Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Data breach

Data Breaches for the first quarter of 2014

Safenet Infographic on Data Breaches in the first quarter of 2014

Hidden Dangers of a Data Breach an Infographic

The Aftermath of a Mega Data Breach

A Ponemon Study sponsored by Experian® explores consumers’ sentiments about data breaches. The goal was to learn the affect data breaches had on consumers’ privacy and data security concerns. A similar study was conducted in 2012 and reveals some interesting trends in consumers’ perceptions.

The study asked consumers who were victims of a data breach questions about their experience. It may not come as a surprise that individuals who have had their personal information lost or stolen increased 100% since the 2012 study when only 25% of individuals surveyed were victims of a data breach.

For purposes of the research, they define a data breach as

the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records

797 individuals were surveyed and approximately 400 of these respondents say they were the victims of a data breach. By far, the primary consequence of a data breach is suffering from stress (76% of respondents) followed by having to spend time resolving problems caused by the data breach (39% of respondents).

The most significant findings of the research:-

What companies should do following a data breach

  • 63% of consumers continue to believe that organizations should be obligated to provide identity theft protection
  • 58% believe credit monitoring services should be offered
  • 67% believe compensation such as cash, products or services should be offered

–       These findings are similar to the findings in the 2012 study.

Credit card companies and retail stores sent the most notifications

  • 62% of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim.

  • Prior to having their personal information lost or stolen, 24% say they were extremely or very concerned about becoming a victim of identity theft.
  • Following the data breach, this concern increased significantly to 45%.
  • 48% of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches?

  • The majority of respondents believe it is important for the media to report details about data breaches. Mainly because it requires companies to be more responsive to victims followed by the creation of greater awareness about how the data breach could affect individuals and alerts potential victims to take action to protect their personal information from identity theft.

Other findings:-

  • 25% of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29% of respondents received such an offer
  • 67% of those receiving a notification wanted the organisation to “Explain the risks or harms that I will experience”
  • 32% said “I ignored the notification(s) and did nothing”
  • 78% were most worried about their Social Security number followed by Password/PIN at 71% and Credit card or bank payment information with 65%
  • 81% of respondents who were victims of a data breach did not have any out of pocket costs. If they did, it averaged about $38
  • 34% say they were able to resolve the consequences of the breach in one day
  • 55% say they have done nothing to protect themselves and their family from identity theft

The full report can be found here.

Retail and Financial Sectors Overly Confident About Breach Detection

Atomic Research have announced the results of a survey sponsored by Tripwire of 102 financial organizations and 151 retail organizations in the U.K., all of which process card payments.

The survey results indicate that recent data breaches have had little impact on the security controls of retail and financial organisations.

35% said it would take as long as two to three days to detect a breach on their systems

However, according to the 2014 Verizon Data Breach Investigations Report, 85% of point-of-sale intrusions took weeks to discover and 43% of web application attacks took months to discover.

It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches,” said Tim Erlin, director of IT security and risk strategy for Tripwire, in response to the findings. “6% of respondents said they are confident that their security controls are able to prevent the loss of data files, but this confidence flies in the face of recent evidence to the contrary

The Payment Card Industry Data Security Standard is a security standard that outlines minimum security requirements for organizations that handle cardholder information. When asked how important PCI compliance is to their overall security program, 43% of respondents said it was the backbone of their security program, and 36% said it was half of their security program. However, in order to protect confidential customer data, organisations must apply additional security controls.

Other findings include:

  • 24% of those studied have already suffered a data breach where Personally Identifiable Information (PII) was stolen or accessed by intruders
  • 36% of respondents do not have confidence in their incident response plan
  • 51% of respondents are only somewhat confident that their security controls can detect malicious applications
  • 40% of respondents said they do not believe that recent high profile cardholder breaches have changed the level of attention executives give to security

It is great that recent breaches have increased cybersecurity awareness and internal dialogue. However, the improved internal communication may be biased by a false sense of security,” said Dwayne Melancon, chief technology officer for Tripwire. “For example, 95% of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection

Furthermore, only 60% of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches,” Melancon continued. “These attitudes seem to indicate a high degree of overconfidence or naiveté among information security practitioners. I believe a number of these organizations may be in for a rude awakening if their systems are targeted by criminals

The Tripwire report can be found here.

BYOD, Cloud and the Internet are the top areas of concern for security threats.

A Dell global security survey reveals “the majority of IT leaders say they do not view these threats as top security concerns and are not prioritizing how to find and address them across the many points of origin”.

Key findings of Dell’s research include:

  • 37% ranked unknown threats as a top security concern in the next five years
  • 64% of respondents agree that organizations will need to restructure/reorganize their IT processes, and be more collaborative with other departments to stay ahead of the next security threat. Of those surveyed in the United States, 85% said this approach is needed, contrasting with Canada at 45% followed by the U.K. at 43%
  • 78% in the Unites States think the federal government plays a positive role in protecting organizations against both internal and external threats, which underscores the need for strong leadership and guidance from public sector organizations in helping secure the private sector
  • 67% of survey respondents say they have increased funds spent on education and training of employees in the past 12 months
  • 50% believe security training for both new and current employees is a priority
  • 54% have increased spending in monitoring services over the past year; this number rises to 72% in the United States

Among the IT decision-makers surveyed, BYOD, cloud and the Internet were the top areas of concern for security threats.

BYOD. A sizable number of respondents highlighted mobility as the root cause of a breach, with increased mobility and user choice flooding networks with access devices that provide many paths for exposing data and applications to risk.

  • 93% of organizations surveyed allow personal devices for work. 31% of end users access the network on personal devices (37% in the United States)
  • 44% of respondents said instituting policies for BYOD security is of high importance in preventing security breaches
  • 57% ranked increased use of mobile devices as a top security concern in the next five years (71% in the U.K.)
  • 24% said misuse of mobile devices/operating system vulnerabilities is the root cause of security breaches

Cloud. Many organizations today use cloud computing, potentially introducing unknown security threats that lead to targeted attacks on organizational data and applications. Survey findings prove these stealthy threats come with high risk.

