Unless you’ve been living in a cave somewhere, you’ve certainly heard news about stolen and hacked data, commonly referred to as data breaches. They occur with great regularity, and there is no indication that the frequency of data breaches is slowing down. Organizations must take more aggressive actions to prevent the sensitive information in their care from being stolen and abused.
The Prevalence of Data Breaches
Data breaches have been in the news now for close to 2 decades. The Privacy Rights Clearinghouse (www.pri
vacyrights.org/ar/ChronDataBreaches.htm) began tracking data breach activity on Feb. 15, 2005, which is the date of a significant data breach at ChoicePoint, a consumer data aggregator (www.aclu.org/other/faq-choicepoint). This breach represents a turning point because it involved the personal information of more than 165,000 consumers, and it resulted in at least 800 cases of identity theft. ChoicePoint wound up paying $15 million in FTC fines to settle charges that it failed to protect consumers’ personal information.
Since the ChoicePoint breach in 2005, there have been more than 8,000 data breaches impacting more than 11.5 billion total records containing sensitive personal information. Last year, there were more than 800 data breaches that impacted more than a billion records. And, in the first 2 months of this year (2019) alone, there were 39 data breaches that impacted more than a million records.
There is no slowdown in terms of data being breached and stolen. Gemalto, a digital security firm, has reported that more than 6 million records are lost or stolen every day. That translates to 75 records breached every second. In fact, in the time it took for you to read this paragraph, more than 4,000 records were lost or stolen!
Nobody wants their information to be stolen or lost, so it makes sense for organizations to combat data breaches. But if you consider all of the mitigating factors, the importance of protecting data from breaches becomes even more important.
Data breaches impact customer loyalty. Most consumers will not continue to do business with companies that have had sensitive data stolen. Furthermore, there are industry and government regulations that demand organizations protect sensitive data. But, according to Gemalto’s “2015 Breach Level Index,” 75% of customers do not believe that companies are taking the responsibility to protect their data all that seriously. Clearly, there are problems here.
The Cost of a Data Breach
Irrespective of customer expectations, a data breach impacts the bottom line. The average cost of a data breach increased by 6.4% in 2018 over the previous year, with the average cost per breach event being almost $4 million, according to the Ponemon Institute’s “2018 Cost of a Data Breach Study.”
These factors range from the amount of data involved, regulatory fines and legal costs, the cost of notifying customers and providing credit monitoring, to the loss of your company’s reputation, which can be a significant concern.
So the average cost of a data breach may be about $4 million, but the actual cost for each data breach can vary widely from that average. The Verizon “2015 Data Breach Investigations Report” indicated that a breach impacting 1,000 records will cost anywhere between $52,000 and $87,000. But the cost-per-breach event scales higher as the number of records increases. The same report shows that a breach impacting 10 million records will cost between $2.1 million and $5.2 million. In other words, the cost escalates quickly as the number of records breached increases.
What Can Be Done?
And where are thieves looking for this data? Honestly, wherever it exists. But a primary target is database servers because that is where a lot of the most interesting personally identifiable data exists. It’s information such as names, addresses, phone numbers, Social Security numbers, financial data, and so on. Where does your organization store these things? Probably in a database.
The frequency of attacks between 2009 and 2015 shows that databases are a prime target area, so it is important to be able to monitor and protect your database servers from attacks and breaches.
What can we do to enact proper controls on our databases to comply with regulations and comba data breaches? There are many answers to this question. First of all, make sure that your databases are protected using the security and authorization controls that come with the DBMS (or an equivalent capability). And keep up with the employees as they leave the company or transfer departments by changing their authority as needed.
You can also use encryption on your data at rest and in transit, as well as on your backup files. Keep your DBMS current on maintenance by applying critical patches quickly, and implement a database auditing capability.
Database auditing is the process of monitoring access to, and modification of, selected database objects and resources within operational databases and retaining a detailed record of the access where said record can be used to proactively trigger actions and can be retrieved and analyzed as needed. There are a lot of considerations in terms of how to implement and administer database auditing that are beyond the scope of this month’s column, but I discussed some of them in an August 2016 article, “Improving IT Security With Database Auditing Techniques” (www.dbta.com/Columns/DBA-Corner/Improving-IT-Security-With-Database-Auditing-Techniques-112755.aspx).
The Bottom Line
Data breaches are common and costly. So it makes sense to spend some time and money up-front to better secure your data ... and also to spend some time and money to be able to monitor and audit access to your databases and systems.