
Posted in: Data Security/Privacy

Dec 1, 2016

7 Ways to Help Your Organization Prevent Costly Data Breaches

By Amy Marcen-Gaudaur and Aaron Baer

Businesses spend an estimated $84 billion each year defending their data against cyberattacks. However, a recent report by Accenture (the "Report") highlights the stark disconnect between these costly protection measures and their efficacy. The Report is based on the results of a survey conducted by Accenture of 2,000 executives from 12 industries and 15 countries across North America, South America, Europe and the Asia-Pacific region.

According to the Report, the failure rate of data breach prevention is "alarmingly high." Approximately one-third of targeted data breach attempts against corporations are successful, yet three-quarters of executives have not lost confidence in their cybersecurity strategies.

The "alarmingly high" failure rate is further exacerbated by the "sheer volume" of cyberattacks being conducted. On average, organizations are subject to more than a hundred targeted breach attempts each year, in addition to the thousands (and sometimes millions) of random breach attempts prevented each week. This means that these organizations can expect, on average, two to three successful attacks per month.

Accenture estimates that data theft currently costs organizations an aggregate of $2 trillion per year and that this number could potentially reach as high as $90 trillion by 2030 if trends continue. As we recently reported on The Spotlight, the average cost of a data breach for a Canadian company exceeds $6 million.

Why Do Typical Strategies Fail?

While a majority of those surveyed for the Report admitted that it typically takes "months" to detect successful attacks, 17% confessed that such identification often takes a year or longer. This lag not only prevents organizations from properly responding to specific breaches, but also makes building an effective cybersecurity strategy nearly impossible. By the time a breach is identified, the data is already gone. By the time the vulnerability is identified, another thief has deployed a different strategy.

Further compounding the issue is the presence of both internal and external threats. Different protective strategies are required to deal with internal and external data theft, and the Report shows that most organizations have a difficult time prioritizing resources to properly protect against both.

Facing Reality - Data Breach Prevention Strategies

In the face of these gloomy statistics, those charged with a corporate cybersecurity mandate may be wondering how to survive in this increasingly risky landscape. The Report suggests the following:

  1. Define cybersecurity success
  2. Pressure-test security capabilities the way adversaries do
  3. Protect from the inside out
  4. Invest to innovate and outmaneuver
  5. Make security everyone's job
  6. Lead from the top
  7. Build on past lessons

In order to implement these strategies, it is critical that businesses provide the necessary training to employees at all levels of the company. Law firms with expertise in privacy and data breach prevention provide a vital service in this regard.

Third-party service providers are often the weakest entry point for data breaches. Well-drafted contracts contain, amongst other things: (i) representations and warranties from the service provider that its cybersecurity meets the desired standards; (ii) covenants that the service provider will notify the business immediately upon discovering a potential breach; (iii) audit rights; and (iv) indemnification provisions that protect the business from bearing the economic burden of a data breach.

Organizations need to recognize the true scale of the cyberattacks they face, adapt to the changing landscape, and incorporate these best practices to protect their bottom line from the costs of data breaches.
