Technology and Connectivity: You Are at Risk

By Nick Sabbatini, CPA, Audit Manager

It’s a fact of life. People love being connected. If you haven’t noticed the throngs of people staring, tapping, and swiping their mobile devices in public places, chances are you’ve been too intent on the electric glow of your own personal device to notice. And, really, with the entire internet at our fingertips and a never ending line of apps offering tailored entertainment, personal management, and connectivity to our business lives, few people these days are immune to the benefits of technological advances and connectivity. This is true for business entities, as well.

The unrelenting advancement of technology, continuous connectivity, and the Internet of Things has allowed for increased productivity and efficiency.

Modern technology and connectivity provides numerous potential benefits, such as automated processes and monitoring, expedited realization of cash flows, the ability to easily capture and analyze mass amounts of data, cost reductions due to efficiencies and centralization, real-time access to system information, customers, vendors, and contractors, and a general increase in business speed and agility. These benefits are truly amazing.

Are companies doing enough to protect their technology infrastructure?

In light of recent record-breaking data breaches, including the Target breach of 2013 and the 2014 breach of the Office of Personnel Management (OPM) database, it appears that the answer to that question may be, “no.”

Because business entities typically have large amounts of sensitive data (personal and customer data, as well as IP and other trade secrets) they are prime targets for data breaches, and are especially at risk of significant harm. As sensitive data can be the lifeline of business, the breach of this data can result in substantial losses. Data breaches very often damage brand image and inevitably lead to significant monetary loss.

In its 2015 annual study regarding the cost of data breaches, the Ponemon Institute spoke with 350 companies in 11 countries and estimated the average total cost of a data breach at $3.8 million (an increase of 23% from 2013). This suggests an average cost of $154 per compromised record. However, the study shows that this amount can vary from industry to industry. For instance, while retailers have a slightly higher average of $165 per compromised record, an entity in the healthcare industry should expect costs of roughly $363 per record. Furthermore, it is important to note that these amounts are only estimated averages, and actual costs could be much higher. Target, whose 2013 data breach compromised up to 70 million credit and debit cards, has incurred upwards of $252 million in costs, with an additional $67 million settlement paid to Visa and a similar deal being worked out with MasterCard. Similarly, the 2014 breach of the OPM database, in which over 21.5 million records were compromised, potentially affecting up to 275 million people given that each record contained information on family, friends, and associates, is expected to cost upwards of $500 million for reactionary implementation of new cybersecurity and monitoring contracts alone.

It’s not just large national, international, or governmental entities that are at risk.

While these types of record-breaking cases easily grab one’s attention, many more smaller-scale breaches occur on a regular basis. The fact is, as noted in another Ponemon Institute study, data breaches are occurring more often than reported. A sizable portion of these breaches are not discovered immediately and may take considerable time to resolve. According to this study, 45% of respondents suffered one or more data breaches within a two-year period, with roughly half of all respondents reporting damages to reputation, brand value and marketplace image, as well as lost time and productivity due to the breaches. One-third of the respondents noted a breach that took two years or more to discover, with 28% of the respondents reporting a period of two years or more required to resolve the breach. Moreover, 20% of those participating in the study could not determine whether or not the breach was ever resolved, and over half of the respondents never determined how the breach occurred. If we assume the study’s sample population is representative of the larger population, roughly half of all companies have already experienced a data breach, whether or not the breach is known, or should expect a breach in the immediate future. The threat is real, and no business is immune from attack.

For more on what on whether or not data breaches can be prevented, this topic will be covered further in an upcoming blog post.