  • 73% of respondents report their organizations currently use cloud (90% in the United States)
  • 49% ranked increased use of cloud as a top security concern in the next five years, only 22% said moving data to the cloud was a top security concern today
  • In organizations where security is a top priority for next year, 86% are using cloud
  • 21% said cloud apps or service usage are the root cause of their security breaches

Internet. The significance of the unknown threats that result from heavy use of Internet communication and distributed networks is evidenced by

  • 63% of respondents ranked increased reliance upon internet and browser-based applications as a top concern in the next five years.
  • More than one-fifth of respondents consider infection from untrusted remote access (Public Wifi) among the top three security concerns for their organization
  • 47% identified malware, viruses and intrusions often available through web apps, OS patching issues, and other application-related vulnerabilities as the root causes of breaches
  • 70% are currently using email security to prevent outsider attacks from accessing the network via their email channel

76% of IT leaders surveyed (93% in the United States) agree that to combat today’s threats, an organization must protect itself both inside and outside of its perimeters.

The full Dell report can be found here.

Challenges to maintaining a strong security posture

A very interesting piece of research by the Ponemon Institute on behalf of the security vendor Sophos.  A summary of the study is below. 

Cyber security is often not a priority

  • 58% of respondents say that management does not see cyber-attacks as a significant risk
  • 44% say a strong security posture is not a priority.
  • Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
  • While an organization’s IT leaders often depend upon the need to comply with regulations and compliance to make their case for IT security funding, 51% of respondents say it does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.

Senior management rarely makes decisions about IT security

Who is responsible for determining IT Security Priorities?

  • CIO 32%
  • 31% no one

Lack of in-house expertise hinders the achievement of a strong security posture

  • Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.

Security threats and attacks experienced

“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months

  • 42% of respondents say they were
  • 33% are unsure
  • 1/3 of respondents say they are unsure if an attack has occurred in the past 12 months
  • Of the 42% who say an attack occurred, most likely it was likely the result of phishing and social engineering, denial of service and botnets and advanced malware/zero day attacks.

Data breach incidents are known with greater certainty

More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months although 16% say they are unsure.

More than half of respondents say their organization has had a data breach

  • 51% Cited is a third-party mistake or negligent employee or contractor
  • 44% cannot identify the root cause.

Most organizations say cyber-attacks are increasing or there is no change

  • 76% of respondents say their organizations face more cyber-attacks or at least the same
  • 18% are unable to determine

Most organizations see cyber-attacks as becoming more sophisticated

  • 56% say cyber-attacks are more sophisticated
  • 45% say they are becoming more severe
  • 28% of respondents are uncertain if their organizations are being targeted
  • 25% are unsure if the attacks are more sophisticated
  • 23% do not know if these attacks are becoming more severe.

The research reveals there is often confusion as to what best describes advanced persistent threats (APT). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent low profile targeted attacks but the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to what dedicated technologies are necessary for preventing them.

Disruptive technology trends

The cloud is important to business operations

  • 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
  • 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
  • 39% of their organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services

The use of cloud applications and IT infrastructure is not believed to reduce security

Effectiveness

  • 45% of respondents say the cloud is not considered to have an affect on security posture
  • 12% say it would actually diminish security posture
  • 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected

The use of mobile devices to access business-critical applications will increase

  • 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
  • 69% of respondents expect this usage to increase over the next 12 months.

While respondents do not seem to be worried about cloud security, mobile device security is a concern.

  • 50% of respondents say such use diminishes an organization’s security posture
  • 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.

BYOD also affects the security posture

  • 26% of mobile devices owned by employees are used to access business-critical applications.
  • 70% of respondents either expect their use to increase or stay the same
  • 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD

BYOD is a concern for respondents

  • 32% say there is no affect on security posture
  • 45% of respondents believe BYOD diminishes an organization’s security effectiveness.

Effectiveness of security technologies

The majority of respondents have faith in their security technologies

  • 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber attacks
  • 23% are unsure

Big data analytics and web application firewalls are technologies growing in demand

Today, the top three technologies in use are:

  1. Antivirus
  2. client firewalls
  3. endpoint management

They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These technologies are followed by: endpoint management (19% increase), anti-virus and next generation firewalls (both15% increase) and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say the use of IDS and SIEM technologies decreases slightly (6%) over the next three years.

The cost impact of disruptions and damages to IT assets and infrastructure

Damage or theft to IT assets and infrastructure are costly

  1. 1 the cost of damage or theft to IT assets and infrastructure
  2. 2 the cost of disruption to normal operations

The estimated cost of disruption exceeds the cost of damages or theft of IT assets and infrastructure.

Using an extrapolation, we compute an average cost of $670,914 relating to incidents to their IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197

The uncertainty security index

The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:

  • Did their organization have a cyber-attack during the past year?
  • Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
  • Are the root causes of these data breaches known?
  • Are the cyber-attacks against their organization increasing or decreasing?
  • Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
  • Do they understand the nature of advanced persistent threats (APTs)?
  • Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
  • Is the use of cloud applications and/or IT infrastructure services increasing and does it affect the security posture

Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).

U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.

Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.

An organization’s leadership team has the most uncertainty. This finding indicates why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position the more removed the individual could be in understanding the organization’s risk and strategy.

Retailing, education & research and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.

The state of corporate mobile data

The state of corporate data is an interesting Infographic showing the extent data could leak from a corporate network.

druva-insync-mobile-corporate-data-corrected jpeg

Who breached the Data Protection Act in the first half of 2013?

As we have passed the first half of 2013, I thought it would be a good time to publish the entire list of who fell foul of the UK Data Protection Act and were punished by the Information Commissioner (ICO).

There are three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practice and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury and not to the ICO. Many argue that the ICO would be a stronger body if it had more money and penalties is a good way to generate more revenue – a self funding government department.

