What data in your company is okay to be stolen? The answer is usually none of it, of course! However obvious it may seem that all of your company’s data is valuable and should be protected, doing so is no small task.

Last month, as a Platinum Sponsor, we held a discussion panel around this topic at the Lunch and Learn hosted by the Arizona Technology Council at Appointment Plus.

The Panelists

Arnold Jee, CEO of Rare Labs
Gary Bennett, Chief Architect of Rare Labs
Howard Asher, Executive Managing Director, Regulatory Affairs Certified Advisor
Geoff Odell, CEO of Trusted-HIT

Data Breach

The consequence of falling behind the curve on cyber security is often a breach – the severity of which can vary. While no size of breach should be acceptable, some large breaches have had a massive negative impact on several major companies.

Retail Data Breaches

Target
• Compromised POS terminals related to swiping magnetic strips on credit cards
• Impact: 70 million customers affected

Honda – Canada
• Myhonda and myacura websites hacked
• Impact: 283,000 names, addresses, VIN numbers taken

TK/TJ Maxx
• Largest retail breach: debit/credit card information stolen via the Wi-Fi network
• Impact: 94 million users’ data stolen

Healthcare Data Breaches

Anthem
• Employment information compromised
• Impact: 80 million names, DoBs, member IDs / SSNs, addresses and employment information

South Carolina Government
• Inside job – access to personal information and Medicaid beneficiaries
• Impact: 6.4 million affected

UK’s National Health Service
• Laptop with unencrypted records was missing from storage room. It was not reported until 3 weeks later
• Impact: 8 million patients exposed

Media Data Breaches

Sony Entertainment
• User accounts, music codes/coupons, employee information, film scripts
• Impact: over 100 terabytes of data leaked

Washington Post
• Hackers broke into job posting website
• Impact: 1.2 million users’ IDs and email addresses

Twitter
• Hackers accessed the website
• Impact: 250K usernames, emails, addresses, and session tokens exposed

Cost of Data Breach

Aside from losing face, companies that have been breached are also left with hefty costs to repair the damage. Take a look at these dizzying numbers.

Incident Detection & Escalation Cost: $600,000/breach
Notification Costs: $560,000/breach
Post Data Breach Costs: $1,640,000/breach
Lost Business Costs: $3,720,000/breach

Broken down on a per-user scale, data breaches can cost the affected company anywhere from $175 to $400 per user, depending on the industry.

Challenges in IT

Securing a product or company is much more easily said than done. These are some of the biggest challenges that your IT team will face regarding cyber security.

  1. Endpoints are evolving and always changing
  2. Staying current (infrastructure, software, VoIP, patches, etc.)
  3. High financial and human capital investments
  4. Do more with less, and have faster delivery
  5. Offensive – Hackers
  6. Defensive – Lack of a plan

Building a Project: Where to Start

So, maybe we’ve spooked you a bit with the costs and difficulties of protecting your company’s data. While cyber security threats definitely deserve a healthy amount of respect, the threats can be minimized. When starting a project, we suggest taking these steps to help ensure that your data is secure.

  1. Create a plan for BEFORE, DURING, and AFTER your product is deployed – utilize the Threat Modeling methodology
  2. Understand the risks for your application, whether it is regulated or not
  3. Rank your security objectives and then those of your application (MVPs)
  4. Note the movement of data – in transit, at rest, and residing at all stages
  5. Identify vulnerabilities – wear the ‘hat’ of both a defender and an attacker
  6. Build countermeasures: Preventative, Detective, and Corrective

In addition to taking these steps, here are a few pro-tips that may assist you in securing data:

  1. Look for architecture solutions where security is a top concern (UI/UX, Middle, Backend)
  2. Ensure architecture follows best practices (Microsoft and OWASP)
  3. Perform security probes and analysis in early stages of development
  4. Partner with a development team with security expertise, and ensure your own staff receive the training they need to keep up with changing security threats

 
