Is your city prepared for a security breach? If not, it could cost you millions

Security breaches are growing more common and more threatening. A recent breach of U.S. government systems may have put the personal information of every federal employee -- past and present -- in the hands of hackers. Despite the risks, many cities are doing little to shore up their systems.

If cities are concerned about the cost of a security upgrade, perhaps a new report will help them see that the cost of cleaning up after a breach can rapidly dwarf the cost of any up-front investment. As companies have learned, any loss of personal information can result in mitigation costs that quickly balloon into the millions of dollars.

Costs of security breaches are growing fast
The latest annual report from Council Lead Partner IBM and researcher Ponemon Institute found the average data breach cost $3.79 million. That’s a worldwide figure that accounts for the public and private sector. The total cost of data breaches has grown 23% since 2013.

Breaches cost the most in the U.S. and Germany, and the more personal information stolen, the higher the cost of dealing with it. In the U.S., it costs an average of $217 to deal with each record that was improperly accessed. Since even the smallest breaches in the study involved more than 2,000 records, the recovery cost can quickly swell to a half-million dollars or more.

And it’s not a hollow threat. The report finds that nearly half of the security breaches last year were malicious or criminal attacks. They were done by people who want to do harm.

Insurance for cyberattacks?
The astronomical costs of dealing with security breaches have some cities looking for ways to protect themselves financially. In New York, Northport town officials are exploring the idea of buying special cyberattack insurance.

Cities have a lot of personal information in their care and there are virtually unlimited ways hackers could get at it. A city employee using an infected flash drive could easily put all the city’s data at risk.

While Northport has invested in protections, threats do get through. Last year, a hacker scrambled its police department’s files and demanded a ransom to unscramble them.

Its IT security team resolved the threat by using an unscrambled backup, but the town worries about what would happen if personal information were actually stolen. The costs of notifying residents, providing credit monitoring and repair, and patching its systems could quickly consume the town’s budget.

Identifying threats sooner
Meanwhile, Council Lead Partner Microsoft is taking another approach to helping cities mitigate threats. It’s adding Advanced Threat Analytics to its Enterprise Mobility Suite.

Another factor that drives up the cost of a security breach is the amount of time that breach goes undiscovered. The longer the breach goes undetected, the more time hackers have to collect personal information and use it in nefarious ways. The IBM/Ponemon study finds that malicious attacks, on average, go undetected for nearly nine months.

The Microsoft technology is designed to help shorten that gap significantly by analyzing behavior, looking for anything abnormal. By constantly looking for unusual activity, the idea is to identify targeted attacks as soon as they happen so they can be blocked before much damage is done.

Paying more attention to mobility
Council Associate Partner Intel also cautions cities to pay much more attention to mobile devices. In a blog post, a security expert detailed his experiences at the recent Mobile World Congress where there are ever increasing numbers of devices collecting ever increasing amounts of data, although it’s increasingly less clear what they’re doing with it.

The post details how one fitness band maker couldn’t explain where the health data it collects was stored or how it was protected, but the author says consumer devices aren’t the only issue. Smart devices that interact with utilities and other trends make this an important issue for cities, too -- and one they can’t afford to ignore.

###

Kevin Ebi is a staff writer and social media coordinator for the Council. Follow @smartccouncil on Twitter.

More stories …
The privacy blunder that cost a city big (and how to avoid it)
Cities that don’t protect all data run the risk of collecting none
Smart cities, data collection and privacy: Getting it right