  • 12 July 2013 NHS Surrey. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved outstanding issues are now being dealt with by the Department of Health.
  • 8 July 2013 Tameside Energy Services Ltd. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.
  • 18 June 2013 Nationwide Energy Services and We Claim You Gain. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.
  • 13 June 2013 North Staffordshire Combined Healthcare NHS Trust. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
  • 7 June 2013 Glasgow City Council. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
  • 5 June 2013 Halton Borough Council. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.
  • 3 June 2013 Stockport Primary Care Trust. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.
  • 20 March 2013 DM Design Bedroom Ltd. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.
  • 15 February 2013 Nursing and Midwifery Council. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
  • 24 January 2013 Sony Computer Entertainment Europe Limited. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. They failed in their bid to appeal.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 16 July 2013 Janet Thomas. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website
  • 9 July 2013 Health & Care Professions Council (HCPC). An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.
  • 12 June 2013 (issued 10 September 2012) Bedford Borough Council. An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.
  • 2 June 2013 (issued 18 September 2012) Central Bedfordshire Council. An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.
  • 31 May 2013 Leeds City Council. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.
  • May Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.
  • 21 May 2013 (issued 9 November 2011) News Group Newspapers. An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.
  • 26 April 2013 The Burnett Practice. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.
  • 4 April 2013 East Riding of Yorkshire Council. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.
  • 25 January 2013 Mansfield District Council. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.
  • 16 January 2013 Prospect. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

  • 23 May 2013 A former manager of a health service based at a council-run leisure centre in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to over 2,000 people.
  • 8 April 2013 A Hertfordshire estate agent has been prosecuted under section 17 of the Data Protection Act after failing to notify with the ICO.
  • 12 March 2013 A former receptionist at a GP surgery in Southampton has been prosecuted under section 55 of the Data Protection Act for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

Also read

IT Security Still Not Protecting the Right Assets Despite Increased Spending

Most IT security resources in today’s enterprise are allocated to protecting network assets, even though the majority of enterprises believe a database security breach would be the greatest risk to their business, according to a report issued by CSO Custom Solutions Group and sponsored by Oracle.

In the survey with 110 companies from industries including Financial Services, Government, High Tech, more than two thirds of IT security resources remain allocated to protecting the network layer, while less than one third of the staff and budget resources were allocated to protecting core infrastructure such as databases and applications.

Key findings from the report

  • When comparing the potential damage caused by breaches, most enterprises believed that a database breach would be the most severe as they contain the most vital and valuable information intellectual property as well as sensitive customer, employee, and corporate financial data.
  • An un-balanced and fragmented approach to security has left many organizations’ applications and data vulnerable to attacks both internally and externally.
  • Today’s findings underscore the relevance of Oracle’s “security inside-out” approach which means focusing attention on the organizations most strategic assets which include databases, applications and users.
  • Nearly 66% of respondents said they apply a security inside out strategy, where as 35% base their strategy on end point protection.
  • Even with this fundamental belief in strategy, spending does not truly align as more than 67% of IT security resources including budget and staff time remain allocated to protecting the network layer and less than 23% of resources were allocated to protecting core systems like servers, applications and databases.
  • 44% believed that databases were safe because they were installed deep inside the perimeter.
  • 90% report the same or higher, level of spend compared to 12 months prior. The survey shows that 59% of participants plan to increase security spending in the next year.
  • In 35% of organizations, security spend was influenced by sensational informational sources rather than real organizational risks.
  • 40% of respondents believed that implementing fragmented point solutions created gaps in their security and 42% believe that they have more difficulty preventing new attacks than in the past.

IT Security has to focus attention on the most strategic assets. Organizations cannot continue to spend on the wrong risks and secure themselves out of business. When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access,” said Mary Ann

Davidson, Chief Security Officer at Oracle. “Organizations have to get the fundamentals right which are database security, application security and identity management.”

“The results of the survey show that the gap between the threat of severe damage to a database attack versus the resources allocated to protecting the database layer is significant, highlighting the disconnect in how organizations are securing their IT infrastructures,” said Tom Schmidt, Managing Editor, CSO Custom Solutions Group.

The full report can be found here.

SMEs are putting larger customers at risk of security breaches

According to Shred-it’s third annual Security Tracker survey SMEs in the UK are putting their own businesses at risk and could also be damaging larger firms they supply services to by not taking enough preventative measures of confidential data.

It’s good business sense for larger companies to ask whether their suppliers have a data protection partner and an information security system in place – not only to prevent sensitive information being lost by a third party but also because the financial and reputational damage of a breach could put that supplier out of business and cause havoc in the supply chain,” warns Robert Guice, Vice President Shred-it EMEA.

The survey reveals SMEs are 10 times less likely to have an information security system set up than is the case with larger businesses.

SMEs continue to hugely underestimate the potential cost of a data breach to them. In terms of financial loss, the Information Commissioner’s Office in the UK can fine companies up to half a million pounds, enough to send many companies into insolvency”, Mr Guice said. “We believe that smaller companies maybe over-estimating the costs involved in making sure confidential information is kept safe

Whilst larger companies may be able to absorb this cost, SMEs risk a huge hit to their bottom line and a tarnished reputation which can impact relationships with customers and other business partners” Mr Guice continued.

There is a worrying gap between the protocols in place between smaller and larger businesses. Whilst companies with revenue over £1m are eight times more likely to use a professional shredding company to dispose of their sensitive documents, 37 per cent of small businesses in the UK have no information security management system in place. Moreover, three in ten (28 per cent) small business owners have never provided any information security training to their employees.

Key findings include

  • 2 in every 5 large businesses suffering a data breach have incurred losses of more than £500,000
  • The average fine is approximately £150,000 – large enough for 30% of companies to have to lay off staff as a result.
  • 77% of larger businesses have an employee directly responsible for managing information security issues at management level (66%) or board level (11%)
  • 48% of SMEs have a nominated person
  • 95% of large businesses have an employee devoted to data protection compared with only 53% of small business owners, suggesting that larger businesses better understand the potential threat of data breaches and have put control systems in place accordingly.
  • 33% of senior business executives and only 4% of small business owners use a professional shredding service
  • 88% of large businesses are more than twice as likely to be aware of the EU Data Protection Directive reforms as small businesses (43%).
  • Although the gap is closer, large businesses are still more likely to be aware of the UK Data Protection Act (92%) than small business owners (72%).
  • With more information being stored in electronic form, it is equally worrying that less than one quarter of large (23%) and small businesses (25%) crush their electronic media – which means the vast majority of UK businesses are inadvertently putting themselves and their customers at risk.
  • Businesses could be giving away private information to fraudsters by not properly disposing of or destroying hard drives. 66% of large business and 49% of small business owners wrongly think that degaussing or wiping a hard drive will remove confidential information kept on them.

