Organizations can reduce the cost of breaches when they have the right processes and protections in place to minimize exposure, a new study concludes.
The root causes of the breaches were hacking/malware (35%), unauthorized access (27%) and physical theft (23%).
31% of companies estimated their post-breach costs ranged from $1,000 to $100,000; 31% said losses were more than $1 million; 27% reported losses from $500,000 to $50 million, and 23% experienced losses from $100,000 to $500,000. Only 8% said costs were greater than $100 million.
81% of companies had a data classification program prior to breaches, keeping the cost of clean-up low for the majority of companies.
Slightly more than 23% of companies fell into each of three remediation-time bands: one day to one week, one week to one month, and one to three months. The remaining 38% said it took three months or longer to fully remediate their breaches.
Less than 35% reported no lingering effects after remediation, and 4% did not know whether there were lingering effects. The remaining respondents experienced effects for one month or more.
62% of companies had to notify customers, while 64% said their breach did not receive media attention.
Sensitive financial data was breached in 42% of the breaches; 27% of those companies still pay for credit monitoring services, 23% for information hotlines and 19% for credit card reissuance fees.
50% of companies used in-house services only, while 46% used a combination of in-house and third-party services and 4% relied on external consulting support.
73% of companies also used internal counsel, while 19% hired outside counsel that specialized in post-breach services.
More than 50% of companies said cyber-insurance was not applicable because they did not have a policy (28%) or they were self-insured (28%). Additionally, 16% said their total losses were covered, while 12% said losses were only partially covered.
58% of companies invested in new tools for forensics and data recovery as part of the breach response, priced from $3,500 to $300,000. More than 70% also added a mix of administrative, physical and technical controls.
Pre-breach recommendations: catalog major business processes; identify processes that handle critical or sensitive data; create an access control system; identify what assets hold or carry that data; determine what data is likely to be stolen, and determine the types of disruptions.