Businesses spend an estimated $84 billion each year defending their data against cyber-attacks. However, a recent report by Accenture (the “Report”) highlights the stark disconnect between these costly protection measures and their efficacy. The Report is based on the results of a survey conducted by Accenture of 2,000 executives from 12 industries and 15 countries across North America, South America, Europe and the Asia-Pacific region.
According to the Report, the failure rate of data breach prevention is “alarmingly high.” Approximately one-third of targeted data breach attempts against corporations are successful, yet three-quarters of executives have not lost confidence in their cybersecurity strategies.
The “alarmingly high” failure rate is further exacerbated by the “sheer volume” of cyber-attacks being conducted. On average, organizations are subject to more than a hundred targeted breach attempts each year, in addition to the thousands (and sometimes millions) of random breach attempts prevented each week. This means that these organizations can expect, on average, two to three successful attacks per month.
Accenture estimates that data theft currently costs organizations an aggregate of $2 trillion per year and that this number could potentially reach as high as $90 trillion by 2030 if trends continue. As we recently reported on The Spotlight, the average cost of a data breach for a Canadian company exceeds $6 million.
Why do Typical Strategies Fail?
While a majority of those surveyed for the Report admitted that it typically takes “months” to detect successful attacks, 17% confessed that such identification often takes a year or longer. This lag not only prevents organizations from properly responding to specific breaches, but also makes building an effective cybersecurity strategy nearly impossible. By the time a breach is identified, the data is already gone. By the time the vulnerability is identified, another thief has deployed a different strategy.
Further compounding the issue is the presence of both internal and external threats. Different protective strategies are required to deal with internal and external data theft, and the Report shows that most organizations have a difficult time prioritizing resources to properly protect against both.
Facing Reality – Data Breach Prevention Strategies
In the face of these gloomy statistics, those charged with a corporate cybersecurity mandate may be wondering how to survive in this increasingly risky landscape. The Report suggests the following:
- Define cybersecurity success
- Pressure-test security capabilities the way adversaries do
- Protect from the inside out
- Invest to innovate and outmaneuver
- Make security everyone’s job
- Lead from the top
- Build on past lessons
In order to implement these strategies, it is critical that businesses provide the necessary training to employees at all levels of the company. Law firms with expertise in privacy and data breach prevention provide a vital service in this regard.
Third party service providers are often the weakest entry port for data breaches. Well-drafted contracts contain, amongst other things: (i) representations and warranties from the service provider that its cybersecurity meets the desired standards; (ii) covenants that the service provider will notify the business immediately upon discovering a potential breach; (iii) audit rights; and (iv) indemnification provisions that protect the business from bearing the economic burden of a data breach.
Organizations need to recognize the true scale of the cyber-attacks they face, adapt to the changing landscape, and incorporate these best practices to protect their bottom line from the costs of data breaches.