.

76% of companies have had a data breach or expect to have a breach

Experian Data Breach Resolution and the Ponemon Institute have released a study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident.

The report, “Is Your Company Ready for a Big Data Breach?” examines the consequences of data breach incidents and the steps taken to lessen future damage.

Respondents include senior privacy and compliance professionals of organisations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.

A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions

The study’s key findings include:

Companies experience and anticipate harm due to breaches Companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.

  • 76% of privacy professionals say their organisation already had or expects to have a material data breach that results in the loss of customers and business partners.
  • 75% say they have had or expect to have such an incident that results in negative public opinion and media coverage.
  • 66% of companies have or believe they will suffer serious financial consequences as a result of an incident.

Despite consequences, incident response remains a challenge Companies struggle to properly handle potential damage due to a data breach and implement technologies to help prevent future incidents, even after suffering an incident.

  • Despite experiencing a breach, not all companies prepare for a future breach.
  • 39% of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.
  • 10% of organizations have data breach or cyber insurance.
  • A majority of organisations surveyed do not provide clear communication and notification to victims following an incident.
  • 21% of respondents have communications teams trained to assist in responding to victims.
  • 30% of respondents say their organisations train customer service personnel on how to respond to questions about the data breach incident.
  • 65% also lack mechanisms to verify that contact with each victim was completed, and only 38% have mechanisms for working with victims with special circumstances.
  • The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident.
  • Encryption is not widely deployed: Less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.
  • Forensics is lacking. Many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.
  • Only 36% have the tools or technologies to assess the size and impact of a data breach.
  • 19% have advanced forensics to determine the nature and root causes of cyberattacks.
  • 25% have the ability to ensure the root cause of the data breach was fully contained.

The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, Chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach

.

Survey reveals companies are taking risks whilst outsourcing consumer data

Experian Data Breach Resolution and the Ponemon Institute survey results identify opportunity for improved data oversight.

The study, “Securing Outsourced Consumer Data”, reveals that many organizations (46%) do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.

The survey of almost 750 individuals in organizations that transfer consumer data to third-party vendors. The survey’s aim was to increase understanding of data breach frequency when consumer data is outsourced, to determine what steps are taken to ensure vendors’ data stewardship, and to evaluate privacy and security practices between companies and outsource vendors.

Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.

When sharing sensitive and confidential consumer information, 49% said that they do not monitor or are unsure whether their organization monitors vendor security and privacy practices.

Additional key findings from the survey include:

  • 56% of respondents acknowledged incidents when their organizations did not act on a vendor’s data breach
  • Outsourcing consumer information demands oversight survey results indicate that organizations that transfer or share consumer data with vendors experience data breaches more often than not
  • 65% of respondents said their organization had a data breach involving the loss or theft of their organization’s information
  • 64% of respondents reported their organization has experienced more than one data breach
  • Training is essential to protect against data breaches. Causes for data breaches can be reduced significantly through enforcement of policies and effective training
  • 45% of respondents reported negligence as the root cause of third-party data breaches
  • 40% of data breaches were the result of lost or stolen devices
  • Security and control procedures need improvement
  • 56% said their organization learned about a data breach accidentally
  • Only 27% said the organization’s security and control procedures uncovered the incident
  • 23% said the vendor’s security and control procedures alerted the organization to a breach

It is imperative that businesses and organizations place a priority on evaluating a vendor’s ability to secure sensitive data said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

.

What happens after a data breach?

A report by Solera Networks and Ponemon reveals rise in security breaches, with organisations taking months to detect and contain them.

The Ponemon report “The Post Breach Boom”’ commissioned by Solera Networks polled 3,529 IT and IT security professionals in eight countries to understand the steps they are taking in the aftermath of malicious and non-malicious data breaches over the past 24 months.

Highlights of the research include:

Data breaches are on the rise and organizations are unprepared to detect them or resolve them:

  • 54% of respondents said data breaches have increased in both severity
  • 52% said the frequency had increased

Additionally

  • 63% say that knowing the root causes of breaches strengthens their organization’s security posture
  • 40% say they have the tools, personnel and funding to pinpoint the root causes
  • Breaches remain undiscovered and unresolved for months. On average, it is taking companies nearly three months (80 days) to discover a malicious breach and then more than four months (123 days) to resolve it.
  • Security defences are not preventing a large portion of breaches. One third of malicious breaches are not being caught by any of the companies’ defences they are instead discovered when companies are notified by a third party, either law enforcement, a partner, customer or other party or discovered by accident.
  • 34% of non-malicious breaches are discovered accidentally
  • Malicious breaches are targeting key information assets within organization. 42% of malicious breaches targeted applications
  • 36% targeted user accounts

Details of Impact and the cost of breaches from the report

  • On average, malicious breaches cost $840,000, significantly more costly than non-malicious data breaches at $470,000.
  • The average cost of a data breach per compromised record is $194
  • However, if the root cause is the result of a malicious insider or attack the average per record cost climbs to $222
  • While breaches attributed to a negligent insider averages far less at $174 per compromised record

For non-malicious breaches, lost reputation, brand value and image were reported as the most serious consequences by participants. For malicious breaches, organizations suffered lost time and productivity followed by loss of reputation.

Following a malicious breach, organizations more often invested in enabling security technologies (65% vs. 42% of respondents). More often they also made changes to its operations and compliance processes to better prevent and detect future breaches (63% vs. 54%).

Endpoint security and encryption tools were the most popular following a non-malicious breach and SIEM and encryption tools were most frequently purchased following a malicious breach. Breaches drive increased spending on data security, according to 61% of respondents. The average increase is 20%.

