Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

cost of a data breach

Cybercriminals see a 9% year on year improved yield on stolen records from $136 to $145

IBM and Ponemon have released their ninth annual Cost of Data Breach Study: Global Study. According to the research, the average total cost of a data breach for the companies participating in this research increased 15% to $3.5 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9% from $136 in 2013 to $145 in this year’s study. 

For the first time, the study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in the research, Ponemon believe they can predict the probability of a data breach based on two factors:

  1. How many records were lost or stolen
  2. The company’s industry

According to the findings, organizations in India and Brazil are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Australia are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 314 companies representing the following 11 countries participated:-

  1. Australia
  2. Brazil
  3. France
  4. Germany
  5. India
  6. Italy
  7. Japan
  8. Saudi Arabia (Saudi Arabia and the United Arab Emirates were combined as the Arabian region)
  9. United Arab Emirates
  10. United Kingdom
  11. United States

All participating organizations experienced a data breach ranging from a low of approximately 2,415 to slightly more than 100,000 compromised records. Ponemon define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

As the findings reveal, the consolidated average per capita cost of data breach (compiled for eleven countries and converted to US dollars) differs widely among the countries. Many of these cost differences can be attributed to the types of attacks and threats organizations face as well as the data protection regulations and laws in their respective countries.

In this year’s global study, the average consolidated data breach increased from $136 to $145

However, German and US organizations on average experienced much higher costs at $195 and $201, respectively.

Ponemon Institute conducted its first Cost of Data Breach study in the United States nine years ago. Since then, they have expanded the study to include the United Kingdom, Germany, France, Australia, India, Italy, Japan, Brazil and, for the first time this year, United Emirates and Saudi Arabia. To date, 1,279 business and government (public sector) organizations have participated in the benchmarking process since the inception of this research series.

This year’s study examines the costs incurred by 314 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data. It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the 1,690 individuals interviewed over a ten-month period in the companies that are represented in this research.

The following are the key findings, measured in US dollars:

  • The most and least expensive breaches. German and US companies had the most costly data breaches ($201 and $195 per record, respectively). These countries also experienced the highest total cost (US at $5.85 million and Germany at $4.74 million). The least costly breaches occurred in Brazil and India ($70 and $51, respectively). In Brazil, the average total cost for a company was $1.61 million and in India it was $1.37 million. 
  • Size of data breaches. On average, U.S. and Arabian region companies had data breaches that resulted in the greatest number of exposed or compromised records (29,087 and 28,690 records, respectively). On average, Japanese and Italian companies had the smallest number of breached records (18,615 and 19,034 records, respectively). 
  • Causes of data breaches differ among countries. Companies in the Arabian region and in Germany were most likely to experience a malicious or criminal attack, followed by France and Japan. Companies in India were the most likely to experience a data breach caused by a system glitch or business process failure and UK companies were more likely to have a breach caused by human error. 
  • The most costly data breaches were malicious and criminal attacks. Consolidated findings show that malicious or criminal attacks are the most costly data breaches incidents in all ten countries. U.S. and German companies experience the most expensive data breach incidents at $246 and $215 per compromised records, respectively. Brazil and India had the least costly data breach caused by malicious or criminal attackers at $77 and $60 per capita, respectively. 
  • Factors that decreased and increased the cost of a data breach. Having a strong security posture, incident response plan and CISO appointment reduced the cost per record by $14.14, $12.77 and $6.59, respectively. Factors that increased the cost were those that were caused by lost or stolen devices (+ $16.10), third party involvement in the breach (+ $14.80), quick notification (+ $10.45) and engagement of consultants (+ $2.10). 
  • Business continuity management reduced the cost of a breach. For the first time, the research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $8.98 per compromised record. 
  • Countries that lost the most customers following a data breach. France and Italy had the highest rate of abnormal customer turnover or churn following a data breach. In contrast, the Arabian region and India had the lowest rate of abnormal churn. 
  • Countries that spent the most and least on detection and escalation. On average, German and French organizations spent the most on detection and escalation activities such as investigating and assessing the data breach ($1.3 million and $1.1 million, respectively). Organizations in India and the Arabian region spent the least on detection and escalation at $320,763 and $353,735 respectively. 
  • Countries that spent the most and least on notification. Typical notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts and other efforts to make sure victims are alerted to the fact that their personal information has been compromised. U.S. and German organizations on average spent the most ($509,237 and $317,635 respectively). Brazil and India spent the least amount on notification ($53,772 and $19,841, respectively). 
  • Will your organization have a data breach? As part of understanding the potential risk to an organization’s sensitive and confidential information, we thought it would be helpful to understand the probability that an organization will have a data breach. To do this, we extrapolate a subjective probability distribution for the entire sample of participating companies on the likelihood of a material data breach happening over the next two years. The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22%. In addition to overall aggregated results, we find that the probability or likelihood of data breach varies considerably by country. India and Brazil have the highest estimated probability of occurrence.

