If you’re not getting support and adequate funding from the C-suite to address insider threats, a recent report highlights a powerful persuasive tool you may have overlooked: money—as in fines (cha-ching), lawsuits (cha-ching) and credit monitoring services (cha-ching) you’ll have to pay as the result of a data breach.
The IDC report, “Endpoint Data Protection for Extensible DLP Strategies,” cites two health-care groups that paid six figures each in fines for data breaches as a result of improper employee behaviors. Here are even more powerful examples of the price your organization could pay for not addressing insider data security threats:
Target insider breach costs could reach $1 billion
Target may have skirted an SEC fine, but the retailer is still paying a hefty price because cyber thieves were able to access customer credit card data via a subcontractor’s systems. Breach costs included $10 million to settle a class action lawsuit, $39 million to financial institutions that had to reimburse customers who lost money, and $67 million to Visa for charges it incurred reissuing compromised cards. For 2014, Target had $191 million in breach costs on its books; estimated totals could reach $1 billion after everything shakes out.
AT&T fined $25 million for employee breach
In 2015, AT&T paid a $25 million fine to the Federal Communications Commission after three call center employees sold information about 68,000 customers to a third party. The cyber thieves used the information to unlock customers’ AT&T phones.
On top of the fine, AT&T was required to do things it should have done in the first place:
- Appoint a senior compliance manager who is a certified privacy professional.
- Conduct a privacy risk assessment.
- Implement an information security program.
- Create a compliance manual and regularly train employees.
- File regular compliance reports with the FCC.
AvMed paid $3 million in settlement
While the health plan company avoided a HIPAA fine, it paid $3 million in settlements to 460,000 customers whose personal information was on two stolen, unencrypted laptops. On top of that were costs to reimburse customers’ actual monetary losses.
In addition, the company had to:
- Provide mandatory security awareness and training programs for all company employees.
- Provide mandatory training on appropriate laptop use and security.
- Upgrade all company laptops with additional security mechanisms, including GPS tracking technology.
- Add new password protocols and full-disk encryption technology on all company desktops and laptops so that electronic data stored on the devices would be encrypted at rest.
- Upgrade physical security to further safeguard workstations from theft.
- Review and revise written policies and procedures to enhance information security.
The lesson here should be obvious. It’s far cheaper to act now—by implementing available endpoint protection technology and instituting a security-aware culture—than to wait for a breach that forces you into action.
As security expert Philip Lieberman noted in the AT&T case, the penalty cost AT&T much more than the steps it should have taken to prevent the insider breach: “The C-level staff will have to explain this to the board as to why they did not implement a control when the cost would be trivial.”