52% of respondents say the breach resulted in an increase in spending on forensic capabilities. Among those organizations that spent more the increase was an average of 33%. This represents 13% more than the increase in data security funding.

Security breaches continue to occupy the headlines on a daily basis, making it clear that there is still much work to be done before companies are prepared for the inevitability of today’s advanced targeted attacks,” said John Vecchi, vice president of marketing, Solera Networks. “In a post-prevention world, organizations must shift their focus toward attaining the real-time visibility, context and big data security analytics needed to see, detect, eradicate and respond to advanced malware and zero-day attacks

“Our study confirms that organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Meanwhile, months are passing as their key information assets are left exposed. The results demonstrate a clear need for greater and faster visibility as well as a need to know the root cause of the breaches themselves in order to close this persistent window of exposure

.

More Than 12 Million Identity Fraud Victims in 2012, study finds

Javelin Strategy & Research have released their 2013 Identity Fraud Report with some startling results the scariest being “one in four consumers who receive a data breach letter will become the victim of identity fraud.”

This means the days when a breached organisation would try to keep a breach quiet with the hope that it would go away have gone because the odds are far too high to ignore financial impacts that follow Identity Theft. 

This past year was one where there were both successes and setbacks for consumers, institutions and fraudsters,” said Jim Van Dyke, CEO of Javelin Strategy & Research, in a prepared statement. “Consumers and institutions are now starting to act as partners detecting and stopping fraud faster than ever before. But fraudsters are acting quicker than ever before and victimizing more consumers. Consumers must take data breach notifications more seriously and maintain vigilance to safeguard personal information, especially Social Security numbers

Key findings from the study include:

–  $21 billion was stolen in 2012. Higher than in recent years but considerably lower than the $47 billion in 2004

–  Almost 1 in 4 consumers who received a breach notification letter became a victim of identity fraud.

This underscores the need for consumers to take all notifications seriously. Not all breaches are created equal. The study found consumers who had their Social Security number compromised in a data breach were 5 times more likely to be a fraud victim than an average consumer

–  The stolen information was misused for a variety of fraud types, for example credit cards, loans and mobile phone bills and on average was misused for an average of 48 days during 2012 which is down from 55 days in 2011 and 95 days in 2010.

More than 50% of victims were actively detecting fraud using financial alerts, credit monitoring or identity protection services and by monitoring their account

–  15% of all fraud victims changed their online behavior and avoid smaller merchants

While credit card numbers remain the most popular item revealed in a data breach, in reality other information can be more useful to fraudsters. Personal information such as online banking login, username and password were compromised in 10% of incidents and 16% of incidents included Social Security numbers

It’s not just online fraud or data breaches. More than 1.5 million consumers were victims of familiar fraud, which is fraud when victims know the fraudster. Lower income consumers were more likely to be victims of familiar fraud. The information most likely to be taken via familiar fraud includes name, Social Security number, address and checking account numbers

Javelin have produced some guidance for consumers called the “Seven Safety Tips to Protect Consumers”

Javelin Strategy & Research recommends that consumers work in partnership with institutions to minimize their risk and impact of identity fraud by following a three-step approach: Prevention, Detection and Resolution™.

Prevention

1. Keep personal data private—Secure your personal and financial records behind a password or in a locked storage device whether at home, at work and on your mobile device. Familiar fraud is a serious issue with 12 percent of fraud victims knowing the perpetrator personally. Other ways to secure information include: not mailing checks to pay bills, shredding documents, monitoring your accounts weekly, and protecting your computer and mobile device with updated security software. Use a trusted and secure Internet connection (not a public Wi-Fi hotspot) when transmitting personal or financial information, and direct deposit payroll checks.

2. Look for security features—When paying online be sure you have a secure connection. Two ways you can denote a secure connection are to look for “https” and not just http at the start of the merchant’s web address or a bright green box and padlock graphic in the address bar of most browsers. Check for either one of these before entering personal or payment information.

3. Think before you share—Before providing any sensitive information, question who is asking for the information. Why do they need it? How is the information being used? Do not provide the information if you are unsure about the legitimacy of the request. Be careful when clicking on links that then take you to a page asking for personal information. If an organization asks you for your Social Security number to validate your identity, request another question.

Detection

4. Be Proactive—There are many different levels of identity theft protection and consumers should work in partnership with institutions on identity theft prevention. By setting up alerts that can be sent via e-mail and to a mobile device and monitoring accounts online at bank and credit card websites, consumers can take a more proactive role in detecting identity fraud and stopping misuse. In 2012, 50 percent of fraud was first detected by the victims.

5. Enlist others—There are a wide array of services available to consumers who want extra protection and peace of mind including payment transaction alerts, credit monitoring, credit report fraud alerts, credit freezes and database scanning. 3 out of every 5 identity fraud victims did not know the source of their fraud, but many services will now provide alerts directly to a consumer’s smartphone. Some services can be obtained for a fee and others at no cost to the consumers who are victims of a data breach. These services can monitor credit reports, public records and online activity for signs of fraudulent use of personal information.

Resolution

6. Take any data breach notification seriously—If you receive a data breach notification, take it very seriously as you are at a much higher risk according to the 2013 Identity Fraud Report. If you receive an offer from your financial institution or retailer for a free monitoring service after a breach, you should take advantage of the offer, closely monitor your accounts and put a fraud alert on your credit report.

7. Don’t wait. Report problems immediately—If you suspect or uncover fraud, contact your bank, credit union, wireless provider or protection services provider to take advantage of resolution services, loss protections and methods to secure your accounts. A fast response can enhance the likelihood that losses are reduced, and law enforcement can pursue fraudsters so they experience consequences for their actions.

.

Nursing and Midwifery Council fined for breaching the Data Protection Act

The Information Commissioner’s Office has issued a £150,000 fine to the Nursing and Midwifery Council was for breaching the Data Protection Act. 

The Nursing and Midwifery Council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. 

In October 2011 the DVDs, containing confidential information, was sent to a misconduct hearing via a courier and when the package arrived at the hearing the DVDs were missing and have never found 

After an investigation by the ICO it was found the information was not encrypted. 

David Smith, Deputy Commissioner and Director of Data Protection, said:

It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected. 

