Just recently, a major cyber attack on the state-run health insurance provider of the Philippines resulted in the leaking of subscribers’ data. This happened after the government refused to pay the $300,000 ransom sought by the perpetrator, which was identified as the Medusa hacking group. Data of millions of citizens are now in the hands of threat actors, prompting the Philippine government to issue a warning to brace for a deluge of scams and other attacks using the stolen data.
Major attacks on databases are not new. Even the United States and other more technologically advanced countries have suffered from several embarrassing cyber breaches over the past few years. However, what these attacks repeatedly prove is that the worst consequences could have been avoided or the attack could have been prevented altogether if only organizations observed cybersecurity best practices and used the right defensive solutions.
Using best practices in data security
The rampancy of data attacks calls for enhanced data security. On a positive note, there are already numerous solutions to make this possible. Organizations can quickly adopt more effective and efficient data security systems from existing technologies. Also, it helps that there are sensible regulations that promote data safety and security. Security firms, industry associations, nonprofit institutions, and government agencies have also been collaborating to develop data protection frameworks to guide everyone toward efficient and secure data handling.
Organizations need not build their data security systems from scratch. They can take advantage of existing solutions, frameworks, and best practices to achieve database compliance and dependable security. Doing this should have been a no-brainer for everyone. Unfortunately, this is far from what is happening in reality.
Many organizations fail to observe the best practices in collecting, storing, and dispensing their data for various reasons. For one, they do not have enough resources to implement sophisticated data security. There is also the problem of cybersecurity skills shortage. Even if organizations have enough allocation for security, the lack of expertise and experience poses serious difficulties. Additionally, many organizations continue to be reactive when it comes to cybersecurity, despite security experts’ incessant push to achieve proactivity.
Tools, solutions, platforms, frameworks, and even regulations to combat data attacks are readily available. They have proven their effectiveness over the years. They may not be infallible, but with proper implementation, they are enough to prevent the worst consequences of cyber threats.
Data security fabric (DSF) solutions, for example, allow organizations to optimize their security visibility and data risk management capabilities. They provide effective protection against a host of threats including brute force attacks, code injection, credential hijacking, and insider threats. They also make it possible to automate and orchestrate responses to threats. At the same time, DSF solutions help organizations comply with relevant regulations by consolidating reporting operations, keeping data audit records, and facilitating IT forensics.
Data: A favorite cyber attack target
Amid a continuously changing cyber threat landscape, many of the most prominent attacks tend to target data. Ransomware, for example, is about forcing victims to pay some amount to recover their data. The attack on the state-run insurer in the Philippines is also centered on data, particularly a form of extortion that leverages the importance of keeping data private and secure. Other common attacks such as phishing, drive-by compromise, data exfiltration, SQL injection, and man-in-the-middle also focus on data.
Indubitably, data is a crucial organizational asset that threat actors covet. However, not many organizations view it as such, and they seem to have no sense of urgency in instituting data security measures. That’s why it is reassuring that there are laws and regulations aimed at compelling everyone to be more prudent with their data handling. Some of the well-known data protection regulations include the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley (SOX) Act.
Governments are acknowledging the importance of securing data. It is high time for everyone to pay more attention to data security and invest in the right tools and the implementation of sensible security frameworks and best practices.
Data protection and breach costs
Organizations spend around 12 percent of their IT budgets on cybersecurity. In dollar values, this translates to yearly cybersecurity spending of around $404,000 (for organizations with annual revenues lower than $50 million) to $7.4 million (for those earning at least $2 billion per year). These numbers certainly sound overwhelming, especially under the current economic situation. However, all the expenditure on cybersecurity is justifiable given the cost of data breaches.
To clarify, the numbers above refer to the average overall annual cost of cybersecurity for every organization. It is difficult to separate the specific costs for data security since data security and other cybersecurity solutions usually have overlapping functions.
Once the cybersecurity costs are compared to the cost of data breaches, it should not be difficult to see why it makes sense to invest in data security to prevent breaches or at least minimize the damages. Numbers compiled by Statista show that the average cost of a data breach in 2023 is $9.48 million. This is a per-incident value, which means the costs go higher as more data breaches are encountered.
Moreover, the costs of data breaches are not limited to pecuniary losses. Organizations also suffer from reputational damage, which can sometimes be more devastating than the financial losses. The loss of customer trust causes a significant erosion of competitiveness and even the possibility of bankruptcy. Also, penalties are imposed for violations of data security regulations that lead to breaches, regardless of the severity of the breach.
The takeaway
Organizations must treat data security as an urgent concern. Perceiving the introduction of data privacy and security laws as an inconvenience and added cost of operation is counterproductive and potentially self-defeating. Data compliance may sound like a burden, but it has been helping organizations avoid data breaches or mitigate the damages. There are costs in achieving adequate data security, but the damage resulting from data attacks is considerably higher.