The Data Behind Data Security
We often mention how tokenization can help you achieve PCI compliance and avoid data breaches. However, without context, those facts don’t mean much. After all, if you don’t know how prevalent or damaging data breaches and PCI violations can be, it doesn’t seem like a big deal to protect yourself from them.
With that in mind, some of the latest industry research shows the consequences of poor security practices, and what you can do to avoid making the same mistakes.
Part 1: Data Breaches Over Time
This data from the Privacy Rights Clearinghouse website shows the frequency of data breaches over time. Last year, 2012, the United States had more reported data breaches than ever before. The number of reported breaches was 682 last year, involving at least 27 million sensitive records – more records than there are people living in Texas.
More telling is the total number of breaches since 2005: 3,557 reported incidents, involving a total of more than 607 million sensitive records and pieces of data. That’s more than twice the population of the entire country, meaning many people had multiple records compromised – Social Security numbers, credit card and banking info, HIPAA records, and so on.
Keep in mind, too, that all these figures refer only to reported data breaches – and that the total number of records involved in many large breaches is unknown. In reality, the true number of data breaches that occur each year, and the scale of those breaches, is unknown and probably impossible to calculate.
Part 2: Data Breaches By Industry (2012)
In 2012, data breaches occurred across a number of industries, but the biggest offender was the business sector, where 265 total breaches were reported, or 39% of the 682 mentioned above. Closely following was the medical industry with 224 data breaches, or 33% of the total. This is particularly concerning because these industries routinely handle a wide variety of sensitive information, such as Social Security numbers and other identifying values, insurance data, banking information, credit card numbers, and so on.
Part 3: Data Breaches By Cause (2012)
In this chart we can see the different causes of data breaches, again for the 683 that were reported in 2012. Hacking was the biggest cause of breaches – 230 in total, or 34%. Another, possibly surprising, cause of a large proportion of data breaches was the simple loss of a device or records – a misplaced or stolen computer, records file, thumb drive, server, or what have you. 222 breaches, 33% of the total, were caused this way in 2012.
This wouldn’t seem so bad if it weren’t for another corresponding statistic, coming from the 2012 Verizon Data Breach Investigations Report. According to their research, a full 96% of the applicable organizations that experienced a data breach were not PCI compliant – in other words, their security standards and practices weren’t up to snuff.
Part 4: The Cost of a Data Breach
Every year, the Ponemon Institute releases a study examining the costs of data breaches. The 2013 study, using 54 cases of data breach from 2012, calculated the following costs incurred by companies that experienced data breaches:
- Breached organizations see an average cost of $188 per customer record compromised.
- They also see an average total cost to the company, including lost business costs, of $5.4 million.
- The organization loses an average of $3.03 million in business after a data breach.
- Organizations with codified, formal response plans for data breaches saved up to $42 per breached record over companies without response plans.
In short, the Ponemon study shows that a data breach can break a business, especially smaller companies that don’t have a great deal of revenue. And when considering that these breaches can come from malicious outside sources or a variety of internal causes, the need for comprehensive data security and response plans becomes clear.
So What Can You Do?
The most important thing to do is take steps to secure your data. The most common solution is secure encryption, and that provides an adequate degree of protection for most users. However, since encryption can eventually be cracked given enough time, it’s not ideal – and encrypted cardholder data still remains in scope for PCI compliance.
Another solution is tokenization, where your sensitive data is stored off-site in a highly secure electronic vault. In your own system, the data you need is replaced with “tokens,” placeholder values that represent real information without being subject to compliance or security problems. This can be a more comprehensive solution, especially for businesses that deal with a large volume of sensitive data.
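To make the vault/token split concrete, here is an added Python sketch that is not part of the original post and is not TokenEx's own implementation. It models the two sides described above: a vault that keeps the real card number and hands back a placeholder, and a merchant application that only ever stores the placeholder. The class and function names (TokenVault, store_order) are hypothetical, and the card number used is the well-known Visa test value, not real data.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault: the only place the real PAN is ever kept.

    In a real deployment this lives off-site, behind authentication and audit
    logging; the merchant system never holds the mapping.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        # Same PAN -> same token, so the merchant can recognise a repeat card
        # without ever seeing the number (a design choice, not a requirement).
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Format-preserving token: random digits, last four kept for display.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that are unique-violating or that happen to pass Luhn,
            # so a token can never be mistaken for (or used as) a real card number.
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; unknown tokens raise KeyError."""
        return self._by_token[token]


def store_order(vault: TokenVault, customer: str, pan: str, amount: int) -> dict:
    """Merchant-side record: the PAN is exchanged for a token before persistence,
    so the merchant database contains nothing that is in PCI scope."""
    return {"customer": customer, "card_token": vault.tokenize(pan), "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    record = store_order(vault, "alice", "4111 1111 1111 1111", 2500)  # constructed test PAN
    print("stored by merchant:", record)
    print("recovered by vault:", vault.detokenize(record["card_token"]))
```

The point of the Luhn rejection loop is that a leaked token database should be worthless on its own: every token fails the card-number check, and the mapping back to real numbers exists only inside the vault.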
Also, devising a response plan is very important. In the event of a data breach, you must be able to conduct an investigation into the cause and have a notification system set up to let customers know what happened. Also, appointing an information security officer and keeping an overall strong security stance after a breach can reduce your total losses.
There is no one strategy for recovering from a data breach – but there are plenty of ways to help prevent them from happening. Stay educated and be conscious of your own security, and you drastically reduce your own risk.
TokenEx is an enterprise data tokenization service that provides data security solutions to companies of all sizes. If you would like to learn about how tokenization can help your business reduce the risk of a data breach, contact us and begin tokenizing your data today.