 The full report can be obtained here.

Challenges to maintaining a strong security posture

A very interesting piece of research by the Ponemon Institute on behalf of the security vendor Sophos.  A summary of the study is below. 

Cyber security is often not a priority

  • 58% of respondents say that management does not see cyber-attacks as a significant risk
  • 44% say a strong security posture is not a priority.
  • Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
  • While an organization’s IT leaders often depend upon the need to comply with regulations and compliance to make their case for IT security funding, 51% of respondents say it does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.

Senior management rarely makes decisions about IT security

Who is responsible for determining IT Security Priorities?

  • CIO 32%
  • 31% no one

Lack of in-house expertise hinders the achievement of a strong security posture

  • Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.

Security threats and attacks experienced

“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months

  • 42% of respondents say they were
  • 33% are unsure
  • 1/3 of respondents say they are unsure if an attack has occurred in the past 12 months
  • Of the 42% who say an attack occurred, most likely it was likely the result of phishing and social engineering, denial of service and botnets and advanced malware/zero day attacks.

Data breach incidents are known with greater certainty

More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months although 16% say they are unsure.

More than half of respondents say their organization has had a data breach

  • 51% Cited is a third-party mistake or negligent employee or contractor
  • 44% cannot identify the root cause.

Most organizations say cyber-attacks are increasing or there is no change

  • 76% of respondents say their organizations face more cyber-attacks or at least the same
  • 18% are unable to determine

Most organizations see cyber-attacks as becoming more sophisticated

  • 56% say cyber-attacks are more sophisticated
  • 45% say they are becoming more severe
  • 28% of respondents are uncertain if their organizations are being targeted
  • 25% are unsure if the attacks are more sophisticated
  • 23% do not know if these attacks are becoming more severe.

The research reveals there is often confusion as to what best describes advanced persistent threats (APT). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent low profile targeted attacks but the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to what dedicated technologies are necessary for preventing them.

Disruptive technology trends

The cloud is important to business operations

  • 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
  • 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
  • 39% of their organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services

The use of cloud applications and IT infrastructure is not believed to reduce security

Effectiveness

  • 45% of respondents say the cloud is not considered to have an affect on security posture
  • 12% say it would actually diminish security posture
  • 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected

The use of mobile devices to access business-critical applications will increase

  • 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
  • 69% of respondents expect this usage to increase over the next 12 months.

While respondents do not seem to be worried about cloud security, mobile device security is a concern.

  • 50% of respondents say such use diminishes an organization’s security posture
  • 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.

BYOD also affects the security posture

  • 26% of mobile devices owned by employees are used to access business-critical applications.
  • 70% of respondents either expect their use to increase or stay the same
  • 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD

BYOD is a concern for respondents

  • 32% say there is no affect on security posture
  • 45% of respondents believe BYOD diminishes an organization’s security effectiveness.

Effectiveness of security technologies

The majority of respondents have faith in their security technologies

  • 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber attacks
  • 23% are unsure

Big data analytics and web application firewalls are technologies growing in demand

Today, the top three technologies in use are:

  1. Antivirus
  2. client firewalls
  3. endpoint management

They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These technologies are followed by: endpoint management (19% increase), anti-virus and next generation firewalls (both15% increase) and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say the use of IDS and SIEM technologies decreases slightly (6%) over the next three years.

The cost impact of disruptions and damages to IT assets and infrastructure

Damage or theft to IT assets and infrastructure are costly

  1. 1 the cost of damage or theft to IT assets and infrastructure
  2. 2 the cost of disruption to normal operations

The estimated cost of disruption exceeds the cost of damages or theft of IT assets and infrastructure.

Using an extrapolation, we compute an average cost of $670,914 relating to incidents to their IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197

The uncertainty security index

The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:

  • Did their organization have a cyber-attack during the past year?
  • Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
  • Are the root causes of these data breaches known?
  • Are the cyber-attacks against their organization increasing or decreasing?
  • Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
  • Do they understand the nature of advanced persistent threats (APTs)?
  • Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
  • Is the use of cloud applications and/or IT infrastructure services increasing and does it affect the security posture

Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).

U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.

Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.

An organization’s leadership team has the most uncertainty. This finding indicates why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position the more removed the individual could be in understanding the organization’s risk and strategy.

Retailing, education & research and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.

Blog at WordPress.com.

Up ↑

%d bloggers like this: