There may be a larger number of data breaches attributable to employee errors, but those caused by malware or spyware are most expensive, note survey findings released by San Francisco-based
Beazley Insurances Services.
Beazley Insurance – which analyzed 1,500 data breaches serviced by the company in 2013 and 2014 – reports the two most common sources of breaches were unintended disclosure, while breaches due to malware or spyware are, on average, 4.5 times more costly than unintended disclosure.
Unintended disclosure includes actions such as misdirected e-mails and faxes, as well as the physical loss of paper records – representing 31% and 24%, respectively, notes a statement last week from Beazley Insurance, whose lines include professional indemnity, property, marine, reinsurance, accident and life, political risks and contingency business.
From 2013 to 2014, Beazley Insurance reports it has seen a 10% increase in breaches attributable to someone inside the company, either an employee or contractor.
“Most breaches occur because of human error. Training is a critical step in breach preparedness. It is important to train employees to spot the indicators of a phishing email,” the statement notes.
At 11%, malware and spyware-related breaches accounted for a smaller portion of total breaches, but breaches due to malware or hacking are on the rise, climbing 20% from 2013 to August 2014, notes Beazley Insurance.
Beyond the increase, these breaches are more costly. “Due to heavy forensics costs (money spent to find out exactly how the breach occurred) these breaches are on average 4.5 times more costly than the largest loss category, unintended disclosure,” the company statement adds.
Preventing breaches
The majority of data breaches are avoidable with appropriate training and security measures in place, argues Katherine Keefe, head of Beazley Breach Response (BBR) Services, citing a particular need for encryption services for both large-scale computer networks and mobile services as a cornerstone of cloud security.
“With more information being stored electronically and in the cloud, the risk of data breaches is growing,” Keefe says in the statement. “Consumers expect their privacy will be protected, and a data breach can have serious reputational and financial impact,” she says.
Beazley Insurance cites findings from the March 2013 study by Economist Intelligence Unit (EIU), which involved consumers in 24 countries, that found 18% of respondents had been a victim of a data breach, and of those, 38% reported they no longer did business with the organization “because of the data breach.”
Reputational and financial impact can be minimized by a considered response should a data breach occur, the statement notes.
Steve Visser, managing director of the disputes and investigations practice for Navigant Consulting Inc., a partner to Beazley's BBR Services, emphasizes the need to properly understand the cause and extent of a breach. “We have seen companies react too quickly without fully understanding the breach. That could result in them misinforming their customers or the public,” Visser explains.
Among other things, the EIU survey from 2013 also found that 60% of respondents said they have sometimes not purchased a product or service because of concerns about the security of their information; 46% of respondents who had suffered a data breach had advised friends and family to be careful of sharing data with the organization; and incentives for businesses to protect personal data were seen as inadequate by almost 70% of respondents, with little variation among European, American and Asian respondents.
Beazley Insurance offers the following five tips to avoid data breaches:
• encrypt devices – encryption is a safe harbor under virtually every breach notification law (more than 73% of the serviced breaches in 2013 involving portable devices could have been prevented with encryption);
• automate patch management – staying on top of the latest available software patches and moving to automated patch management can protect against a breach;
• enforce password complexity – computer systems can now systematically cycle through all permutations of potential passwords;
• be alert to phishing – most breaches occur because of human error, so training is a critical step in breach preparedness; and
• double check before hitting send – double-checking the contents of a file, e-mail address or mailing details can really save, especially when sending data to outside vendors.
