Introduction
What’s the cost of data loss? Depends on who you ask. A recent study from EMC suggests that data loss and downtime cost a total of $1.7 trillion each year, while Verizon tackles the concept from a per-record perspective, claiming an average cost of just 58 cents for each lost or stolen file. Of course, money is just one part of the loss equation: What about time and productivity? Ultimately, the real cost of data loss isn’t an easy number to pin down, but here’s a quick look at some of the top data risks faced by companies, along with strategies to prepare and prevent:
Big Numbers
According to Security Week, the volume of lost enterprise data has increased 400 percent in the last two years. Trends such as big data, cloud computing and the rise of mobile devices in the workplace are partly to blame — EMC reports that 62 percent of companies surveyed said these new data environments are challenging to protect, while 71 percent said they weren’t confident in their ability to recover data after a loss. All this adds up to $1.7 trillion lost each year.
IT Web, meanwhile, reports that the cost of data breaches and data loss will top $2.1 trillion by 2019 as more consumer and enterprise data is digitized. Juniper Research reported that the majority of these data breaches will come from existing network infrastructure and IT systems, rather than new deployments or emerging technologies. A recent Verizon report suggests that “small” data breaches, in which fewer than 100 records are lost, come with an average cost of $18,120 to $35,730 but could reach $555,660 in a worst-case scenario. Large data breaches (100 million records or more) cost an average of $5 million to $15.6 million and top out at $200 million.
Bottom line? While experts don’t agree on exact numbers — or how to measure the cost of data loss — it’s clear that losing information comes with a significant financial penalty. Even under “ideal” conditions, the theft or destruction of data can wipe out revenue and put companies out of business, and that’s just the beginning.
Pushing Past Price
When it comes to data loss, money is the first talking point: After all, companies can’t stay in business if monetary losses climb too high, but this only scratches the surface. Consider, for example, the cost of “slow time” rather than downtime; this occurs when networks become slow or unresponsive, forcing employees to work offline or severely reducing their productivity. Documents open during this slow time may be abandoned, causing small-scale data loss with a big impact, since companies are still paying for network services and employee wages even when IT infrastructure doesn’t respond.
In addition, time is lost during any data breach or leak, since recovery is typically measured in hours or days. During the recovery process, no new work can be completed and your company is losing money. Recovery efforts can also stop any product or service development, delaying your time-to-market and impacting estimated ROI.
There’s also the matter of compliance. Both federal legislation such as HIPAA and private standards like PCI-DSS impose specific data handling requirements; data loss may prompt a monetary fine or an investigation into your information storage and retrieval practices. In some cases, this may result in a legal challenge from compliance authorities or consumers, causing the cost of a data breach to increase yet again.
It’s also worth considering the human impact of data loss. If systems continually fail or struggle to retrieve data, employees may begin to take shortcuts or make assumptions based on previously available information simply to complete projects and meet deadlines. The result can be anything from minor inconvenience if actual data doesn’t meet expectations (an app that needs to be tweaked or repackaged, for example) to major fallout if new projects have gaping security holes.
Threat Vectors
Just as cost isn’t the only consequence of data loss, there are multiple ways for a company to lose information. Data breaches caused by malicious actors make headlines, and while this is a possible threat vector, companies must also be aware of risks posed by insiders. In some cases, these are disgruntled former employees who still have access to network systems, but more often, they’re employees with good intentions who accidentally breach data security policies or do so under the auspices of “shadow IT,” trying to complete assigned tasks using technology services that aren’t approved by local IT admins. Data loss can also occur due to hardware failure, software compatibility issues or the interaction of legacy and cloud systems.
Solving For X
With a host of costs and causes, it often seems impossible for companies to fight the scourge of data loss. While it’s foolhardy to suggest that businesses can avoid every misstep and keep every piece of information safe, there are a number of ways to lower the odds of a significant breach.
According to CIO, companies need to start with the basics: regular data backups. These can be done on site or using a cloud-based storage facility; the benefit to going cloud is speedier recovery time in the event of loss. Employees must also be educated on the importance of data loss prevention (DLP) and given practical strategies to avoid common mistakes, such as opening unknown email attachments or downloading apps from unfamiliar sources. It’s also worth developing a set of data classification standards to identify data that is critical for day-to-day operations and ensure this information has the highest restoration priority in the event of a loss. Access control is another way to protect your data: Ensure that only employees and executives directly tied to a project have access to pertinent information; the fewer points of compromise, the less likely a breach or loss.
Digging Deeper
It’s also worth developing loss prevention strategies designed for emerging technology trends such as big data and mobile. With analytics tools now offering the possibility of both predictive and prescriptive insights, companies are eager to store as much data as possible for as long as needed. The result is data “silos” which, if breached, contain massive amounts of both personal and business-critical information. Protecting this data means developing a robust encryption strategy that sees data encrypted not just when it’s being moved outside company networks to cloud-based analytics services, but also at rest on local servers or when moving through internal corporate infrastructure. Total encryption ensures that even lost or stolen data can’t be compromised and is worth nothing to malicious actors.
Mobile devices, meanwhile, present another unique issue. Many employees prefer to use personal devices to access company files and now demand the ability to work at home and in the office. As a result, highly sensitive information is often transmitted over home wireless networks or even public connections, putting this data at risk. Here, loss prevention centers around two policies: Network control and authentication. Data should only be transmitted across secure networks and users should be required to use at least two-factor authentication to lower the chance of access if a mobile device is lost or stolen.
The real cost of data loss? It’s a combination of money, time and reduced productivity. Avoiding data loss means identifying common threat vectors, building a DLP policy to address these problems and designing agile solutions to meet emerging data access trends.