I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case? 

If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered. 

The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.

.

Securing Patient data has improved massively but still has work to do

In it’s recent Winter 2013 Newsletter Experian released the details of the fifth annual Healthcare Information and Management Systems Society (HIMSS) which they sponsored.

The survey found many areas of improvement and highlighted them in the infographic below:

Infographic_-The-security-of-patient-data-in-a-virtual-universe3

Key highlights from the HIMSS study include:

  • Only 38% of the respondents encrypt mobile devices, such as smartphones and tablets, which is worrisome considering their rising use. In fact, there are currently 1.1 billion global smartphone subscribers, representing a 42% year over year growth rate. In addition, there’s been a 29% increase in tablet or e-reader users since 2009.
  • Only 43% of respondents test their data response plans, meaning they don’t know whether their plans work. Organisations should review their response plans regularly and conduct practice runs at least once per year. It’s also a good idea to update the contact list of your response team quarterly and redistribute it.
  • 64% of this year’s respondents encrypt emails, compared to 55% in 2008.
  • Two-thirds conduct a risk analysis at least once per year, compared to 54% in 2008
  • Nearly 25% of the respondents sustained a data breach in the past year alone
  • the high number of breaches has caused 21 million American patients to have their healthcare records exposed to date
  • 90% of the respondents (Hospitals) in a recent study indicating that they conduct formal risk analyses.

.

2013 looks like being a bigger year than 2012 as the ICO starts catching up with the backlog of breaches

2013 has started as 2012 finished off with UK Information Commissioner (ICO) coming down hard on those who breach the Data Protection Act.

So far this January 3 organisations have fallen foul of the ICO:

  1. Sony Computer Entertainment Europe Limited
  2. Mansfield District Council
  3. Prospect Trade Union

Sony Computer Entertainment Europe Limited

Sony Computer Entertainment Europe Limited fined £250,000 after the April 2011 hacking of the Sony PlayStation Network Platform (PSN). That breach resulted in millions of Sony customers having their data stolen including:

  • Names
  • Addresses
  • Email addresses
  • Dates of birth
  • Account passwords
  • Customers’ payment card details were also at risk.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.

“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.”

Mansfield District Council. The council had several incidents of housing benefit claimants personal data being disclosed to the wrong landlord. The ICO has issued a formal undertaking to Mansfield District Council.

Prospect Trade Union. Prospect unfortunately sent two files containing personal details of approximately 19,000 members of the union to an unknown third party email address in error. The ICO has issued a formal undertaking to Prospect.

Both Prospect and Mansfield District Council have agreed “Formal Undertaking”. An undertaking is a detailed and document agreement between the ICO and the organisation that breached the Data Protection Act, specifically how those that have breached the Act will improve their Data Protection regime.

The Sony hack was widely reporting and was a result of an external attack whilst the other two, Prospect and Mansfield District Council were both the result of avoidable human error.

Want to know who was caught in 2012? Read my post 2012 was a big year for the Data Protection Act with record fines and breaches, see the full 2012 list here.

The average cost of a data breach is $8.9m in the US and £2.1m in the UK

The results of the Ponemon 2012 Cost of Cyber Crime Study for the United States, United Kingdom, Germany, Australia and Japan. For the purposes of this post I have summarised the United States and the United Kingdom.

The study, sponsored by HP Enterprise Security, focused on organizations located in the United States and the United Kingdom many are multinational corporations.

Cyber-attacks generally refer to criminal activity conducted via the Internet. These attacks can include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure. Consistent with the previous two studies, the loss or misuse of information is the most significant consequence of a cyber-attack. Based on these findings, organizations need to be more vigilant in protecting their most sensitive and confidential information. 

  • The median annualised cost for 38 UK benchmarked organisations is £2.1 million per year, with a range from £.4 million to £7.7 million each year per company.
  • The median annualized cost for 56 US benchmarked organizations is $8.9 million per year, with a range from $1.4 million to $46 million each year per company. 

UK Summary

Cybercrimes are costly. The study found that the median annualised cost for 38 benchmarked organisations is £2.1 million per year, with a range from £.4 million to £7.7 million each year per company. 

Cybercrime cost varies by organisational size. Results reveal a positive relationship between organisational size (as measured by enterprise seats) and annualised cost. However, based on enterprise seats, Ponemon determined that smaller-sized organisations incur a significantly higher per capita cost than larger-sized organisations (£399 versus £89). 

All industries fall victim to cybercrime, but to different degrees. The average annualised cost of cybercrime appears to vary by industry segment, where defence, utilities and energy and financial service companies experience higher costs than organisations in hospitality, retail and education. 

Cybercrimes are intrusive and common occurrences. The companies participating in our study experienced 41 successful attacks per week, or about 1.1 successful attacks per organisation. 

The most costly cybercrimes are those caused by malicious insider, denial of service and malicious code. These account for more than 44% of all cybercrime costs per organisation on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions. 

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organisational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organisations of £135,744 over this 24-day period. Results show that malicious insider attacks can take more than 50 days on average to contain. 

Disruption to business processes and revenue losses represent the highest external costs. This is followed by theft of information assets. On an annualised basis, disruption to business or lost productivity account for 38% of external costs. Costs associated with revenue losses and theft of information assets represents 53% of external costs. 

Recovery and detection are the most costly internal activities. On an annualised basis, recovery and detection combined account for 55% of the total internal activity cost with cash outlays and labour representing the majority of these costs. 

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of £.4 million when compared to companies not deploying security intelligence technologies. 

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that have adequate resources, appoint a high-level security leader, and employ certified or expert staff experience cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at more than £.3 million, on average. 

A strong security posture moderates the cost of cyber-attacks. Ponemon utilize a well-known metric called the Security Effectiveness Score (SES) to define an organisation’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organisation is in achieving its security objectives. The average cost to mitigate a cyber-attack for organisations with a high SES is substantially lower than organisations with a low SES score.

