloud migration and remote work increased the costs. Organizations with more than 50% of their workforce working remotely incurred $750,000 in higher costs than organizations that did not, a difference of 16.6%. It also took companies with more than 50% of employees working remotely an average of 58 days longer to identify and contain a breach. Overall, it took an average of 287 days to identify and contain a breach, and the longer the delay, the greater the costs.
Ransomware attacks were also quantified by the study. In a ransomware attack, a criminal takes over and encrypts your system data and refuses to turn over the key unless you pay a ransom. Ransomware attacks cost an average of $4.62 million, more than the average data breach ($4.24 million). These costs included escalation, notification, lost business, and response costs, but did not include the ransom itself.
Costs can be characterized in four categories:
- Detection and escalation, including forensics, audit, containment, and system fixes;
- Notifications to regulators, law enforcement, affected consumers, and other third parties;
- Post-breach response: the costs of credit monitoring for affected consumers, help desk and inbound communications, PR, legal expenditures, fines, and litigation defense and resolution; and
- Lost business: business disruption and revenue losses.
Safeguards: Steps You Can Take to Reduce the Risk
There is no magic bullet that can ensure you will never suffer a security breach. However, you can take steps to reduce the risk and, if you are ever breached, you will be judged largely by the prudence of the steps you took. Here are ten basic steps (not a comprehensive list) that all dealers should take:
- Education - All your people are at risk of being compromised. Any employee can click on a phishing link in an email or text message that will enable a hacker to follow them into your system. It is critical that all personnel be trained upon hire, and at least annually thereafter, on best safeguards practices: not clicking on links or unknown attachments, keeping paper records containing NPI locked up and not out in the open (a clean desk policy), and never giving out personal information or system access credentials. Lock your computer when you walk away from it.
- System Protections - Your IT people should put NPI on a separate stand-alone server that is not connected to the Internet and requires dual factor authentication to access. Your system should permit "read only" access to the NPI server and should not allow information to be combined or downloaded onto external devices such as USB drives or external hard drives.
- Credentials - Not everyone in your organization needs access to NPI. Chances are that more people have access to it than need NPI to do their jobs. Limit permissions to only those who need NPI and give them only the minimum permission they need. Authenticate people with dual factor authentication: something they know (like a password) and something they have (like a security code sent to a personal smartphone). And require a separate sign-in for the NPI server, distinct from the sign-in to your system generally.
- Tracking Access to NPI - For electronic records, your IT people can set up a system that tracks each user's access to NPI. You can see each user's pattern of access frequency. If that pattern spikes at any time, it may be a sign that someone has compromised their credentials and is using them unlawfully. You will then have the ability to shut the user down or re-credential them. For paper records, a library system in which users must record taking and returning files will help make sure files don't disappear and will show when a file is accessed too frequently, which may also suggest a malicious purpose.
- Passwords - Compromised passwords are one way that hackers access your system. You should require personnel to use complex passwords: preferably 10 or more characters, with a combination of upper case, lower case, numerals, and symbols. Force password changes every 90 days and prohibit reuse of passwords. Employees should not share passwords or write them down where they can be seen. As noted above, use dual factor authentication for access to the NPI server.
- Whitelisting and Blacklisting Web Sites - Your personnel should not be able to use your system to access any website. Web-based email such as gmail, yahoo, icloud and others are notorious for containing malware-laden content. Only websites necessary for the dealership's operations should be permitted, or "whitelisted." The system should be set up to deny access to any other sites. The IT staff and your Chief Compliance Officer or security officer should have to sign off before any new website can be whitelisted.
- Install and Update Firewalls and Security Software - It is critical that your system and your NPI server be protected with firewalls and security software. If you are going to allow your personnel to use mobile devices to access your system, use mobile device management (MDM) software on the remote devices. MDM is security software that enables IT departments to implement policies that secure, monitor, and manage end-user mobile devices. This includes not only smartphones but also tablets, laptops, and even IoT (Internet of Things) devices. Updates should be installed as soon as they are available, especially critical updates from the providers.
- Cyber Insurance - Cyber insurance generally covers your business' liability for a data breach involving NPI. In the event of a data breach, it can help cover the costs of notifying customers about the breach; providing credit monitoring or other steps to protect the identity of compromised consumers; recovering compromised data; and repairing damaged computers or systems. The price of cyber insurance has increased substantially over the past few years. Manage the cost through deductibles and coverage limits. Some cyber insurance is better than none.
- Backup Critical Data - This is particularly important given current ransomware attacks in which a hacker gains access to and encrypts your data and refuses to give the encryption key unless you pay a substantial ransom. Hardware failure, viruses, or other causes can make information unavailable as well. Have a secure backup system in place to which only senior officers and IT staff can get access in the event it is necessary to restore systems or data.
- P2P and Social Networks - A peer-to-peer (P2P) network connects computers directly to one another over a LAN or the Internet. You should remove any P2P networks and any file-sharing clients that have been installed on your system. Most P2P applications have worldwide sharing turned on by default during installation, and they run the risk of downloading viruses or malware or of having your data shared across the Internet.
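The "Tracking Access to NPI" item above recommends watching each user's access frequency and treating a sudden spike as a possible sign of compromised credentials. The following is an added example, not code from the article or from any dealer management system; it assumes the NPI server writes a simple access log with one line per record read in the form "timestamp user record-id" (an assumed format), builds a constructed sample log in that format, and flags any user-day whose access count is far above that user's own baseline. The off-hours count and the business-hours window are also assumptions for illustration.

```python
"""Added example: flag spikes in per-user NPI access volume from an access log.

Not part of the original article. The log format (ISO timestamp, user, record id)
is an assumption, and the sample data below is constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Assumed business-hours window used only to annotate alerts (07:00-18:59).
BUSINESS_HOURS = range(7, 19)


def build_sample_log() -> str:
    """Constructed sample log: fsmith reads 2 records a day for four days; jdoe
    reads 1 record a day for three days, then 40 records between 02:00 and 02:39
    on the fourth day, the kind of spike the article says to watch for."""
    lines = []
    start = datetime(2021, 9, 1, 9, 0)
    for day in range(4):
        d = start + timedelta(days=day)
        for i in range(2):
            ts = d + timedelta(minutes=30 * i)
            lines.append(f"{ts.isoformat()} fsmith DEAL-{1000 + day * 2 + i}")
        if day < 3:
            ts = d + timedelta(hours=2)
            lines.append(f"{ts.isoformat()} jdoe DEAL-{2000 + day}")
    burst = datetime(2021, 9, 4, 2, 0)
    for i in range(40):
        ts = burst + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} jdoe DEAL-{3000 + i}")
    return "\n".join(lines) + "\n"


def parse_log(text: str):
    """Parse 'timestamp user record' lines into (datetime, user, record) tuples.
    Malformed lines raise rather than being silently skipped, so a truncated or
    tampered log is noticed instead of producing a quietly lower count."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events


def daily_counts(events):
    """Map user -> {date: number of NPI records read that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, _record in events:
        counts[user][ts.date()] += 1
    return counts


def find_spikes(events, min_history=3, factor=3.0, min_count=10):
    """Return one alert per user-day whose count is at least min_count and more
    than factor times that user's mean daily count over earlier active days.

    Caveat: the baseline only includes days on which the user read something;
    days with no access are not present in the log and so do not pull it down.
    min_count keeps a user whose baseline is 1 from alerting on a normal 4."""
    counts = daily_counts(events)
    off_hours = defaultdict(lambda: defaultdict(int))
    for ts, user, _record in events:
        if ts.hour not in BUSINESS_HOURS:
            off_hours[user][ts.date()] += 1

    alerts = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough of a track record to judge against
            baseline = mean(history)
            n = per_day[day]
            if n >= min_count and n > factor * baseline:
                alerts.append({
                    "user": user,
                    "date": day,
                    "count": n,
                    "baseline": baseline,
                    "off_hours": off_hours[user][day],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_spikes(parse_log(build_sample_log())):
        print(f"{alert['date']} {alert['user']}: {alert['count']} reads "
              f"(baseline {alert['baseline']:.1f}, {alert['off_hours']} off-hours)")
```

An alert is a prompt to suspend the account or re-credential the user, as the item describes, not proof of misuse: a legitimate month-end reporting task can also produce a spike, which is why the alert carries the baseline and the off-hours count for a human to weigh.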