The Cost of Not Securing Your Data!
Unless you’ve been hiding under a rock, you will be aware of the unprecedented speed at which the digital economy is developing. The exponential growth of big data, cloud computing and artificial intelligence poses serious challenges for customers and companies with regard to protecting private data. Data breaches remain a top threat for Chief Information Security Officers the world over, particularly since many governments have introduced legislation for the protection of customer information. As the number of users of digital services continues to grow, there is a need to provide more and more legitimate access to their data. This in turn gives malicious attackers greater opportunity to gain access to that data. For consumers, knowing when and when not to provide their personal information becomes a nightmare.
A 2019 report by IBM Security and the Ponemon Institute on the Cost of a Data Breach states that the global average cost of a data breach is $3.92 million, a 1.5 percent increase from the year before. A data breach not only takes a lot of time and money to fix; sometimes the bug cannot even be completely remedied. This in turn directly affects customers’ trust in the company, which will impact the business’s bottom line.
Let’s look at the commercial impact of the largest data breach in the hotel industry as an example. On November 30, 2018, Marriott International, the largest global hotel chain, issued a security bulletin announcing that the guest reservation database of its Starwood hotels had leaked information. Marriott and Starwood had announced their merger earlier that year. It is believed that details of nearly 500 million Marriott customers had been accessed by cyber criminals. The leaked data included hotel visitors’ information such as name, mailing address, phone number, email address, passport number, Starwood VIP customer information (SVIP), date of birth, and gender. Marriott highlighted that some of the leaked information also included credit card numbers and expiration dates.
According to a report, Marriott discovered the data breach on September 8, 2018 and successfully blocked the intrusion in just two days. However, it took security experts more than two months to trace the stolen data, and they recovered only part of it, with limited information about the leak pertaining to the customer. Because of concerns about possible backdoors and Trojans in Starwood’s system, Marriott decided to completely abandon Starwood’s IT systems.
Murphy, Falcon & Murphy, a law firm in Baltimore, USA, has filed a national class action lawsuit against Marriott International, claiming USD 12.5 billion, or $25 for each customer whose privacy may be compromised. Murphy noted: “Marriott’s actions have damaged all aspects of the customer’s personal identity, making them vulnerable to identity theft, fraud and injury in the next few years. We will continue to work hard until Marriott resolves the problem and properly compensates the victim’s loss.”
A data breach not only affects the personal interests of each customer but also brings irreparable financial losses to the company. After releasing the security bulletin, Marriott’s share price fell more than 6%. At the same time, the loyalty membership plan that Marriott had high hopes for saw numbers reduced by 25%. According to the Ponemon Data Breach Cost Report, “50 million records will bring up to $350 million in losses”. Based on this, Marriott International Group may suffer a loss of $3.5 billion in this incident, including technology, security, and legal costs. Moreover, in July 2019, the UK Information Commissioner’s Office imposed a huge fine of GBP 99.2 million (USD 1.24 billion) on Marriott Group in accordance with the GDPR.
The amount being spent on IT security is naturally seeing significant growth. In fact, Gartner predicts that the overall global spend on information security will exceed USD 124 billion in 2019. Colin Giles, COO of Xcalibyte, believes that the amount spent on IT security is important, but that beyond just the cost, at the heart of creating a secure environment is the need to foster a culture of developing applications with a quality-first approach and a security-by-design mindset. This needs to start at the top of an organization and become pervasive throughout the whole company’s business processes. It supports the reduction of vulnerabilities, ensures product quality and in turn protects the reputation of the company. This then reduces the costs and potential losses that result from any potential breach, and any impact on reputation that ensues.
Imagine for a moment what kind of financial implications a breach of your customer data would have on your company, and then decide if you need to re-examine your security measures. According to Gartner’s report, 75% of hacker attacks occur at the web application layer. Since most of the security incidents caused by inefficient application layer protection are due to coding defects introduced in the Software Development Life Cycle (SDLC), it is believed that by applying shift-left testing in the SDLC, where defect detection starts at an early stage, developers are able to deliver higher quality code with fewer vulnerabilities. Also, the “Relative Cost of Fixing Defects” report by the IBM System Science Institute points out that, compared to the coding stage, the fixing cost is doubled at the standard testing phase and is 15 times greater at the post-release stage. By reviewing, identifying and fixing defects early in the SDLC, companies can minimize the impact on efficiency, productivity and creativity. Security is no longer owned and governed by IT as a back-office function. Rather, it must be addressed from the top as a key pillar of doing business in this digital age.