Summary of US findings

Cybercrimes continue to be very costly for organizations. Ponemon found that the median annualized cost for 56 benchmarked organizations is $8.9 million per year, with a range from $1.4 million to $46 million each year per company. Last year’s median cost per benchmarked organization was $8.4 million. Ponemon observe a $500,000 (6%) increase in median values. 

Cybercrime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, Ponemon determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,324 versus $305). 

All industries fall victim to cybercrime, but to different degrees. The average annualized cost of cybercrime appears to vary by industry segment, where defence, utilities and energy and financial service companies experience higher costs than organizations in retail, hospitality and consumer products. 

Cybercrimes are intrusive and common occurrences. The companies participating in our study experienced 102 successful attacks per week – or 1.8 successful attacks per organization. In last year’s study, an average of 72 successful attacks occurred per week. 

The most costly cybercrimes are those caused by denial of service, malicious insider and web-based attacks. This account for more than 58% of all cybercrime costs per organization on an annual basis.4 Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, applications security testing solutions and enterprise GRC solutions. 

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organizations of $591,780 during this 24-day period. This represents a 42% increase from last year’s estimated average cost of $415,748, which was based upon an 18-day resolution period. Results show that malicious insider attacks can take more than 50 days on average to contain. 

Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 44% of total external costs (up 4% from 2011). Costs associated with disruption to business or lost productivity account for 30% of external costs (up 1% from 2011). 

Recovery and detection are the most costly internal activities. On an annualized basis, recovery and detection combined account for 47% of the total internal activity cost with cash outlays and labour representing the majority of these costs. 

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of $1.6 million when compared to companies not deploying security intelligence technologies. 

A strong security posture moderates the cost of cyber-attacks. Ponemon utilize a well-known metric called the Security Effectiveness Score (SES) to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber-attack for organizations with a high SES is substantially lower than organizations with a low SES score. 

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at more than $1 million, on average. 

UK report is here – registration is required. 

US report is here  – registration is required.

.

Almost 50% of organizations report 10 or more significant data breaches a year

Ponemon have revealed the results of a Co3 Systems sponsored survey into Data Loss Management. Ponemon Institute polled more than 100 influencers in the privacy and data protection community across the US.

Key findings of the survey were:-

  • almost 50% of organizations experience ten or more data loss incidents annually that meet the legal criteria that require tracking and reporting
  • more than 60% of the organisations surveyed employ manual, repetitive and time intensive processes to manage these incidents across tasks like notifying customers and informing regulators

“Not only have the number of data breaches reached epidemic proportions, but organizations are hemorrhaging records at staggering volumes,” said Dr. Ponemon. “To start the response process at day zero and square one is not only a recipe for disaster, it is irresponsible business. Privacy has become a hot button issue for everyone from citizen groups to elected officials, and one can only expect protections and regulations to increase. Organizations need to evaluate ways to automate their response process, and tools like Co3 have arrived at just the right time.”

“The Ponemon survey findings, with regards to data breach response and management, highlight the very real challenges firms are grappling with,” said John Bruce, CEO at Co3 Systems. “Organizations realize that the opportunities for loss and exposure — by their own hand or through partners and connected organizations — far outnumber the points of control and protection they can implement. It’s not surprising that more than one third of those surveyed have tried to create their own automated systems to cope with the implications of a breach. Our knowledgebase of regulations and industry best practices produce instant incident response plans based on the unique characteristics of a breach, and our easy-to-use project management interface ensures a timely, decisive and accurate response by any team.”

.

Who has breached the Data Protection Act in 2012? Find the complete list here.

So far 2012 has been a busy year for the Information Commissioners Office (ICO) and with almost three quarters of the year gone I thought I would look at who has fallen foul of the Data Protection Act.

There are normally three types of punishments administered by the ICO

  1. Monetary. The most serious of the actions and one normally reserved for organisational entities.
  2. Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO
  3. Prosecutions. Normally reserved for individuals who have blatantly breached the Act.

In the near future I expect the proposed revised and consolidated European wide Data Protection Act to lead to more activity by the ICO, in the UK and across the other 27 member states. Read my summary of the propose European Data Protection Act here.

Below is a summary of the ICO’s activity in 2012 across all three “punishment” areas.

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury.

  • 6 August 2012 A monetary penalty of £175,000 was issued to Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. Read the details here.
  • 12 July 2012 A monetary penalty of £60,000 was issued to St George’s Healthcare NHS Trust after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • 5 July 2012 A monetary penalty notice of £150,000 has been served to Welcome Financial Services Limited following a serious breach of the Data Protection Act. The breach led to the personal data of more than half a million customers being lost.
  • 19 June 2012 A monetary penalty notice of £225,000 has been served to Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  • 6 June 2012 A monetary penalty for £90,000 has been served to Telford & Wrekin Council for two serious breaches of the seventh data protection principle. A Social Worker sent a core assessment report to the child’s sibling instead of the mother. The assessment contained confidential and highly sensitive personal data. Whilst investigating the first incident, a second incident was reported to the ICO involving the inappropriate disclosure of foster carer names and addresses to the children’s mother. Both children had to be re-homed.
  • 1 June 2012 A monetary penalty notice for £325,000 has been served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an Internet auction site in October and November 2010. Read the details here.
  • 21 May 2012 A monetary penalty notice for £90,000 has been served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when sensitive personal data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data. Read the details here.
  • 15 May 2012 A monetary penalty of £70,000 was issued to the London Borough of Barnet following the loss of sensitive information relating to 15 vulnerable children or young people, during a burglary at an employee’s home. Read the details here.
  • 30 April 2012 A monetary penalty of £70,000 has been issued to the Aneurin Bevan Health Board following an incident where a sensitive report containing explicit details relating to a patient’s health – was sent to the wrong person. Read the details here.
  • 14 March 2012 A monetary penalty of £70,000 was issued to Lancashire Constabulary following the discovery of a missing person’s report containing sensitive personal information about a missing 15 year old girl. Read the details here.
  • 15 February 2012 A monetary penalty of £80,000 has been issued to Cheshire East Council after an email containing sensitive personal information about an individual of concern to the police was distributed to 180 unintended recipients. Read the details here.
  • 13 February 2012 A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. View a PDF of the Croydon Council monetary penalty notice
  • 13 February 2012 A monetary penalty of £80,000 has been issued to Norfolk County Council for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.
  • 30 January 2012 A monetary penalty of £140,000 was issued to Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read the details here.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

