Data Breach Costs and Security Essentials
Source: https://www.youtube.com/watch?v=UpkqXK0B2E0
Duration: 00:14:42
Key Points
- A data breach costs on average $4.35 million globally and $9.44 million in the United States, highlighting the huge financial risk of poor data security.
- Effective data security starts with a governance framework that defines a data‑security policy, classification levels, and the specific protections required for each sensitivity tier.
- Building and continuously updating a data catalog that maps where all data—including the most sensitive “keys to the kingdom”—resides is essential for discovery, protection, compliance, detection, and response.
Sections
- 00:00:00 Why Data Security Matters - The presenter uses breach cost statistics—$4.35 M globally, $9.44 M in the U.S., and 83% of firms experiencing multiple breaches—to illustrate the urgency of data security and preview upcoming topics such as governance, discovery, protection, compliance, detection, response, and cost‑reduction strategies.
- 00:03:07 Data Discovery and DLP Strategy - The speaker outlines moving from planning to discovery, emphasizing the need to locate both structured and unstructured sensitive data across databases, files, emails, and network traffic, and introduces Data Loss Prevention technology for real‑time protection.
- 00:06:14 Comprehensive Data Security Strategies - The speaker outlines the need for quantum‑resistant encryption, strong access controls, reliable backups, and regulatory compliance to safeguard data against advanced attacks, ransomware, and disaster scenarios.
- 00:09:16 Detection and Response Overview - The speaker outlines how monitoring, user behavior analytics, and alert generation enable the detection of data misuse, followed by case-based investigation as the response.
- 00:12:22 Five Strategies Cutting Breach Costs - The speaker explains a data‑security ecosystem and then reveals the survey‑identified top five practices—AI‑driven detection, DevSecOps, incident response, cryptography, and an additional measure—that most reduce the financial impact of a data breach.
Full Transcript
4.35 million.
9.44 million.
83%. What do those numbers have to do with data security?
I'll tell you in a minute.
Welcome back to the Cyber Security Architecture series, where in the first few videos
we talked about principles, fundamentals, about the various domains of cybersecurity.
We covered identity and access.
We looked at the endpoint, the network, applications in the last video.
Today, we're going to talk about data security, which is what these numbers have to do with.
So the first one, 4.35 million.
Well, according to the Ponemon Institute, that's the average cost of a data
breach worldwide.
That's a lot of money every time somebody breaks in,
that's what it's costing the organization on average.
And by the way, that's taking out some of the really large numbers that might have skewed the average.
So this is the baseline that we're looking at,
9.44 million--cost of a data breach
in the US. Twice as much,
if you're in the US, if you get hit with this. And 83%, what does that have to do with anything?
That is the number of organizations that have been hit by more than one data breach.
So this is answering the question "Why do we need to care about data security?"
Now, in the rest of the video, we're going to talk about some of these aspects:
about governance, about discovery, about protection, compliance, detection, response.
Hang around to the end.
And I'm going to tell you the top five things that this survey found
will reduce the cost of a data breach for you.
So stay tuned for that.
First of all, we're going to cover governance and discovery.
So think of this as a data security ecosystem.
We're going to fill this thing out.
These are the technologies that go into allowing us to secure our data.
First of all, we have to have some sort of governance plan.
This is our way of saying this is what we want to do.
If I don't define where the finish line is, I can't expect people to end up there.
So first of all, we're going to have a policy, a data security policy, and in that,
we're going to spell out what kinds of things are sensitive and what kinds of things aren't.
We're going to spell out classification criteria
that says this is keys to the kingdom and this is the lunchroom menu.
Nobody needs to protect that.
We don't really care, that sort of thing.
We need to spell out that criteria.
We need to also spell out what kinds of protections go with those different levels of sensitivity.
So we may have confidential, unclassified.
We may have super confidential, super top secret, super
duper top secret, whatever your classification scheme is.
But you need to spell out what those are.
We can't expect the users in our company
to protect the data if we haven't spelled out what those guidelines are.
So it all starts with this governance policy classification.
Build a catalog that tells us this is where the data is.
This is where the really sensitive stuff is, and you want to know where that is all the time.
We're going to be updating that as well.
And then build a resilience plan that says if we lose data, how do we recover?
So we'll talk a little more about that later as well.
So the first stage is to build the plan; then we're going to move into discovery.
Now, I've said this is what I want to do to cover our data and protect it.
Now let's go find where the data is.
There are a couple of different places that we can look for data types. Databases:
that's where we expect structured data in most cases.
That's where we're going to see a lot of the keys to the kingdom.
But don't overlook this other area.
Files, emails, spreadsheets,
all kinds of other things that make up unstructured data.
We need to be able to discover sensitive content in unstructured data as well.
In other words, in places where we might not otherwise look.
We expect the keys to the kingdom to be in the very sensitive database.
But what if somebody makes a copy of that?
What if somebody excerpts parts of it and emails it to someone?
Now we've got sensitive data flying around a lot of other places,
and I'd like to look on the network and see as this data is moving around as well,
and maybe discover when there are certain types of issues that we could be running into.
And one of those discovery things will help us in particular
with a thing called data loss protection.
So DLP is a technology that's important that allows us to discover this stuff
in real time on various systems and as data is flowing across our networks.
Okay.
Now, we've covered the why of data security.
These numbers down here should be sufficient motivation for you.
How do we do governance and discovery, some of the general technologies there.
Now, let's talk about protection and compliance.
I figured out how I need to secure things and where the stuff is. Now
how am I going to actually protect it?
Well, encryption is a huge part of that.
That is, I scramble the data so that only I can read it and the bad guys can't.
And I need to be able to do that for data at rest.
Like sitting in a database, for instance, or data in motion.
Data that's in motion could be moving from one user to another,
could be on a web server, and then being served up across the Internet.
So I need to be able to keep the data secure all the time, at rest
and in motion, if I'm going to be encrypting data.
The other thing I need to be able to do a really good job of is managing the keys.
If you lose the keys, you lose the data.
So remember that we want to generate keys in a random way.
If anyone can predict the way keys are generated, then all bets are off.
They can read all your data.
So it has to be done randomly and we need to be able to keep it.
We also need to be able to keep up with the lifecycle of a key. That is, don't encrypt it once and forget it.
It's not encrypt and forget, it's encrypt and then continuously follow the lifecycle and re-encrypt
at appropriate times.
We have keys that we rotate in and we rotate out.
Another aspect of all this that you need to be paying attention
to is this notion of quantum-safe crypto.
Quantum computers are going to be able to break all of our existing cryptography in the next number of years.
We don't know exactly when, but it's not that far off.
And so we're going to need to keep an eye on this space right here so that we use new algorithms
that will keep our data safe against the quantum threat that would be out there if someone had a quantum computer
and started trying to crack all of our data that we had previously secured.
Access control is another part of data security.
Access control is also part of identity and access management, which was the first of the seven domains that we covered.
But it relates here as well, because it doesn't matter how strong I've encrypted the information.
If a user who has access to this sets their password
to the word "password", then it doesn't matter, because they're getting in.
If we don't have a good way of authenticating and authorizing users,
then all of this strong crypto isn't going to matter.
So access controls need to be there. Backup.
If we face in particular a disaster recovery scenario or a ransomware
type scenario where someone says, I've got your data and I'm not giving it back.
Well, the best defense against that is saying, guess what, ransomware guy.
I've also got a copy of my data and I'll just restore it and you can go pound sand.
So this is the type of protection that we need
not only to keep the data from prying eyes, but also keep the data
so that we have a level of resilience that I mentioned earlier
in case of attack or disaster or things of that sort.
Also, I need to be able to ensure
that I am complying with some of the industry regulations that might exist.
The General Data Protection Regulation in Europe, GDPR;
in the US, we have HIPAA for health care information.
There are lots of regulations in lots of industries and lots of parts of the world.
Essentially, if you've got any information about somebody,
there's a chance that you would be subject to one of these regulatory requirements.
So I need to be able to report on whether I am complying with that. Just as much,
I need to be able to report when I'm not complying, because if I don't know that, then one of the costs
that goes into these data breaches is the fines that go along with it, and with GDPR in particular,
it's very substantial.
And if you think that because you're operating a company that's not in Europe,
in the European Union, you're exempt from this,
Think again.
If you've got European citizen data, even if you don't operate there, you could potentially be subject to that.
Check with your lawyers to find out.
And then a policy.
I need an ability to retain records, but only as long as
is necessary according to the law or other regulation.
It really doesn't do us good to keep a lot of information and just store everything forever.
So what we need to do, though, is this: the law will require that we store data for a certain period of time,
and we want to store it for that long and probably not longer, because it gets more expensive.
And the longer we're holding this data, the longer we're holding the burden
that if in fact, we have one of these breaches, we could be held liable.
So it's best not to have it in the first place if you don't really need it.
Okay.
Now, we've covered the first bunch of security protections that are needed
about governance, about discovery and things of that sort.
Now we're going to take a look at two more-- detection and response. Security is about prevention, detection and response.
These first ones are mostly about the prevention.
This is about the detection and response. Detection.
Now, what does that involve?
Well, I need to be able to monitor my systems and see how data is being used.
How is it moving around my organization, who's using it, under what conditions?
And in fact, I also may want to use a technology called user behavior analytics (UBA)
that will monitor users and the way that they're looking at the data.
If they normally download a thousand files a day and suddenly they start
downloading a million files in a day, then that could be suspicious.
Or if someone who normally doesn't access certain data starts
having a lot of interest in that data, then that could be an issue.
If someone is doing something different than their peer group, then that could be an issue.
So that's what user behavior analytics is looking for, those kind of cases.
So we're trying to detect misuse and abuse of the data.
And ultimately, I'm going to generate alerts that are going to go up to some console
and someone then can go take an action on that.
And the action is our response part.
So one of the things I might do is open a case
and then assign that case to someone and then they begin an investigation.
We might guide all of those efforts with something called a dynamic playbook.
A dynamic playbook would tell you, this is what just happened.
Now you need to do the following steps.
And based upon the results of those steps, I'm going to specify other steps for you to follow.
So that's the dynamic nature of it, as opposed to just
a hardcoded script that someone follows.
This is more like a dynamic script that they can follow. But it leads people through
and allows them to automate the recovery
and orchestration and automation of these problems.
What's the difference between those two?
In a perfect world, I'd automate all of my responses.
But we don't live in a perfect world because we see a lot of these things
that are first of a kind type of situations. A first of a kind,
I can't automate because I don't know what I should have done because I've never seen it before.
Orchestrate is what I have to do in a lot of these cases where basically
I'm looking for certain things and I'm providing guidance,
but like an orchestra, the conductor of the orchestra is conducting who's going to come in,
when do the trumpets come in,
when do the saxophones come in. This sort of thing.
They're going to basically direct all of this, and that's what we're going to do in our response.
So think about those things.
We're going to talk about these actually in more detail in our next two videos
where we're going to talk about security monitoring and security response.
Okay.
Now we've done a quick flyover view of data security.
We started off talking about governance, setting the plan and saying this is what we intend to do.
And if we don't have that right, we can't expect to do the other parts right.
Then we move into discovery, find out where all the data is that we need to apply those policies to.
Then we're going to put those protections in place.
Then we're going to check our compliance and see if, in fact we're doing what we intended to do.
We're going to look for anomalies.
Then we're going to respond when we find those and feed that information back into our policy.
So the whole thing then becomes this ecosystem
of data security, and it involves a lot of different technologies.
So that's in general how we want to do this.
And now what I told you is if you would stay to the end,
I'm going to tell you the top five things and you can see them here already.
So no need for a drum roll.
But according to the cost of data breach survey, these were the top
five things that reduced the cost of a data breach.
Number one, using artificial intelligence was top on the list.
And in fact we started using AI a good deal already in this detect phase.
You'll hear more about that in the future videos as we cover that in the next one.
But you can expect to see AI be infused in all of these different spaces.
So look for that moving forward.
DevSecOps. That was a big part of the discussion in the previous video on application security.
If you missed that, make sure you go back and check that out.
But that breaks down the walls between dev[elopment], sec[urity] and ops organizations
and puts security in a shift-left position. Incident response.
We talked about that here.
That's this response capability and it's going to be the subject of our video two videos from now.
So again, stay tuned for that. Cryptography.
We've talked about that here in this particular space.
And as I said, if you can't encrypt the data, you can't protect it.
And then ultimately employee training,
because at the end of the day, it's not all about the technology.
There's an end user and the user, the human, is
almost always the weakest link in any security system.
So don't ignore this part.
If you do, it's at your own peril.
Okay. There we go.
Those are the top five things that you can do to reduce the cost of a data breach,
to reduce the likelihood that it ever happens to you in the first place.
Make sure you have a good plan for doing all of these things.
All right.
Now, in the next video, we will cover
monitoring and then the following video security response.
So make sure you stay tuned to check those out. Click like, subscribe,
and hit the notify button so you'll know and not miss any videos in the series.
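The three user behavior analytics signals the speaker describes in the detection section (a volume spike against the user's own baseline, first-time interest in sensitive data, and deviation from the peer group) can be implemented as a small detection pass over access logs. The following is an added example, not code from the video or from any product; the log entries, the sensitive-dataset tier and the two thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data): (day, user, peer_group, dataset, files_downloaded).
# Days are labelled d1..d4 so plain string comparison orders them.
ACCESS_LOG = [
    ("d1", "alice", "finance", "ledger", 900),
    ("d2", "alice", "finance", "ledger", 1100),
    ("d3", "alice", "finance", "ledger", 1000),
    ("d4", "alice", "finance", "ledger", 1_000_000),  # 1,000 files/day -> 1,000,000
    ("d1", "bob", "finance", "ledger", 950),
    ("d2", "bob", "finance", "ledger", 1050),
    ("d3", "bob", "finance", "ledger", 1000),
    ("d4", "bob", "finance", "ledger", 1000),
    ("d1", "carol", "marketing", "menu", 20),
    ("d2", "carol", "marketing", "menu", 25),
    ("d3", "carol", "marketing", "menu", 30),
    ("d4", "carol", "marketing", "ledger", 40),  # first-ever interest in sensitive data
]
SENSITIVE = {"ledger"}   # the "keys to the kingdom" tier from the data catalog (assumed)
SPIKE_FACTOR = 10        # assumed threshold: more than 10x the user's own daily median
PEER_FACTOR = 5          # assumed threshold: more than 5x the peer group's median today

def baseline(log, day):
    """Per-user list of daily totals, and datasets each user touched, before `day`."""
    totals = defaultdict(lambda: defaultdict(int))  # user -> day -> files
    seen = defaultdict(set)                          # user -> datasets touched
    for d, user, _group, dataset, n in log:
        if d < day:
            totals[user][d] += n
            seen[user].add(dataset)
    return {u: list(days.values()) for u, days in totals.items()}, seen

def analyze(log, day):
    """Return (user, signal, detail) alerts for `day`; earlier days form the baseline."""
    history, seen = baseline(log, day)
    today, group_of, datasets = defaultdict(int), {}, defaultdict(set)
    for d, user, group, dataset, n in log:
        if d == day:
            today[user] += n
            group_of[user] = group
            datasets[user].add(dataset)
    alerts = []
    for user, n in today.items():
        if not history.get(user):       # no baseline yet: nothing to compare against
            continue
        own = median(history[user])
        if n > SPIKE_FACTOR * own:      # "a thousand files a day ... suddenly a million"
            alerts.append((user, "volume_spike", f"{n} files vs own median {own:.0f}"))
        for dataset in datasets[user] & SENSITIVE:
            if dataset not in seen[user]:   # "normally doesn't access certain data"
                alerts.append((user, "new_sensitive_access", dataset))
        peers = [v for u, v in today.items() if u != user and group_of[u] == group_of[user]]
        if peers and n > PEER_FACTOR * median(peers):   # "different than their peer group"
            alerts.append((user, "peer_deviation", f"{n} files vs peer median {median(peers):.0f}"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(ACCESS_LOG, "d4"):   # these are what would be raised to the console
        print(alert)
```

Each alert tuple is the kind of event the speaker says should go up to a console where someone opens a case; the thresholds are deliberately simple and a real deployment would tune them per data class.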