Security

State and Local Governments Face High Costs from Data Breaches

Deborah Snyder, the CISO of New York State, discussed the importance of mitigating data breaches for the public sector.

Mickey McCarter is the senior editor of StateTech Magazine.

New York State CISO Deborah Snyder shared perspective on data breaches during a webinar presented by the National Association of State Chief Information Officers on the Ponemon Institute’s “2018 Cost of a Data Breach Study.”

The veteran CISO has seen her share of challenges related to data breaches, she said, providing a checklist of best practices to mitigate a data breach.

In short, Snyder recommended:

Prepare. Take time to assess business risks, and know the locations of sensitive data.
Pay attention to third parties. Understand how vendors use data and ensure they are being as careful as necessary.
Practice good cyberhygiene. Upgrade and patch software when required.
Monitor logs. But also determine and select events that are “suspicious and actionable.”
Encrypt data. Avoid data loss with encryption.
Train users. Persuade users to do the right thing, and pay attention to insider threats.
Share stories. Put cyber-risks in terms that shareholders understand.

The last point is particularly compelling. Snyder advised her audience to take the time to relate the risks of data breaches to business customers in a way they understand.

“Turn that into a story that is fundamentally relatable to your executive in your governor’s office or your chief financial officer,” Snyder said. Elected officials understand the consequences of political fallout over a breach, while CFOs understand that breaches cost money.

“Help make it personal,” Snyder suggested.

Ponemon Study Reveals Data Breach Costs for the Public Sector

Larry Ponemon, chairman and founder of the Ponemon Institute, joined the NASCIO webinar to share results of the institute’s 2018 annual data breach survey, which is in its 13th year.

Globally, the survey concluded the odds of a data breach today to be 1 in 4, with a 27 percent probability that an organization will experience a data breach over a two-year period. The average total cost of a data breach was $3.86 million, up 6.4 percent from last year, and the average total loss for a stolen record was $148, up 4.8 percent from last year.

In the United States alone, the average total cost of a data breach was $7.9 million, up 7 percent from 2017, and the average cost of a stolen record was $233, up 3 percent.

For public sector organizations specifically, the total average cost of a data breach was $2.3 million, with an average cost of $75 per record.

Top factors decreasing risk include encryption, employee training and building an incident response team. And the risk factors increasing the chances of data breaches were third-party involvement, compliance failure and extensive cloud mitigation, Ponemon said.

Overall, the mean time to identify a breach was 190 days, and the mean time to contain a breach was 57 days, according to the survey.

With regard to state and local governments, “detection and escalation of breaches are the biggest consideration,” Ponemon said.

He urged management for business continuity to be involved in breach mitigation early, and rapid notification of regulators and victims in the event of a breach. State government reputations can take a hit if they have an insufficient response to a breach, Ponemon said, noting North Carolina “did a great job of communicating” with people after a significant data breach recently.