  • 6 August 2012 An undertaking to comply with the seventh data protection principle has been signed by Marston Properties. This follows the loss of 37 staff members’ details when the filing cabinet the information was stored in was sent to a recycling centre and crushed.
  • 13 July 2012 An undertaking to comply with the seventh data protection principle has been signed by West Lancashire Borough Council. This follows the theft of a business continuity bag containing emergency response documents and personal data relating to 370 council employees.
  • 26 June 2012 An undertaking to comply with the seventh data protection principle has been signed by South Yorkshire Police. This follows the inclusion of personal data relating to drug offences, in response to a Freedom of Information request made by a journalist.
  • 23 May 2012 An undertaking to comply with the seventh data protection principle has been signed by Holroyd Howe Independent Ltd. This follows the release of a document containing details of employees’ pay to a former employee.
  • 30 April 2012 An undertaking to comply with the seventh data protection principle has been signed by the Aneurin Bevan Health Board. This follows an incident where a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person. This breach was also the subject of a monetary penalty.
  • 25 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Safe and Secure Insurances Services Limited. This follows the purchase of a hard drive from the Internet which contained personal data relating to the company’s clients.
  • 18 April 2012 An Undertaking to comply with the seventh data protection principle has been signed by Brecon Beacons National Park Authority. This follows two data security incidents which relate to the unauthorised disclosure of personal data on the data controller’s website.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Leicestershire County Council, following the theft of a briefcase containing sensitive personal data from a social worker’s home.
  • 17 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Toshiba Information Systems UK Ltd. This follows a web design error that created the potential for unauthorised access to individual’s personal data.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by Hertfordshire County Council. This follows the loss of an Attendance and Pupil Support consultation folder in January 2011.
  • 11 April 2012 An undertaking to comply with the seventh data protection principle has been signed by South London Healthcare NHS Trust. This follows the loss of two unencrypted memory sticks, the leaving of a clipboard with ward lists attached in a grocery store and a failure to adequately secure some patient paper files when not in use. All of the information was recovered.
  • 27 March 2012 An Undertaking has been signed by Pharmacyrepublic Ltd following the theft of a patient medication system containing the medication details of 2000 patients. The system, which was supplied by another firm, should have been securely returned to them by Pharmacyrepublic Ltd before the premises were vacated. Read the details here.
  • 14 March 2012 An undertaking to comply with the seventh data protection principle has been signed by the Lancashire Constabulary. This follows the discovery of a missing person’s report on a street in Blackpool. A monetary penalty has also been issued to the authority in connection with this incident.
  • 9 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Enable Scotland (Leading the Way), after two unencrypted memory sticks and papers containing the personal details of up to 101 individuals were stolen from an employee’s home.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Community Integrated Care, a national social care charity. This follows the theft of an unencrypted laptop containing personal and sensitive personal data.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by Durham University. This follows the disclosure of personal information in training materials published on its website.
  • 1 March 2012 An Undertaking to comply with the seventh data protection principle has been signed by London Borough of Croydon. This follows the theft of a bag belonging to a social worker from a public house in London. The bag contained a hard copy file of papers concerning a child who is in the care of the Council. This incident was also subject to a monetary penalty which was announced earlier this month.
  • 1 March 2012 An undertaking to comply with the seventh data protection principle has been signed by Dr Pervinder Sanghera of Arthur House Dental Care. This follows the discovery of an unencrypted memory stick containing personal and limited sensitive personal data relating to patients and employees of the practice.
  • 10 February 2012 Youth charity Fairbridge has signed an undertaking committing the organisation to taking action after the loss of two unencrypted laptops containing employee information.
  • 10 February 2012 Healthcare provider Turning Point has signed an undertaking committing the organisation to take action after the loss of three service users’ files during an office relation.
  • 10 February 2012 Five local authorities have signed undertakings to comply with the seventh data protection principle, following incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
  • 10 February 2012 Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • 10 February 2012 Brighton and Hove Council emailed the details of another member of staff’s annual salary – and the deductions made from this – to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee.
  • 10 February 2012 Undertakings have been signed by • Dacorum Borough Council • Bolton Council • Craven District Council
  • 3 February 2012 An undertaking to comply with the seventh data protection principle has been signed by E*Trade Securities Ltd. This follows a report to the Commissioner concerning missing client files. The files contained limited sensitive personal data including identification documents.
  • 20 January 2012 An undertaking has been signed by Manpower UK Ltd following a breach of the Data Protection Act where a spreadsheet containing 400 people’s personal details was accidentally emailed to 60 employees.
  • 18 January 2012 An undertaking has been signed by the Chartered Institute of Public Relations, following the loss of up to 30 membership forms on a train. The organisation didn’t have a policy in place for handling personal data outside of the office at the time of the incident.
  • 18 January 2012 Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep peoples’ data secure. An unencrypted memory stick, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland, was lost on the Isle of Man.

Prosecutions:

  • 2 August 2012. Mohammed Ali Enayet, owner of The Lime Lounge in Cleveleys has been prosecuted by the ICO for failing to register his premises’ use of CCTV equipment.
  • 30 March 2012. SAI Property Investments Limited, trading as IPS Property Services and one of its directors Mr Punjab Sandhu unlawfully obtained details about their tenants from a rogue employee at Slough Borough Council have been found guilty of committing offences under Section 55 of the Data Protection Act 1998 (DPA).
  • 27 February 2012. Pinchas Braun, a letting agent who unlawfully tried to obtain details about a tenant’s finances from the DWP has been found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.
  • 12 January 2012. Juliah Kechil, formerly known as Merritt, a former health worker has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.

The ICO is not just an enforcer, he offers advice too The Information Commissioner’s 5 Tips on how to better protect personal information .

The list was compiled on the 16th August 2012, updates will be added later so why not subscribe to the blog and automatically get the updates.

 

See Who breached the Data Protection Act in 2013? Find the complete list here.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: