
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Ponemon Institute

The State of Cybersecurity in Healthcare Organizations in 2016

ESET and the Ponemon Institute have announced results of The State of Cybersecurity in Healthcare Organizations in 2016.

According to the study, healthcare organizations average about one cyber attack per month, and 48% of respondents said their organizations have experienced an incident involving the loss or exposure of patient information during the last 12 months. Yet despite these incidents, only half indicated their organization has an incident response plan in place.

“The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security,” said Stephen Cobb, senior security researcher at ESET. “The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management.”

Key findings of the survey:

According to 78% of respondents, the most common security incident is the exploitation of existing software vulnerabilities more than three months old.

63% said the primary consequences of APTs and zero-day attacks were IT downtime.

46% of respondents experienced an inability to provide services, which creates serious risks for patient treatment.

Hackers are most interested in stealing patient information

  • The most attractive and lucrative target for unauthorized access and abuse can be found in patients’ medical records, according to 81% of respondents.

Healthcare organizations worry most about system failures

  • 79% of respondents said that system failures are one of the top three threats facing their organizations
  • 77% said cyber attackers
  • 77% said unsecure medical devices

Technology poses a greater risk to patient information than employee negligence

  • 52% of respondents said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things increase security vulnerabilities for patient information
  • 46% of respondents also expressed concern about the impact of employee negligence
  • 45% cited the ineffectiveness of HIPAA-mandated business associate agreements designed to ensure patient information security

DDoS attacks have cost organizations on average $1.32 million in the past 12 months

  • 37% of respondents say their organization experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months. These attacks cost an average of $1.32 million each, including lost productivity, reputation loss and brand damage.

Healthcare organizations need a healthy dose of investment in technologies

  • On average, healthcare organizations represented in this research spend $23 million annually on IT
  • 12% on average is allocated to information security
  • Since an average of $1.3 million is spent annually for DDoS attacks alone, a business case can be made to increase technology investments to reduce the frequency of successful attacks

“Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies.”

Cost of Phishing and Value of Employee Training

The Ponemon Institute has presented the results of its study the Cost of Phishing and Value of Employee Training, sponsored by Wombat Security. The purpose of this research is to understand how training can reduce the financial consequences of phishing in the workplace.

Phishing

The research reveals the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity. Based on the analysis described later in this report, Ponemon extrapolate an average improvement of 64% from six proof of concept training projects. This improvement represents the change in employees who fell prey to phishing scams in the workplace before and after training.

As a result of effective training provided by Wombat, Ponemon estimate a cost savings of $1.8 million or $188.4 per employee/user. If companies paid Wombat’s standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determine a very substantial net benefit of $184.7 per user, for a remarkable one-year rate of return at 50X.

To determine the cost structure of phishing, Ponemon surveyed 377 IT and IT security practitioners in organizations in the United States. 39% of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The topics covered in this research include the following:

  • The financial consequences of phishing scams
  • The financial impact of phishing on employee productivity
  • The cost to contain malware
  • The cost of malware not contained & the likelihood it will cause a material data breach
  • The cost of business disruption due to phishing
  • The cost to contain credential compromises
  • Potential cost savings from employee training

Phishing scams are costly. Often overlooked is the potential cost to organizations when employees are victimized by phishing scams. Ponemon’s cost analysis includes the cost to contain malware, the cost of malware not contained, loss of productivity, the cost to contain credential compromises and the cost of credential compromises not contained. Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in Ponemon’s sample totals $3.77 million.

Summarized calculus on the cost of phishing (estimated cost):
Part 1. The cost to contain malware $208,174
Part 2. The cost of malware not contained $338,098
Part 3. Productivity losses from phishing $1,819,923
Part 4. The cost to contain credential compromises $381,920
Part 5. The cost of credential compromises not contained $1,020,705
Total extrapolated cost $3,768,820

The average total cost to contain malware annually is $1.9 million. The first step in understanding the overall cost is to analyze the six tasks to contain malware infections. Drawing from the empirical findings of an earlier study, Ponemon were able to derive cost estimates relating to six discrete tasks conducted by companies to contain malware infections in networks, enterprise systems and endpoints. The table below summarizes the hours incurred each year for the six tasks by the average-sized organization. The largest tasks incurred to contain malware involve the cleaning and fixing of infected systems and conducting forensic investigations.

Documentation and planning represents the smallest tasks in terms of hours spent each year.

Six tasks to contain malware infections (estimated hours per annum):

Planning 910
Capturing intelligence 3,806
Evaluating intelligence 2,844
Investigating 10,338
Cleaning & fixing 11,955
Documenting 671
Total hours 30,524

The annual cost to contain malware is based on the hours to resolve the incident. These cost estimates are based on a fully loaded average hourly labor rate for US-based IT security practitioners of $62. As can be seen, the extrapolated total cost to contain malware is $1.89 million.

The adjusted cost of malware containment resulting from phishing scams is $208,174 per annum. The final step in determining the cost of malware containment attributable to phishing is to calculate the percentage of malware incidents unleashed by successful phishing scams.

Responses to the survey question “What percent of all malware infections is caused by successful phishing scams?” come from Ponemon’s independent survey of IT security practitioners. The estimated range runs from less than 1% to more than 50%; the extrapolated average rate is 11%.

Drawing from the above analysis, Ponemon estimate the cost of malware containment as 11% of the previously calculated total cost of $1.9 million.

Cost of malware not contained

In this section, Ponemon estimate the cost of malware not contained at the device level to be $105.9 million. In other words, this cost occurs because malware evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. In this state Ponemon assume the malware becomes weaponized for attack.

Following are two attacks caused by weaponized malware:

  1. Data exfiltration (a.k.a. material data breach)
  2. Business disruptions

Ponemon determine a most likely cost using an expected cost framework, which is defined as:

Expected cost = Probable maximum loss (PML) x Likelihood of occurrence [over a 12-month period].

Respondents in Ponemon’s survey were asked to estimate the probable maximum loss (PML) resulting from a material data breach (i.e., exfiltration) caused by weaponized malware. Ponemon’s research shows the distribution of maximum losses ranging from less than $10 million to more than $500 million.

The extrapolated average PML resulting from data exfiltration is $105.9 million.

What is the likelihood of weaponized malware causing a material data breach? In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. According to the research the probability distribution ranges from less than 0.1% to more than 5%. The extrapolated average likelihood of occurrence is 1.9% over a 12-month period.

The cost of business disruption due to phishing is $66.9 million. Respondents were asked to estimate the PML resulting from business disruptions caused by weaponized malware. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The research shows the distribution of maximum losses ranging from less than $10 million to $500 million. The extrapolated average PML resulting from business disruptions is $66.9 million.

How likely are business disruptions due to weaponized malware? Respondents were asked to estimate the likelihood of material business disruptions caused by weaponized malware. The research shows the probability distribution ranging from less than 0.1% to more than 5%. The extrapolated average likelihood of occurrence is 1.6% over a 12-month period.

The table below shows the expected cost of malware attacks relating to data exfiltration ($2 million) and disruptions to IT and business processes ($1.1 million). The total amount of $3.1 million is adjusted for the 11% of malware attacks originating from phishing scams, which yields an estimated cost of $338,098 per annum.

Recap of the cost of malware not contained (calculus):
Probable maximum loss resulting from data exfiltration $105,900,000
Likelihood of occurrence over the next 12 months 1.90%
Expected value $2,012,100
Probable maximum loss resulting from business disruptions (including denial of services, damage to IT infrastructure and revenue losses) $66,345,000
Likelihood of occurrence over the next 12 months 1.60%
Expected value $1,061,520
Total cost of malware not contained $3,073,620
Percentage rate of malware infections caused by phishing scams 11%
Adjusted total cost attributable to phishing scams $338,098

Employees waste an average of 4.16 hours annually due to phishing scams. As previously discussed, the majority of costs (52%) are due to the decline in employee productivity as a result of being phished. In this section, Ponemon estimate the productivity losses associated with phishing scams experienced by employees during the workday. Drawing upon Ponemon’s survey research, Ponemon extrapolated the total hours spent each year by employees/users viewing and possibly responding to phishing emails.

The research shows the distribution of time wasted for the average employee (office worker) due to phishing scams. The range of response is less than 1 hour to more than 25 hours per employee each year.

What is the cost to respond to a credential compromise? In this section, Ponemon estimate the costs incurred by organizations to contain credential compromises that originated from a successful phishing attack, including the theft of cryptographic keys and certificates. Ponemon’s first step in this analysis is to estimate the total number of compromises expected to occur over the next 12 months. The range of responses includes zero to more than 10 incidents.

How likely will a material data breach occur if the credential compromise is not contained? Respondents were asked to estimate the likelihood of a material data breach caused by credential compromise. Ponemon’s research shows the probability distribution ranging from less than 0.1% to 5%. The extrapolated average likelihood of occurrence is 4% over a 12-month period.

In this section, Ponemon estimates the potential cost savings that result from employee education that provides actionable advice and raises awareness about phishing and other related topics. As a starting point to this analysis, Ponemon obtained six proof of concept studies completed for six large companies.

These reports provided detailed findings that show the phishing email click rate for employees both before and after training. Ponemon provides the actual improvements experienced by the companies, ranging from 26% to 99%. The average improvement for all six companies is 64%.

As a result of Wombat’s training on phishing, which includes mock attacks and follow-up with in-depth training, Ponemon estimate a high knowledge retention rate. Based on well-known research, training that focuses on actual practices should result in an average retention rate of approximately 75%. Applying this retention rate against the average improvement shown in the six proof of concept studies, Ponemon estimate a net long-term improvement in fighting phishing scams of 47.75%.

Proof of concept results (improvement %):
Company A 99%
Company B 72%
Company C 54%
Company D 26%
Company E 62%
Company F 69%
Average improvement 64%
Expected diminished learning retention over time (1-75%) 25%
Average net improvement 47.75%

The figures below provide a simple analysis of potential cost savings accruing to organizations that use an effective training approach to mitigating phishing scams. As shown before, Ponemon estimate a total cost of phishing for an average-sized organization at $3.77 million.

Assuming a net improvement of 47.75%, Ponemon estimate a cost savings of $1.80 million or $188.40 per employee/user. At a fee of $3.69 per employee/user, Ponemon determine a very substantial net benefit of $184.71 per user, or a one-year rate of return of 50X.

Calculating net benefit of Wombat training on phishing (calculus):
Total cost of phishing $3,768,820
Estimated cost savings assuming net improvement at 47.75% $1,799,612
Extrapolated headcount for the average-sized organization 9,552
Estimated cost savings per employee $188.40
Estimated fee of Wombat training per user $3.69
Estimated net benefit of Wombat training per user $184.71
Estimated one-year rate of return = Net benefit ÷ Fee 50X
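The cost-of-phishing calculus above (containment hours × loaded hourly rate × phishing share, expected cost = PML × 12-month likelihood, and the training net benefit) reproduced as an added Python example; this is not code from the post or from the Ponemon report. It uses the post's figures as constants, takes the business-disruption PML from the recap table ($66,345,000, the value that yields the stated $1,061,520 expected value; the prose quotes $66.9 million), and uses Decimal arithmetic so the dollar figures round exactly as the tables do.

```python
"""Cost-of-phishing calculus from the Ponemon/Wombat study, reproduced
from the figures quoted in the post (added example, not the report's code)."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

DOLLAR = Decimal("1")
CENT = Decimal("0.01")


def money(value: Decimal, unit: Decimal = DOLLAR) -> Decimal:
    """Round half-up to whole dollars (or cents), as the report's tables do."""
    return value.quantize(unit, rounding=ROUND_HALF_UP)


# Part 1: hours per year spent on the six malware-containment tasks (from the post).
CONTAINMENT_HOURS = {
    "Planning": 910,
    "Capturing intelligence": 3806,
    "Evaluating intelligence": 2844,
    "Investigating": 10338,
    "Cleaning & fixing": 11955,
    "Documenting": 671,
}
HOURLY_RATE = Decimal("62")        # fully loaded US IT security labour rate
PHISHING_SHARE = Decimal("0.11")   # share of malware infections caused by phishing


def containment_cost(hours: dict, rate: Decimal, phishing_share: Decimal) -> Decimal:
    """Containment cost attributable to phishing: total hours x rate x phishing share."""
    total_hours = sum(hours.values())   # 30,524 hours for the average-sized organization
    return money(total_hours * rate * phishing_share)


# Part 2: expected cost = probable maximum loss (PML) x likelihood over 12 months.
@dataclass(frozen=True)
class Scenario:
    name: str
    pml: Decimal          # probable maximum loss in dollars
    likelihood: Decimal   # probability of occurrence over the next 12 months

    def expected_cost(self) -> Decimal:
        return money(self.pml * self.likelihood)


SCENARIOS = (
    Scenario("data exfiltration", Decimal(105_900_000), Decimal("0.019")),
    Scenario("business disruption", Decimal(66_345_000), Decimal("0.016")),
)


def not_contained_cost(scenarios, phishing_share: Decimal) -> Decimal:
    """Expected cost of weaponized malware, adjusted to the share caused by phishing."""
    total = sum(s.expected_cost() for s in scenarios)   # $3,073,620 before adjustment
    return money(total * phishing_share)


# Training benefit: average click-rate improvement discounted for long-term retention.
POC_IMPROVEMENTS_PCT = (99, 72, 54, 26, 62, 69)   # companies A to F
RETENTION = Decimal("0.75")


def net_improvement_pct(improvements, retention: Decimal) -> Decimal:
    """Average improvement x retention; 63.67% x 75% gives the report's 47.75%."""
    return Decimal(sum(improvements)) * retention / len(improvements)


def training_benefit(total_phishing_cost: Decimal, net_improvement: Decimal,
                     headcount: int, fee_per_user: Decimal) -> dict:
    """Savings, per-employee savings, net benefit and one-year return on the fee."""
    savings = money(total_phishing_cost * net_improvement / 100)
    per_employee = money(savings / headcount, CENT)
    net_benefit = per_employee - fee_per_user
    return {
        "savings": savings,
        "per_employee": per_employee,
        "net_benefit": net_benefit,
        "return_multiple": money(net_benefit / fee_per_user),
    }


if __name__ == "__main__":
    print("Containment cost attributable to phishing:",
          containment_cost(CONTAINMENT_HOURS, HOURLY_RATE, PHISHING_SHARE))
    for scenario in SCENARIOS:
        print(f"Expected cost of {scenario.name}:", scenario.expected_cost())
    print("Cost of malware not contained (phishing share):",
          not_contained_cost(SCENARIOS, PHISHING_SHARE))
    improvement = net_improvement_pct(POC_IMPROVEMENTS_PCT, RETENTION)
    print("Net improvement from training (%):", improvement)
    print(training_benefit(Decimal(3_768_820), improvement, 9552, Decimal("3.69")))
```

Replacing the constants with an organization's own hours, rate, PML estimates and headcount gives the same calculus for that organization.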

Survey Shows Lack of Trust, Limited Visibility and Knowledge Gap between the Board and IT Security Professionals

There are significant gaps in cybersecurity knowledge, shared visibility and mutual trust between those who serve on organizations’ board of directors and IT security professionals. These gaps between those responsible for corporate and cyber governance and those responsible for the day-to-day defense against threats could have damaging impacts on organizations’ cybersecurity posture, leaving them more vulnerable to attack and breaches.

This data comes from a new survey, Defining the Gap: The Cybersecurity Governance Survey, conducted by the Ponemon Institute and commissioned by Fidelis Cybersecurity.

Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur. Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.

The survey asked more than 650 board members and IT security professionals (mainly CIOs, CTOs and CISOs) for their perspectives regarding board member knowledge and involvement in cybersecurity governance.

Key findings include:

Lack of Critical Cybersecurity Knowledge at the Top

76% of boards review or approve security strategy and incident response plans, but 41% of board members admitted they lacked expertise in cybersecurity. An additional 26% said they had minimal or no knowledge of cybersecurity, making it difficult, if not impossible, for them to understand whether the practices being discussed adequately address the unique risks faced by their organization. This renders their review of strategy and plans largely ineffective.

Limited Visibility into Breach Activity

59% of board members believe their organizations’ cybersecurity governance practices are very effective, while only 18% of IT security professionals believe the same. This large gap is likely the result of the board’s lack of information about threat activity. Although cybersecurity governance is on 65% of boards’ agendas, most members are remarkably unaware if their organizations had been breached in the recent past. Specifically, 54% of IT security professionals reported a breach involving the theft of high-value information such as intellectual property within the last two years, but only 23% of board members reported the same, with 18% unsure if their organizations were breached at all.

“As the breadth and severity of breaches continues to escalate, cybersecurity has increasingly become a board level issue,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “The data shows that board members are very aware of cybersecurity, but there is still a lot of uncertainty and confusion. Many lack knowledge not only about security issues and risks, but even about what has transpired within their own companies, which is shocking to me. Without an understanding of the issues, it’s impossible to reasonably evaluate if strategies and response plans are effectively addressing the problem.”

Absence of Trust Between Boards and IT Security Professionals

The board’s lack of knowledge has created a further divide. Nearly 60% of IT security professionals believe that the board does not understand the cybersecurity risks of the organization, compared to 70% of board members who believe that they do understand the risks.

“The gap in knowledge and limited visibility into breach activity means board members don’t have the information they need to make smart cybersecurity governance decisions, and IT security professionals don’t have the support, monetary or otherwise, to maintain a strong security posture,” said retired Brig. Gen. Jim Jaeger, chief cyber services strategist at Fidelis. “Board members don’t need to be cyber experts, but they should have a thorough knowledge of the risks their organization faces and be able to provide the support needed for the security teams to protect against those risks.”

Additional Key Findings Include:

  • Target breach was a watershed moment. 65% of board members and 67% of IT security professionals reported that the Target data breach had a significant impact on the board’s involvement in cybersecurity governance, while previous high-profile breaches were reported to have nominal or no impact.
  • The SEC will drive drastically increased board involvement. The Securities & Exchange Commission (SEC) Guidelines requiring the disclosure of material security information had a significant impact in boards’ involvement, according to 46% of board members and 44% of IT security professionals. However, only 5% of board members and 2% of IT security professionals say they followed the SEC guidelines and disclosed a material security breach to shareholders. Moving forward, 72% of board members believe the SEC will make the guidelines a mandate, and 81% believe that this will increase the board’s involvement in cybersecurity governance.

Most Healthcare Organisations Have Experienced A Data Breach

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data reveals that the majority of healthcare organizations represented in this study have experienced multiple security incidents and nearly all have faced a data breach. Despite the universal risk for data breach, the study found that many organizations lack the funds and resources to protect patient data and are unprepared to meet the changing cyber threat environment.

The 2015 study was expanded beyond healthcare organizations to include Business Associates.

Represented in this study are 90 covered entities (hereafter referred to as healthcare organizations) and 88 business associates (hereafter may be referred to as either business associates or BAs). A BA is a person or entity that performs services for a covered entity that involves the use or disclosure of protected health information (PHI), according to the U.S. Department of Health & Human Services. The inclusion of BAs provides a broader perspective of the healthcare industry as a whole and demonstrates the impact third parties have on the privacy and security of patient data. Respondents were surveyed about their privacy and security practices and experiences with data breaches, as well as their experiences with both electronic and paper security incidents.

Data breaches in healthcare continue to put patient data at risk and are costly. Based on the results of this study, they estimate that data breaches could be costing the industry $6 billion.

  • 90% of healthcare organizations represented in this study had a data breach
  • 40% had more than five data breaches over the past two years

According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million. No healthcare organization, regardless of size, is immune from data breach. The average cost of a data breach to BAs represented in this research is more than $1 million. Despite this, half of all organizations have little or no confidence in their ability to detect all patient data loss or theft.

For the first time, criminal attacks are the number one cause of data breaches in healthcare. Criminal attacks on healthcare organizations are up 125% compared to five years ago. In fact, 45% of healthcare organizations say the root cause of the data breach was a criminal attack and 12% say it was due to a malicious insider. In the case of BAs, 39% say a criminal attacker caused the breach and 10% say it was due to a malicious insider.

The percentage of criminal-based security incidents is even higher; for instance, web-borne malware attacks caused security incidents for 78% of healthcare organizations and 82% of BAs. Despite the changing threat environment, however, organizations are not changing their behaviour: only 40% of healthcare organizations and 35% of BAs are concerned about cyber attackers.

Security incidents are part of everyday business. 65% of healthcare organizations and 87% of BAs report their organizations experienced electronic information-based security incidents over the past two years.

  • 54% of healthcare organizations suffered paper-based security incidents
  • 41% of BAs had such an incident

However, many organizations do not have the budget and resources to protect both electronic and paper-based patient information. For instance, 56% of healthcare organizations and 59% of BAs don’t believe their incident response process has adequate funding and resources. In addition, the majority of both types of organizations fail to perform a risk assessment for security incidents, despite the federal mandate to do so.

Even though medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014, the harms to individuals affected by a breach are not being addressed. Many medical identity theft victims report they have spent an average of $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records.

Nearly two-thirds of both healthcare organizations and BAs do not offer any protection services for patients whose information has been breached.

Since 2010, this study has tracked privacy and security trends of patient data at healthcare organizations. Although the annual economic impact of a data breach has remained consistent over the past five years, the most-often reported root cause of a data breach is shifting from lost or stolen computing devices to criminal attacks. At the same time, employee negligence remains a top concern when it comes to exposing patient data. Even though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.

Key Findings

In this section, they provide a deeper analysis of the findings. They have organized this report according to the two following topics:

  • Privacy and security of patient data in healthcare organizations and business associates
  • Five-year trends in privacy and security practices in healthcare organizations

To respond quickly to data breaches, organizations need to invest more in technologies.

  • 58% of healthcare organizations agree that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft.
  • 49% agree they have sufficient technologies
  • 33% agree they have sufficient resources to prevent or quickly detect a data breach.
  • 53% of organizations have personnel with the necessary technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.

Background

  • Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  • A security incident is defined as a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information. A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.
  • This is based on multiplying $1,067,400 (50% of the average two year cost of a data breach experienced by the 90 healthcare organizations in this research) x 5,686 (the total number of registered US hospitals per the AHA).

Time to Identify Advanced Threats is 98 Days for Financial Services Firms and 197 Days for Retail

According to a Ponemon Institute survey sponsored by Arbor Networks, Financial Services and Retail organizations agree that advanced threats are the most serious security challenge facing their organizations. Despite the concern, both industries struggle to identify these attacks once they are inside their network.

Known as ‘dwell’ time, the time it takes to identify these attacks is:

  • 98 days for Financial Services firms
  • 197 days for Retail

Despite these results, 58% of Financial Services and 71% of Retail organizations said they are not optimistic about their ability to improve these results in the coming year. This is alarming considering the number of attacks targeting their networks. Within Financial Services, 83% experienced more than 50 attacks per month, while 44% of Retail firms did.

“The big takeaway from our research is that more investment is needed in both security operations staff and in security tools, which can help companies efficiently and accurately detect and respond to security incidents,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable.”

“It’s time to find a better balance between technology solutions, usability, workflow and the people who use them. As security vendors, we need to help our customers so they can adapt to this new cyber security reality that balances the threats with the people who fight them every day,” said Matthew Moynahan, president of Arbor Networks.

In the wake of high profile mega breaches, the Ponemon Institute surveyed Financial Services and Retail firms in North America and Europe, Middle East and Africa (EMEA) to better understand how they are dealing with attacks targeting their organizations. The survey asked how these organizations manage the explosion in advanced threats and distributed denial of service (DDoS) attacks targeting their infrastructure; how effective (or not) their IT investments are; and how they are adapting incident response procedures and integrating threat intelligence for better visibility, insight and context.

Key Findings Among Financial Services Firms

Advanced Threats

  • 71% view technologies that provide intelligence about networks and traffic as most promising at stopping or minimizing advanced threats during the seven phases of the Kill Chain
  • 45% have implemented incident response procedures
  • 43% have established threat sharing with other companies or government entities

DDoS Attacks

  • 55% consider DDoS attacks as an advanced threat
  • 48% ‘Strongly Agree’ or ‘Agree’ that they are effective in containing DDoS attacks
  • 45% have established threat sharing with other companies or government entities to minimize or contain the impact of DDoS attacks

Budgets & Staffing. Budgets are allocated:

  • 40% towards Technology
  • 37% to Staffing
  • 20% to Managed Services

Key Findings Among Retail Firms

Advanced Threats

  • 64% view technologies that provide intelligence about networks and traffic as most promising at stopping or minimizing advanced threats during the seven phases of the Kill Chain
  • 34% have implemented incident response procedures
  • 17% have established threat sharing with other companies or government entities

DDoS Attacks

  • 50% consider DDoS attacks as an advanced threat
  • 39% firms ‘Strongly Agree’ or ‘Agree’ that they are effective in containing DDoS attacks
  • 13% have established threat sharing with other companies or government entities to minimize or contain the impact of DDoS attacks

Budgets & Staffing. Budgets are allocated:

  • 34% towards Technology
  • 27% to Staffing
  • 34% to Managed Services

Mobile Insecurity as an Infographic

[Infographic: IBM Mobile Insecurity]

The costs of a cloud data breach revealed.

A summary of the “Data Breach: The Cloud Multiplier Effect” survey from Ponemon, sponsored by Netskope, is below.

The survey reveals how the risk of a data breach in the cloud is multiplying. This can be attributed to the proliferation of mobile and other devices with access to cloud resources and more dependency on cloud services without the support of a strengthened cloud security posture and visibility of end user practices.

Ponemon surveyed 613 IT and IT security practitioners in the United States who are familiar with their company’s usage of cloud services.

  • 51% say on-premise IT is equally or less secure than cloud-based services
  • 66% of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information
  • 64% believe it makes it difficult to secure business-critical applications

A lack of knowledge about the number of computing devices connected to the network and enterprise systems, software applications in the cloud and business critical applications used in the cloud workplace could be creating a cloud multiplier effect. Other uncertainties identified in this research include how much sensitive or confidential information is stored in the cloud.

For the first time, Ponemon attempt to quantify the potential scope of a data breach based on typical use of cloud services in the workplace, or what can be described as the cloud multiplier effect. The report describes nine scenarios involving the loss or theft of more than 100,000 customer records and a material breach involving the loss or theft of high value IP or business confidential information.

When asked to rate their organizations’ effectiveness in securing data and applications used in the cloud:

  • 51% of respondents say it is low
  • 26% rate the effectiveness as high
  • Based on their lack of confidence, 51% say the likelihood of a data breach increases due to the cloud

Key takeaways from this research include the following:

Cloud security is an oxymoron for many companies.

  • 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted before deployment
  • 69% believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud

Certain activities increase the cost of a breach when customer data is lost or stolen.

An increase in the backup and storage of sensitive and/or confidential customer information in the cloud can cause the most costly breaches. The second most costly occurs when one of the organization’s primary cloud service providers expands operations too quickly and experiences financial difficulties. The least costly is when the use of IaaS or cloud infrastructure services increases.

Certain activities increase the cost of a breach when high value IP and business confidential information is lost or stolen

Bring Your Own Cloud (BYOC) results in the most costly data breaches involving high value IP. The second most costly is an increase in the backup and storage of sensitive or confidential information in the cloud. The least costly occurs when one of the organization’s primary cloud providers fails an audit concerning its inability to securely manage identity and authentication processes.

Why is the likelihood of a data breach in the cloud increasing?

Ideally, the right security procedures and technologies need to be in place to ensure sensitive and confidential information is protected when using cloud resources. The majority of companies are circumventing important practices such as vetting the security practices of cloud service providers and conducting audits and assessment of the information stored in the cloud.

The findings also reveal that 55% do not believe that the IT security leader is responsible for ensuring the organization’s safe use of cloud computing resources. In other words, respondents believe their organizations are relying on functions outside security to protect data in the cloud.

  • 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted for security before deployment
  • 63% believe there is a lack of vigilance in conducting audits or assessments of cloud-based services
  • 69% of respondents believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud

There is a lack of confidence in the security practices of cloud providers

Respondents are critical of their cloud providers’ security practices. First, they do not believe they would be notified that the cloud provider lost their data in a timely manner. Second, they do not think the cloud provider has the necessary security technologies in place.

  • 72% of respondents do not agree their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information
  • 71% of respondents fear their cloud service provider would not notify their organization immediately if they had a data breach involving the loss or theft of customer data.
  • 69% of respondents do not agree that their organization’s cloud service providers use enabling security technologies to protect and secure sensitive and confidential information
  • 64% say these cloud service providers are not in full compliance with privacy and data protection regulations and laws

Lack of visibility of what’s in the cloud puts confidential and sensitive information at risk

The number of computing devices in the typical workplace is making it more difficult than ever to determine the extent of cloud use. According to estimates provided by respondents, an average of 25,180 computing devices such as desktops, laptops, tablets and smartphones are connected to their organization’s networks and/or enterprise systems.

Ponemon asked respondents to estimate the percentage of their organizations’ applications and information that is stored in the cloud. They were also asked to estimate the percentage of these applications and information that are not known, officially recognized or approved by the IT function (a.k.a. shadow IT).

30% of business information is stored in the cloud but of this, respondents estimate 35% is not visible to IT. This suggests that many organizations are at risk because they do not know what sensitive or confidential information such as IP is in the cloud.

What do employees do in the cloud?

  • 44% of employees in organizations use cloud-based services or apps in the workplace
  • 53% use their personally owned mobile devices (BYOD) in the workplace
  • 50% of these employees use their own devices to connect to cloud-based services or apps.

Do certain changes in an organization’s use of cloud services affect the likelihood of a data breach?

  • 17% say the use of cloud-based services significantly increases the likelihood of a data breach
  • 34% say it increases the likelihood of a data breach. Ponemon define a material data breach as one that involves the loss or theft of more than 100,000 customer records, or one that involves the theft of high value IP or business confidential information.

Calculating the economic impact of a data breach in the cloud.

Ponemon calculate what it might cost an organization to deal with a data breach in the cloud involving customer records. These calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following four steps:

  • First, drawing upon Ponemon Institute’s most recent cost of data breach study, Ponemon determine a cost of $201.18 per compromised record.
  • Second, based on a data breach size of 100,000 or more compromised records in the survey, and using the unit cost of $201.18 times 100,000 records, Ponemon calculate a total cost of $20,118,000
  • Third, from the survey results Ponemon extrapolate the average likelihood of a data breach involving 100,000 or more records at approximately 11.8% over a two-year period.
  • Fourth, multiplying the estimated likelihood or probability of a data breach at 11.8% times the total cost of $20,118,000, Ponemon calculate a baseline expected value of $2.37 million as the average of what an organization would have to spend if it had a data breach involving customer records lost or stolen in the cloud.

Ponemon calculate what it might cost an organization to deal with a data breach in the cloud involving high value IP. Once again, these calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following steps:

  • First, drawing upon Ponemon Institute’s IT security benchmark database consisting of 1,281 companies compiled over a 10-year period, Ponemon estimate an expected value of $11,788,000.
  • Second, based upon the estimates provided by respondents Ponemon extrapolate the likelihood of a data breach involving the theft of high value information at 25.4%.
  • Third, multiplying the estimated likelihood or probability of a data breach at 25.4% times the total cost of $11.788 million Ponemon calculate a baseline expected value of $2.99 million as the average economic impact for organizations in our study.
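The two calculations above follow the same expected-value pattern (probability of the breach times its total cost, with the customer-record cost itself built from a unit cost per record). The block below is an added example that reproduces both baselines from the figures quoted on the page and then expresses a scenario cost as a multiple of its baseline, which is the "cloud multiplier" idea the report is built around. It is not Ponemon's model or code; the class and function names are my own, and the only inputs are the numbers stated above ($201.18 per record, 100,000 records, 11.8%, $11,788,000, 25.4%, and the $5.38M / $4.93M scenario costs).

```python
"""Expected-value estimate of a cloud data breach, following the four-step
method summarised above. Added example; not Ponemon's own model or code.
Input figures are the ones quoted on the page; rounding to two decimals of a
million matches how the report states its baselines."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    """One breach scenario: how likely it is over the study period and what it costs if it happens."""
    name: str
    likelihood: float   # probability of the breach over the study's period (0..1)
    total_cost: float   # cost in USD if the breach occurs

    def expected_value(self) -> float:
        """Step four of the page's method: probability times total cost."""
        return self.likelihood * self.total_cost


def cost_from_records(cost_per_record: float, records: int) -> float:
    """Steps one and two: unit cost per compromised record times record count."""
    if cost_per_record < 0 or records < 0:
        raise ValueError("cost per record and record count must be non-negative")
    return cost_per_record * records


def to_millions(usd: float, digits: int = 2) -> float:
    """Express a USD figure in millions, rounded the way the report states it."""
    return round(usd / 1_000_000, digits)


# Scenario A: customer records (figures from the four-step list above).
CUSTOMER_RECORDS = BreachScenario(
    name="customer records lost or stolen in the cloud",
    likelihood=0.118,                                   # 11.8% over two years
    total_cost=cost_from_records(201.18, 100_000),      # $201.18 x 100,000 records
)

# Scenario B: high-value IP (total cost comes from the benchmark database, not per-record).
HIGH_VALUE_IP = BreachScenario(
    name="high value IP or business confidential information",
    likelihood=0.254,          # 25.4%
    total_cost=11_788_000,     # $11.788 million
)


def baseline_expected_values() -> dict:
    """Baseline expected cost in $ millions for each scenario on the page."""
    return {s.name: to_millions(s.expected_value()) for s in (CUSTOMER_RECORDS, HIGH_VALUE_IP)}


def cloud_multiplier(scenario_cost_usd: float, baseline_usd: float) -> float:
    """How many times the baseline a given scenario's expected cost is.

    E.g. the BYOC scenario ($5.38M) against the high-value-IP baseline ($2.99M).
    """
    if baseline_usd <= 0:
        raise ValueError("baseline must be positive")
    return round(scenario_cost_usd / baseline_usd, 2)


if __name__ == "__main__":
    for name, millions in baseline_expected_values().items():
        print(f"{name}: ${millions:.2f} million")
    base_ip = HIGH_VALUE_IP.expected_value()
    print("BYOC multiplier:", cloud_multiplier(5_380_000, base_ip))
    print("Cloud backup/storage multiplier:", cloud_multiplier(4_930_000, base_ip))
```

Running it gives the $2.37 million and $2.99 million baselines the page quotes, and shows the BYOC scenario at roughly 1.8 times the IP baseline. The useful design point is that the per-record unit cost, the breach size and the likelihood are separate inputs, so an organisation can substitute its own record counts and incident rates without changing the arithmetic.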

What can cost an organization the most when it has a data breach involving the loss or theft of IP? The most costly scenarios involve the growth in the number of employees using their own cloud apps in the workplace for sharing sensitive or confidential information (a.k.a. BYOC) and an increase in the backup and storage of IP or business confidential information in the cloud.

The average costs to deal with these two types of data breaches are $5.38 million and $4.93 million, respectively.

2014 Global Report on the Cost of Cyber Crime – a HP Ponemon Study.

The results of the HP Enterprise Security sponsored Ponemon 2014 Global Report on the Cost of Cyber Crime are summarised below.

During the period they conducted interviews and analysed the findings, mega cybercrimes took place. Most notable was the Target cyber breach, which was reported to result in the theft of 40 million payment cards.

More recently, Chinese hackers launched a cyber attack against Canada’s National Research Council as well as commercial entities in Pennsylvania, including Westinghouse Electric Company, U.S. Steel and the United Steel Workers Union. Russian hackers recently stole the largest collection of Internet credentials ever: 1.2 billion user names and passwords, plus 500 million email addresses. While the companies represented in this research did not have cyber attacks as devastating as these were, they did experience incidents that were expensive to resolve and disruptive to their operations.

For purposes of this study, they refer to cyber attacks as criminal activity conducted via the Internet. These attacks can include stealing an organisation’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.

The study’s goal is to quantify the economic impact of cyber attacks and observe cost trends over time. They believe a better understanding of the cost of cybercrime will assist organisations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.

Approximately 10 months of effort is required to recruit companies, build an activity-based cost model to analyse the data, collect source information and complete the analysis.

For consistency purposes, the benchmark sample consists of only larger sized organizations (i.e. more than 1,000 enterprise seats). The study examines the total costs organizations incur when responding to cybercrime incidents. These include the costs to detect, recover, investigate and manage the incident response. Also covered are the costs that result in after-the-fact activities and efforts to contain additional costs from business disruption and the loss of customers. These costs do not include the plethora of expenditures and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.

Global at a glance

This year’s annual study was conducted in the United States, United Kingdom, Germany, Australia, Japan, France and for the first time, the Russian Federation, with a total benchmark sample of 257 organizations. Country-specific results are presented in seven separate reports.

The study reports the estimated average cost of cybercrime for seven country samples involving 257 separate companies, with comparison to last year’s country averages. Cost figures are converted into U.S. dollars for comparative purposes.

There is significant variation in total cybercrime costs among participating companies in the benchmark samples. The US sample reports the highest total average cost at $12.7 million and the Russian sample reports the lowest total average cost at $3.3 million. It is also interesting to note that all six countries experienced a net increase in the cost of cybercrime over the past year, ranging from 2.7% for Japan to 22.7% for the United Kingdom. The percentage net change between FY 2014 and FY 2013 (excluding Russia) is 10.4%.

Summary of global findings

Following are the most salient findings for a sample of 257 organizations requiring 2,081 separate interviews to gather cybercrime cost results. In several places in this report, they compare the present findings to last year’s average of benchmark studies.

Cybercrimes continue to be on the rise for organizations. They found that the mean annualized cost for 257 benchmarked organizations is $7.6 million per year, with a range from $0.5 million to $61 million per company each year. Last year’s mean cost for 235 benchmarked organizations was $7.2 million. They observe a 10.4% net change from last year (excluding the Russian sample).

Cybercrime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, they determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,601 versus $437).

All industries fall victim to cybercrime, but to different degrees. The average annualized cost of cybercrime appears to vary by industry segment, where organizations in energy & utilities and financial services experience substantially higher cybercrime costs than organizations in media, life sciences and healthcare.

The most costly cybercrimes are those caused by malicious insiders, denial of services and web-based attacks. These account for more than 55% of all cybercrime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, applications security testing solutions and enterprise GRC solutions.

Cyber attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e. modern day attacks).

The average time to contain a cyber attack was 31 days, with an average cost to participating organizations of $639,462 during this 31-day period. This represents a 23% increase from last year’s estimated average cost of $509,665, which was based upon a 27-day remediation period. Results show that malicious insider attacks can take more than 58 days on average to contain.

Business disruption represents the highest external cost, followed by the costs associated with information loss. On an annualized basis, business disruption accounts for 38% of total external costs, which include costs associated with business process failures and lost employee productivity.

Detection is the most costly internal activity followed by recovery. On an annualized basis, detection and recovery costs combined account for 53% of the total internal activity cost with cash outlays and direct labour representing the majority of these costs.

Activities relating to IT security in the network layer receive the highest budget allocation. In contrast, the host layer receives the lowest funding level.

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $2.6 million when compared to companies not deploying security intelligence technologies.

A strong security posture moderates the cost of cyber attacks. They utilise Ponemon Institute’s proprietary metric called the Security Effectiveness Score (SES) Index to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber attack for organizations with a high SES is substantially lower than organizations with a low SES score.

Companies deploying security intelligence systems experienced a substantially higher ROI (at 23%) than all other technology categories presented. Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (20%) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds (19%).

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at $1.3 million for employing expert personnel and $1.1 million for achieving certification against industry-leading standards.

Key findings

In this section, we provide an analysis of the key findings organized according to the following topics:

  • The average cost of cybercrime by organizational size and industry
  • The type of attack influences the cost of cyber crime
  • An analysis of the cost components of cyber crime 

The average cost of cybercrime by organizational size and industry

To determine the average cost of cybercrime, the 257 organizations in the study were asked to report what they spent to deal with cybercrimes experienced over four consecutive weeks. Once costs over the four-week period were compiled and validated, these figures were then grossed-up to determine the annualized cost.

The total annualized cost of cybercrime in 2014 ranges from a low of $0.56 million to a high of $60.5 million. The median annualized cost of cybercrime in the benchmark sample is $6.0 million, an increase from last year’s median value of $5.5 million. The mean value is $7.6 million. This is an increase of $357,761 from last year’s mean of $7.2 million. Please note the percentage net change from last year’s mean for six countries is 10.4%.

As can be seen, 86 companies in our sample incurred total costs above the mean value of $7.6 million, thus indicating a skewed distribution. The highest cost estimate of $61 million was determined not to be an outlier based on additional analysis. A total of 171 organizations experienced an annualized total cost of cybercrime below the mean value.

As part of the analysis, they calculated a precision interval for the average cost of $7.6 million. The purpose of this interval is to demonstrate that the cost estimates should be thought of as a range of possible outcomes rather than a single point or number.

The range of possible cost estimates widens at increasingly higher levels of confidence. Specifically, at a 90% level of confidence they expect the range of cost to be between $7.2 million and $7.9 million.

Certain attacks are more costly based on organizational size. The study focuses on 9 different attack vectors as the source of the cybercrime. They compare smaller and larger-sized organizations based on the sample median of 8,509 seats. Smaller organizations (below the median) experience a higher proportion of cybercrime costs relating to web-based attacks, viruses, worms, Trojans and other malware.

In contrast, larger organizations (above the median) experience a higher proportion of costs relating to denial of services, malicious code and malicious insiders. In the context of this research, malicious insiders include employees, temporary employees, contractors and possibly other business partners. They also distinguish viruses from malware: viruses reside on the endpoint and have not yet infiltrated the network, whereas malware has infiltrated the network. Malicious code attacks the application layer and includes SQL attacks.

The cost of cybercrime impacts all industries. The average annualized cost of cybercrime appears to vary by industry segment. In this year’s study they compare cost averages for 17 different industry sectors. Companies in energy & utilities, financial services and technology experienced the highest annualized cost. In contrast, companies in media, life sciences and healthcare incurred much lower cost on average.

The type of cyber-attack influences the cost of cyber crime

In our studies they look at 9 different attack vectors as the source of the cybercrime. This year, the benchmark sample of 257 organizations experienced 429 discernible cyber-attacks or 1.6 attacks per company each week. The list below shows the number of successful attacks for the past three years, which has steadily increased.

  • FY 2014, 429 attacks in 257 organizations or 1.7 successful attacks per company each week
  • FY 2013, 343 attacks in 234 organizations or 1.4 successful attacks per company each week
  • FY 2012, 262 attacks in 199 organizations or 1.3 successful attacks per company each week

Virtually all organizations had attacks relating to viruses, worms and/or Trojans and malware over the four-week benchmark period. Malware attacks and malicious code attacks are inextricably linked. They classified malware attacks that successfully infiltrated the organizations’ networks or enterprise systems as a malicious code attack.

59% experienced botnets and 58% experienced web-based attacks. Denial of service attacks and stolen devices were experienced by 49% of companies. Only 35% of companies say a malicious insider was the source of the cybercrime.

Costs vary considerably by the type of cyber-attack. The benchmark results for seven countries show the proportion of annualized cost of cybercrime allocated to the 9 attack types, compiled from all benchmarked organizations.

With respect to web-based attacks, the percentage annualized costs seem to be fairly consistent, ranging from a low of 13% for Australia to 19% for Japan and Russia. For denial of services, they see a low of 8% for France and a high of 25% for the United Kingdom. In the case of malicious insiders, they see a low of 6% for Germany and a high of 21% for Japan. Finally, the cost of malware has a low of 6% for the US and Japan and a high of 17% for the Russian Federation.

The cost of cybercrime is also influenced by the frequency of attacks. The study ranks cyber-attacks from most to least expensive when analysed by the frequency of incidents. The most expensive attacks are malicious insiders, denial of service, web-based attacks and malicious code. Malware attacks are most frequently encountered and, hence, represent a relatively low unit cost.

Time to resolve or contain cybercrimes increases the cost. The mean number of days to resolve cyber attacks is 31, with an average cost of $20,758 per day, or a total cost of $639,462 over the 31-day remediation period. This represents a 23% increase from last year’s cost estimate of $509,665 over a 27-day remediation period. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e., modern day attacks).

Some attacks take longer to resolve and as a result are more costly. The time it takes to resolve the consequences of the attack increases the cost of a cybercrime. The analysis reports the average days to resolve cyber attacks for the 9 different attack types studied in this report. It is clear from this chart that it takes the most amount of time, on average, to resolve attacks from malicious insiders, malicious code and web-based attackers (hackers). Malware, botnets and viruses on average are resolved relatively quickly (i.e., in a few days or less).

An analysis of the cost components of cyber crime

Information theft remains the most expensive consequence of a cybercrime. In this research they look at four primary consequences of a cyber attack: business disruptions, the loss of information, loss of revenue and damage to equipment. Among the organizations represented in this study, business disruption represents the largest cost component (38%). The cost of business disruption includes diminished employee productivity and business process failures that happen after a cyber attack. Information and revenue loss follow at 35% and 22%, respectively.

Companies spend the most on detection and recovery. Cybercrime detection and recovery activities account for 53% of total internal activity cost. This is followed by containment and investigation cost (both at 15%). Detection and recovery cost elements highlight a significant cost-reduction opportunity for organizations that are able to systematically manage recovery and to deploy enabling security technologies to help facilitate the detection process.

The largest portion of the security budget is allocated to the network layer. The network layer receives the highest allocation at 33% of total dedicated IT security funding. At only 7%, the host layer receives the lowest funding level.

The organization’s security posture influences the cost of cybercrime. They measure the security posture of participating organizations as part of the benchmarking process, plotting the annualized cost of companies in descending order of their security effectiveness as measured by the SES, together with a regression line.

The figure shows an upward sloping regression, suggesting that companies with a stronger security posture experience a lower overall cost. The SES range of possible scores is +2 (most favourable) to -2 (least favourable). Compiled results for the present benchmark sample vary from a high of +1.90 to a low of -1.7, with an SES mean value of 0.31.

Organizations deploying security intelligence technologies realize a lower annualized cost of cybercrime. The study reports the average amount of money companies can save with SIEM across the 6 activities conducted to resolve the cyber attack, comparing companies deploying and not deploying security intelligence systems. In total, 124 companies (48%) deploy security intelligence tools such as SIEM, IPS with reputation feeds, network intelligence systems, big data analytics and others.

With two exceptions (investigative and incident management costs), companies using security intelligence systems experience lower activity costs than companies that do not use these technologies. The largest cost differences in millions pertain to detection ($2.83 vs. $1.63), recovery ($1.77 vs. $1.13) and containment ($1.59 vs. $0.94) activities, respectively.

Security intelligence systems have the biggest return on investment. The study estimates the return on investment (ROI) realized by companies for each of the 7 categories of enabling security technologies indicated above. At 23%, companies deploying security intelligence systems, on average, experience a substantially higher ROI than all other technology categories in this study.

Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (20%) and advanced perimeter controls such as UTM, NGFW, IPS with reputation feeds and more (19%). The estimated average ROI for all 7 categories of enabling security technologies is 15%.

Certain governance activities can reduce the cost of cybercrime. The top three governance activities are: certification against industry-leading standards, appointment of a high-level security leader (CISO) and employment of expert security personnel.

Find the full study here.

Is the concern for data protection making half of all employees less productive?

In 2010, the Visual Data Breach Risk Assessment Study revealed that two out of three working professionals are displaying sensitive information on their mobile devices, such as social security numbers, credit card numbers and other non-regulated but sensitive company information, when outside the office. This points to the insight that in certain circumstances people value productivity over data protection when working. However, in circumstances when an individual values data protection, is the company potentially losing productivity due to visual privacy concerns?

The 2013 Visual Privacy Productivity Study, conducted by The Ponemon Institute, revealed that companies can lose more than data as remote working increases, with 50% of employees answering that they are less productive when their visual privacy is at risk in public places.

The Visual Privacy Productivity Study showed that employees are forced to either trade off working and risking private data being overlooked by nosy neighbours, or stop working altogether. Based on these findings, lost productivity due to employee visual privacy concerns is potentially costing a US business organisation with more than 7,500 people over $1 million per year.

“While many companies realise that snooping and visual privacy presents a potential data security issue, there has been little research regarding how the lack of visual privacy impacts a business’ bottom line,” says Larry Ponemon, Chairman and Founder of The Ponemon Institute. “As workers become more mobile and continue to work in settings where there is the potential for visual privacy concerns, companies need to find solutions to address productivity as it relates to computer visual privacy in addition to dealing with the fundamental security issues of mobile devices.”

The study surveyed 274 US individuals from 5 organisations in a variety of sectors. More than half stated that their visual privacy had been violated whilst travelling or in other public places such as cafes, airports and hotels, and two out of three admitted to exposing sensitive data on mobile devices whilst outside the workplace. When asked how their organisation handles the protection of sensitive information in a public location, 47% did not think any importance was put on this and that no adequate policies were in place.

Other interesting findings include:

  • Employees are 50% less productive when their visual privacy is at risk and lost productivity costs an organisation approximately £350 per employee per year
  • Visual privacy impacts on transparency as users that value privacy are less likely to enter information on an unprotected screen.
  • Women value privacy more (61%) than men (50%), and women’s productivity is more positively impacted than men’s when the screen is protected with a privacy filter.
  • Older employees value privacy more, with 61% of over 35s compared to 51% of under 35s placing importance on privacy.

“Productivity loss is a major discovery in this survey and will hopefully encourage companies across all sectors to consider employee working practices and behaviours,” said Rob Green, Marketing Executive at 3M’s Speciality Display & Projection Division.

According to the survey, the devices used for work-related activities were:

  • Smartphone 65%
  • Laptop computer 65%
  • Desktop computer 45%
  • Tablet computer 29%
  • Netbook computer 14%
  • Other 2%

The 2010 Visual Data Breach Risk Assessment survey revealed that visual privacy on computer screens was an under-addressed area in corporate policy. Seventy percent of working professionals said their organization had no explicit policy on working in public places and 79% said that their company had no policy on the use of computer privacy filters.

The 2012 Visual Privacy Productivity Study reinforced these findings:

  • 47% of those surveyed saying they were unsure or did not think their company placed an importance on protecting sensitive information displayed on a screen in public places
  • 58% were unsure or did not think other employees were careful about protecting sensitive information on computer or mobile device screens in public places. Corporate policy and education on that policy continues to be areas for improvement as it relates to visual privacy.

The full study is very informative about how the sponsor’s (3M) privacy filters can improve productivity and reduce risk and can be read here.


Schools are concerned about cloud security

SafeGov.org and the Ponemon Institute have released the results of a survey of UK schools designed to measure the views of school staff on the rapidly rising use of cloud services in the education sector and the potential risks to student privacy.

The study focused on cloud versions of email and document collaboration tools:

  • a majority of schools expect to migrate to such services in the near future
  • 81% of respondents object strongly to the mining of student emails, web browsing and online behaviour for profit by cloud providers
  • 84% say providers should never profile students
  • 70% say that even the option to turn on ad serving, or the delivery of advertisements to users online, should be completely removed from school-provided cloud services

The findings also show that schools are increasingly looking to move to cloud services because they expect them to bring significant educational and social benefits to students, as well as being cheaper and easier to manage.

SafeGov.org commissioned the Ponemon Institute to conduct the survey of senior staff and IT practitioners in primary and secondary schools and related administrative organisations in the UK. Respondents were asked to describe their schools’ current and expected use of cloud-based services such as email and document collaboration, and to give their views about student online privacy and cloud provider business models based on data mining for profit.

Key findings of the research include the following:

  • Schools believe cloud services will offer many benefits, helping students to acquire skills needed for employment (78%), thrive in modern society (63%), and obtain better results on national exams (51%)
  • Cloud deployment in UK schools is growing rapidly: 68% of respondents expect to provide cloud email or document creation in the foreseeable future, while 25% already provide such services to their students
  • Schools recognise that cloud services have a dark side: 74% see threats to student privacy as the top risk of cloud, followed by security breaches (70%)
  • But the vast majority reject for-profit data mining of student information: 84% say cloud providers should never profile students for profit, while 70% say ad serving should never be an option
  • Some schools admit to a conflict of interest regarding student privacy, but want to give parents the tools to protect their children: 47% say they might be tempted to trade student privacy for lower costs, but 44% also say parents should have the right to opt-out of data mining for their children

“We’re very impressed and pleased to find that UK schools are rapidly adopting cloud services and see significant educational and social benefits in doing so, as well as cost savings,” said Jeff Gould, President of SafeGov.org. “But our study also shows that UK schools clearly recognise the dark side of cloud computing, especially when cloud providers are allowed to data mine student emails and documents in order to create profiles that can be used for ad serving and other commercial purposes. As the migration to cloud services continues, UK schools, local councils and education authorities as well as the Department for Education at the national level need to develop concrete measures to ensure that strong privacy protections for students and school staff are put in place. Above all, we call on parents to recognise the risks to their children and to take action to ensure that the authorities adopt the proper response.”

Larry Ponemon, chairman and founder, Ponemon Institute, added:

“These results demonstrate significant potential for cloud services in UK schools, with IT administrators contemplating deployments in the immediate to near future, but at the same time overwhelming concerns regarding mining of student data for commercial use. The numbers indicate that these practices must be tackled before the full benefits of cloud computing can be realised.”

  • Most schools already provide email to staff (85%) and students (59%)
  • 25% already offer students cloud email
  • 61% of schools that don’t yet provide email expect to offer cloud email in the foreseeable future

Schools believe cloud tools will help students improve skills, thrive in modern society and obtain better exam results

But schools also see a dark side in Cloud: Data Mining

Schools overwhelmingly recognise that data mining for profit by cloud providers is a threat to student privacy and strongly object to the practice. But some schools admit they are tempted to trade student privacy for lower costs. A solution to this conflict of interest is to let parents opt-out of cloud data mining for their children.

Schools believe cloud email will be easier to manage and cheaper, but not necessarily safer or more secure

  • Schools see threats to student privacy as top risk of cloud (74%), followed by security breaches (70%)
  • Vast majority of schools (81%) object to cloud providers that data mine student online behaviour (i.e. analyse emails or track web browsing) for profit
  • 84% of schools say cloud providers should never profile students for profit, 70% say ads should not be an option
  • Conflict of interest? 47% of schools admit they might trade student privacy for lower costs, but 44% also say parents should have right to opt-out for children


76% of companies have had a data breach or expect to have a breach

Experian Data Breach Resolution and the Ponemon Institute have released a study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident.

The report, “Is Your Company Ready for a Big Data Breach?” examines the consequences of data breach incidents and the steps taken to lessen future damage.

Respondents include senior privacy and compliance professionals of organisations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.

“A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions.”

The study’s key findings include:

Companies experience and anticipate harm due to breaches

Companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.

  • 76% of privacy professionals say their organisation already had or expects to have a material data breach that results in the loss of customers and business partners.
  • 75% say they have had or expect to have such an incident that results in negative public opinion and media coverage.
  • 66% of companies have or believe they will suffer serious financial consequences as a result of an incident.

Despite consequences, incident response remains a challenge

Companies struggle to properly handle potential damage due to a data breach and implement technologies to help prevent future incidents, even after suffering an incident.

  • Despite experiencing a breach, not all companies prepare for a future breach.
  • 39% of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.
  • 10% of organizations have data breach or cyber insurance.
  • A majority of organisations surveyed do not provide clear communication and notification to victims following an incident.
  • 21% of respondents have communications teams trained to assist in responding to victims.
  • 30% of respondents say their organisations train customer service personnel on how to respond to questions about the data breach incident.
  • 65% also lack mechanisms to verify that contact with each victim was completed, and only 38% have mechanisms for working with victims with special circumstances.
  • The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident.
  • Encryption is not widely deployed: Less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.
  • Forensics is lacking. Many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.
  • Only 36% have the tools or technologies to assess the size and impact of a data breach.
  • 19% have advanced forensics to determine the nature and root causes of cyberattacks.
  • 25% have the ability to ensure the root cause of the data breach was fully contained.

“The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, Chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach.”


The growing threat of insider fraud not a top security priority for organizations

An Attachmate-sponsored Ponemon survey indicates that the growing threat of insider fraud is not a top security priority for organisations, which is proving to be a costly mistake.

On average, organisations experience approximately one fraud event per week, according to information from the second annual Attachmate and Ponemon Institute survey, “The Risk of Insider Fraud”.

However, only 44% of respondents say their organisation views insider fraud prevention as a top security priority, a perception which has declined since 2011.

The average cost of a data breach in a 2011 study was $194 per lost or stolen record

The survey reveals some alarming data security trends:

  • On average, it takes 87 days to first recognize that insider fraud has occurred and more than three months (105 days) to get at the root cause of the fraud.
  • 79% of respondents say that in their organization a privileged user has or is very likely to alter application controls to access or change sensitive information and then reset the controls.
  • For 73% of respondents, an employee’s malfeasance has caused financial loss and possibly brand damage.
  • 81% say they already had an employee use someone else’s credentials to gain elevated rights or to bypass separation-of-duty control
  • 48% of respondents say that BYOD has resulted in a significant increase in fraud risk
  • 77% of respondents say the lack of security protocols over edge devices presents a significant security challenge and risk

“This data demonstrates the invisibility of employee actions across an enterprise,” said Larry Ponemon, chairman and founder of Ponemon Institute. “While organizations may have policies and procedures to thwart insider fraud, it doesn’t mean employees will remain compliant, particularly with the rise of Bring Your Own Device (BYOD) practices.”

“Data security and insider threats continue to be a challenge for organizations, particularly as BYOD brings complexity to enterprise risk management,” said Christine Meyers, director of Attachmate’s enterprise fraud management solutions. “Next-generation enterprise fraud management solutions, such as Attachmate Luminet, are able to correlate cross-channel activity, score risk and provide a screen-by-screen replay of what actually occurred. Add to that the proven deterrence factor that arises from being able to see and monitor use and abuse, and you can see why customers choose to deploy this technology for fraud detection.”

Fraud statistics

  • On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months
  • More than one-third say that employees’ use of personally owned mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems, and another 26% say it is very likely to occur
  • 61% rate the threat of insider risk within their organization as very high or high
  • 23% say insider fraud incidents existed six months or longer before being discovered and 9% could not determine when they occurred.
  • 55% of organizations say their organization does not have the ability/intelligence to determine if the off site employee’s non-compliance is due to negligence or fraud

Threats from BYOD, Mobility & Edge Devices

For the first time the study asks questions about the effect Bring Your Own Device (BYOD), mobility and edge devices have on the risk of insider fraud. We define BYOD as the employees’ use of their personally owned mobile devices (typically smart phones, tablets and laptops) for both work and non-work activities.

An edge device is a physical device that can pass packets between a legacy network (like an Ethernet network) and an ATM network, using data link layer and network layer information. An edge device does not have responsibility for gathering network routing information. It simply uses the routing information it finds in the network layer using the route distribution protocol. An edge router is an example of an edge device.

Edge devices and BYOD make it difficult to identify insider fraud

58% agree that BYOD makes it more difficult for the security or compliance department to have complete visibility of employees’ access and computing activities. The majority of respondents (78%) do not agree that employees’ access and possible misuse of edge devices is completely visible to the security or compliance department (100% – 32% of strongly agree/agree responses).

The study defined insider fraud as the malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors. Typically, the objective of such attacks is the theft of financial or information assets, which include customer data, trade secrets and intellectual properties. Sometimes, the most dangerous insiders are those who possess strong IT skills or have access to an organization’s critical applications and data.

“With this research, we want to reiterate that organizations are not immune,” said Meyers. “The threat of insider fraud is a growing risk that can result in tangible financial loss to businesses. And the longer an organization takes to address it, the more costly it can become.”

The insider fraud survey includes results from more than 700 individuals at leading global organisations.


Survey reveals companies are taking risks whilst outsourcing consumer data

Experian Data Breach Resolution and the Ponemon Institute survey results identify opportunity for improved data oversight.

The study, “Securing Outsourced Consumer Data”, reveals that many organizations (46%) do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.

The survey covered almost 750 individuals in organisations that transfer consumer data to third-party vendors. Its aim was to increase understanding of data breach frequency when consumer data is outsourced, to determine what steps are taken to ensure vendors’ data stewardship, and to evaluate privacy and security practices between companies and outsource vendors.

“Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.”

When sharing sensitive and confidential consumer information, 49% said that they do not monitor or are unsure whether their organization monitors vendor security and privacy practices.

Additional key findings from the survey include:

  • 56% of respondents acknowledged incidents when their organizations did not act on a vendor’s data breach
  • Outsourcing consumer information demands oversight: survey results indicate that organisations that transfer or share consumer data with vendors experience data breaches more often than not
  • 65% of respondents said their organization had a data breach involving the loss or theft of their organization’s information
  • 64% of respondents reported their organization has experienced more than one data breach
  • Training is essential to protect against data breaches. Causes for data breaches can be reduced significantly through enforcement of policies and effective training
  • 45% of respondents reported negligence as the root cause of third-party data breaches
  • 40% of data breaches were the result of lost or stolen devices
  • Security and control procedures need improvement
  • 56% said their organization learned about a data breach accidentally
  • Only 27% said the organization’s security and control procedures uncovered the incident
  • 23% said the vendor’s security and control procedures alerted the organization to a breach

“It is imperative that businesses and organizations place a priority on evaluating a vendor’s ability to secure sensitive data,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.


What happens after a data breach?

A report by Solera Networks and Ponemon reveals rise in security breaches, with organisations taking months to detect and contain them.

The Ponemon report “The Post Breach Boom”, commissioned by Solera Networks, polled 3,529 IT and IT security professionals in eight countries to understand the steps they are taking in the aftermath of malicious and non-malicious data breaches over the past 24 months.

Highlights of the research include:

Data breaches are on the rise and organizations are unprepared to detect them or resolve them:

  • 54% of respondents said data breaches have increased in severity
  • 52% said the frequency had increased

Additionally

  • 63% say that knowing the root causes of breaches strengthens their organization’s security posture
  • 40% say they have the tools, personnel and funding to pinpoint the root causes
  • Breaches remain undiscovered and unresolved for months. On average, it is taking companies nearly three months (80 days) to discover a malicious breach and then more than four months (123 days) to resolve it.
  • Security defences are not preventing a large portion of breaches. One third of malicious breaches are not being caught by any of the companies’ defences; they are instead discovered when companies are notified by a third party (law enforcement, a partner, a customer or another party) or discovered by accident.
  • 34% of non-malicious breaches are discovered accidentally
  • Malicious breaches are targeting key information assets within the organization. 42% of malicious breaches targeted applications
  • 36% targeted user accounts

Details of Impact and the cost of breaches from the report

  • On average, malicious breaches cost $840,000, significantly more costly than non-malicious data breaches at $470,000.
  • The average cost of a data breach per compromised record is $194
  • However, if the root cause is the result of a malicious insider or attack the average per record cost climbs to $222
  • While breaches attributed to a negligent insider averages far less at $174 per compromised record

For non-malicious breaches, lost reputation, brand value and image were reported as the most serious consequences by participants. For malicious breaches, organizations suffered lost time and productivity followed by loss of reputation.

Following a malicious breach, organizations more often invested in enabling security technologies (65% vs. 42% of respondents). They also more often made changes to their operations and compliance processes to better prevent and detect future breaches (63% vs. 54%).

Endpoint security and encryption tools were the most popular following a non-malicious breach and SIEM and encryption tools were most frequently purchased following a malicious breach. Breaches drive increased spending on data security, according to 61% of respondents. The average increase is 20%.

52% of respondents say the breach resulted in an increase in spending on forensic capabilities. Among those organizations that spent more the increase was an average of 33%. This represents 13% more than the increase in data security funding.

“Security breaches continue to occupy the headlines on a daily basis, making it clear that there is still much work to be done before companies are prepared for the inevitability of today’s advanced targeted attacks,” said John Vecchi, vice president of marketing, Solera Networks. “In a post-prevention world, organizations must shift their focus toward attaining the real-time visibility, context and big data security analytics needed to see, detect, eradicate and respond to advanced malware and zero-day attacks.”

“Our study confirms that organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Meanwhile, months are passing as their key information assets are left exposed. The results demonstrate a clear need for greater and faster visibility as well as a need to know the root cause of the breaches themselves in order to close this persistent window of exposure.”


Big Data Analytics can improve IT Security defences

A new study by the Ponemon Institute, Big Data Analytics in Cyber Defense, confirms that Big Data analytics offers substantial benefits to organisations but adoption is very slow.

The report commissioned by Teradata Corporation contains some interesting results:

  • Cyber-attacks are getting worse but only 20% say their organizations are more effective at stopping them.
  • The greatest areas of cyber security risk are caused by mobility, lack of visibility and multiple global interconnected network systems.
  • 56% are aware of the technologies that provide big data analytics and 61% say they will solve pressing security issues, but only 35% have them. The 61% say big data analytics is in their future.
  • 42% of organizations are vigilant in preventing anomalous and potentially malicious traffic from entering networks or detecting such traffic (49%) in their networks.
  • Big data analytics with security technologies ensure a stronger cyber defense.
  • 82% would like big data analytics combined with anti-virus/anti-malware
  • 80% say anti-DoS/DDoS would make their organizations more secure.

“While data growth and complexity are explosive factors in cyber defense, new big data tools and data management techniques are emerging that can efficiently handle the volume and complexity of IP network data,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, a research “think tank” dedicated to advancing privacy and data protection practices. “These new database analytic tools can bring more power and precision to an enterprise cyber defense strategy, and will help organizations rise to meet the demands of complex and large-scale analytic and data environments.”


Many organisations struggle with in-house technology and skill sets

  • 35% say they have big data solutions in place today
  • 51% say they have the in-house analytic personnel or expertise

Big data analytics can bridge the existing gap between technology and people in cyber defense through big data tools and techniques which capture, process and refine network activity data and apply algorithms for near-real-time review of every network node. A benefit of big data analytics in cyber defense is the ability to more easily recognize patterns of activity that represent network threats for faster response to anomalous activity.

“The Ponemon study is a wakeup call,” said Sam Harris, Director of Enterprise Risk Management, Teradata. “Enterprises must act immediately to add big data capabilities to their cyber defense programs to close the gap between intrusion, detection, compromise and containment. When multi-structured data from many sources is exploited, organizations gain a very effective weapon against cyber-crimes.”

Harris said that in the cyber security realm, effective defense means managing and analyzing unimaginable volumes of network transaction data in near real time. “Many security teams have realized that it is no small feat to quickly sift through all of their network data to identify the 0.1% of data indicating anomalous behavior and potential network threats. Cyber security and network visibility have become a big data problem. Organizations entrusted with personal, sensitive and consequential data need to effectively augment their security systems now or they are putting their companies, clients, customers and citizens at risk.”


How Employees are Putting Your Intellectual Property at Risk

“What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk” is a white paper produced by the Ponemon Institute on behalf of Symantec.

The paper reviews the way employees perceive corporate data, and their mindset and motivations for copying data and Intellectual Property.

Key Findings

  • Employees are moving IP outside the company in all directions
  • When employees change jobs, sensitive business documents often travel with them
  • Employees are not aware they are putting themselves and their companies at risk
  • They attribute ownership of IP to the person who created it
  • Organizations are failing to create a culture of security

Impact on Organizations

According to Ponemon Institute, employees are moving IP outside the company in all directions

  • Over half admit to emailing business documents from their workplace to their personal email accounts
  • 41% say they do it at least once a week
  • 44% also say they download IP to their personally owned tablets or smartphones, leaving confidential information even more vulnerable as it leaves corporate-owned devices

The data loss continues through employees sharing confidential information in the cloud

  • 37% use file-sharing apps (such as Dropbox or Google Docs) without permission from their employer
  • Worse, the sensitive data is rarely cleaned up; the majority of employees put these files at further risk because they don’t take steps to delete the data after transferring it.

When employees change jobs, sensitive business documents often travel with them. In most cases, the employee is not a malicious insider, but merely negligent or careless about securing IP. However, the consequences remain. The IP theft occurs when an employee takes any confidential information from a former employer:

  • Half of the survey respondents say they have taken information
  • 40% say they will use it in their new jobs

This means precious intelligence is also falling into the hands of competitors, causing damage to the losing company and adding risk to the unwitting receiving company.

Understanding Employee Attitudes about IP Theft

The attitudes that emerged from the survey suggest that employees are not aware that they are putting themselves and their employers at risk when they freely share information across multiple media. Most employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud file-sharing apps is wrong. A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company. Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data.

To shed further insight, over half do not believe that using competitive data taken from a previous employer is a crime. Employees attribute ownership of IP to the person who created it. When given the scenario of a software developer who re-uses source code that he or she created for another company, 42% do not believe it is wrong and think that a person should have an ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today’s knowledge workers as unaware that intellectual property belongs to the organization.

Recommendations from the paper

Given these findings, what can companies do to minimize risk? We suggest that companies take a multi-pronged approach:

  • Educate employees. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness is critical, so companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do’s and don’ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employer to your company.
  • Enforce non-disclosure agreements (NDAs). Review existing employment agreements to ensure that they use strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include and describe, in checklist form, an overt description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee’s responsibility to safeguard sensitive and confidential information.
  • Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it’s leaving. Deploy data loss prevention software to notify managers and employees in real time when sensitive information is inappropriately sent, copied, or otherwise exposed. Implement a data protection policy that monitors inappropriate access/use of IP and notifies employees of violations, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.


Top 20 Most Trusted Companies for Privacy – 2012

Ponemon has released its list of the Top 20 most trusted companies for privacy and how they ranked in 2012 and 2011.

Top 20 Most Trusted Companies for Privacy (2012 Rank, 2011 Rank):

  1. American Express (1, 1)
  2. Hewlett Packard (2, 2)
  3. Amazon (3, 5)
  4. IBM (4, 3) / US Postal Service (4, 6)
  5. Procter & Gamble (6, 6)
  6. USAA (7, 11)
  7. Nationwide (8, 8)
  8. eBay (9, 4)
  9. Intuit (10, 10)
  10. Verizon (11, 12)
  11. Johnson & Johnson (12, 7) / FedEx (12, 15)
  12. WebMD (13, 9)
  13. Weight Watchers (14, 17)
  14. U.S. Bank (15, 16)
  15. Disney (16, 13)
  16. Microsoft (17, NR)
  17. United Healthcare (18, NR)
  18. VISA (18, 16)
  19. AT&T (19, 19)
  20. Mozilla (20, NR)

*NR = Not rated in the stated year

The full article is here.


The average cost of a data breach is $8.9m in the US and £2.1m in the UK

Ponemon has published the results of its 2012 Cost of Cyber Crime Study for the United States, United Kingdom, Germany, Australia and Japan. For the purposes of this post I have summarised the United States and the United Kingdom.

The study, sponsored by HP Enterprise Security, focused on organizations located in the United States and the United Kingdom, many of which are multinational corporations.

Cyber-attacks generally refer to criminal activity conducted via the Internet. These attacks can include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure. Consistent with the previous two studies, the loss or misuse of information is the most significant consequence of a cyber-attack. Based on these findings, organizations need to be more vigilant in protecting their most sensitive and confidential information. 

  • The median annualised cost for 38 UK benchmarked organisations is £2.1 million per year, with a range from £0.4 million to £7.7 million each year per company.
  • The median annualized cost for 56 US benchmarked organizations is $8.9 million per year, with a range from $1.4 million to $46 million each year per company.

UK Summary

Cybercrimes are costly. The study found that the median annualised cost for 38 benchmarked organisations is £2.1 million per year, with a range from £0.4 million to £7.7 million each year per company.

Cybercrime cost varies by organisational size. Results reveal a positive relationship between organisational size (as measured by enterprise seats) and annualised cost. However, based on enterprise seats, Ponemon determined that smaller-sized organisations incur a significantly higher per capita cost than larger-sized organisations (£399 versus £89). 

All industries fall victim to cybercrime, but to different degrees. The average annualised cost of cybercrime appears to vary by industry segment, where defence, utilities and energy and financial service companies experience higher costs than organisations in hospitality, retail and education. 

Cybercrimes are intrusive and common occurrences. The companies participating in our study experienced 41 successful attacks per week, or about 1.1 successful attacks per organisation. 

The most costly cybercrimes are those caused by malicious insiders, denial of service and malicious code. These account for more than 44% of all cybercrime costs per organisation on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions.

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organisational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organisations of £135,744 over this 24-day period. Results show that malicious insider attacks can take more than 50 days on average to contain. 

Disruption to business processes and revenue losses represent the highest external costs, followed by theft of information assets. On an annualised basis, disruption to business or lost productivity accounts for 38% of external costs. Costs associated with revenue losses and theft of information assets represent 53% of external costs.

Recovery and detection are the most costly internal activities. On an annualised basis, recovery and detection combined account for 55% of the total internal activity cost with cash outlays and labour representing the majority of these costs. 

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of £0.4 million when compared to companies not deploying security intelligence technologies.

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that have adequate resources, appoint a high-level security leader, and employ certified or expert staff experience cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at more than £0.3 million, on average.

A strong security posture moderates the cost of cyber-attacks. Ponemon uses a well-known metric called the Security Effectiveness Score (SES) to define an organisation’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organisation is in achieving its security objectives. The average cost to mitigate a cyber-attack for organisations with a high SES is substantially lower than that for organisations with a low SES.

Summary of US findings

Cybercrimes continue to be very costly for organizations. Ponemon found that the median annualized cost for 56 benchmarked organizations is $8.9 million per year, with a range from $1.4 million to $46 million each year per company. Last year’s median cost per benchmarked organization was $8.4 million. Ponemon observes a $500,000 (6%) increase in median values.

Cybercrime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, Ponemon determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,324 versus $305). 

All industries fall victim to cybercrime, but to different degrees. The average annualized cost of cybercrime appears to vary by industry segment, where defence, utilities and energy and financial service companies experience higher costs than organizations in retail, hospitality and consumer products. 

Cybercrimes are intrusive and common occurrences. The companies participating in our study experienced 102 successful attacks per week – or 1.8 successful attacks per organization. In last year’s study, an average of 72 successful attacks occurred per week. 

The most costly cybercrimes are those caused by denial of service, malicious insiders and web-based attacks. These account for more than 58% of all cybercrime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions.

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organizations of $591,780 during this 24-day period. This represents a 42% increase from last year’s estimated average cost of $415,748, which was based upon an 18-day resolution period. Results show that malicious insider attacks can take more than 50 days on average to contain. 

Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 44% of total external costs (up 4% from 2011). Costs associated with disruption to business or lost productivity account for 30% of external costs (up 1% from 2011). 

Recovery and detection are the most costly internal activities. On an annualized basis, recovery and detection combined account for 47% of the total internal activity cost with cash outlays and labour representing the majority of these costs. 

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of $1.6 million when compared to companies not deploying security intelligence technologies. 

A strong security posture moderates the cost of cyber-attacks. Ponemon uses a well-known metric called the Security Effectiveness Score (SES) to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber-attack for organizations with a high SES is substantially lower than that for organizations with a low SES.

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at more than $1 million, on average. 

The UK report is here (registration is required).

The US report is here (registration is required).


Almost 50% of organizations report 10 or more significant data breaches a year

Ponemon has revealed the results of a Co3 Systems sponsored survey into data loss management. Ponemon Institute polled more than 100 influencers in the privacy and data protection community across the US.

Key findings of the survey were:

  • Almost 50% of organizations experience ten or more data loss incidents annually that meet the legal criteria requiring tracking and reporting.
  • More than 60% of the organisations surveyed employ manual, repetitive and time-intensive processes to manage these incidents across tasks like notifying customers and informing regulators.

“Not only have the number of data breaches reached epidemic proportions, but organizations are hemorrhaging records at staggering volumes,” said Dr. Ponemon. “To start the response process at day zero and square one is not only a recipe for disaster, it is irresponsible business. Privacy has become a hot button issue for everyone from citizen groups to elected officials, and one can only expect protections and regulations to increase. Organizations need to evaluate ways to automate their response process, and tools like Co3 have arrived at just the right time.”

“The Ponemon survey findings, with regards to data breach response and management, highlight the very real challenges firms are grappling with,” said John Bruce, CEO at Co3 Systems. “Organizations realize that the opportunities for loss and exposure — by their own hand or through partners and connected organizations — far outnumber the points of control and protection they can implement. It’s not surprising that more than one third of those surveyed have tried to create their own automated systems to cope with the implications of a breach. Our knowledgebase of regulations and industry best practices produce instant incident response plans based on the unique characteristics of a breach, and our easy-to-use project management interface ensures a timely, decisive and accurate response by any team.”


Who is responsible for data protection in the cloud?

Encryption in the Cloud is a Ponemon Institute report sponsored by Thales.

The study considers how encryption is used to ensure sensitive or confidential data is kept safe and secure when transferred to external-based cloud service providers. 4,140 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan and Brazil were surveyed.

Following is a summary of key findings relating to data protection, encryption and key management activities in the cloud.

  1. Currently, about half of all respondents say their organizations transfer sensitive or confidential data to the cloud environment. Within the next two years, another one-third of respondents say their organizations are very likely to transfer sensitive or confidential data to the cloud. At 56%, German companies appear to have the highest rate of sensitive or confidential data transferred to the cloud.
  2. 39% of respondents believe cloud adoption has decreased their companies’ security posture. However, 44% of respondents believe the adoption of cloud services has not increased or decreased their organization’s security posture. Only 10% of respondents believe the move to the cloud has increased their organization’s security posture. With respect to country differences, results suggest that French organizations are most likely to view cloud deployment as diminishing the effectiveness of data protection efforts.
  3. 44% of respondents believe the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment and 30% believe it is the cloud consumer. There are also differences among countries as to who is most responsible. French companies appear to be the most likely to hold the cloud provider responsible for data protection activities (67%). In contrast, 48% of Japanese companies hold the cloud consumer primarily responsible for data protection.
  4. Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider primarily responsible for data protection. In contrast, companies that do not transfer sensitive or confidential information to the cloud are more likely to hold the cloud consumer primarily responsible for data protection.
  5. 63% of respondents say they do not know what cloud providers are doing to protect the sensitive or confidential data entrusted to them. Once again, French respondents (76%) are least likely to say they know what their cloud providers do to safeguard their organization’s information assets.
  6. In general, respondents who select the cloud provider as the party most responsible for protecting data are more confident in their cloud provider’s actual ability to do so (51%), compared with only 32% of respondents who report confidence in their own ability to protect data even though they consider their own organization primarily responsible for doing so.
  7. Where is data encryption applied? According to 38% of respondents, their organizations rely on encryption of data as it is transferred over the network (typically the internet) between the organization and the cloud. Another 35% say the organization applies persistent encryption to data before it is transferred to the cloud provider. Only 27% say they rely on encryption that is applied within the cloud environment.
  8. Among the companies that encrypt data inside the cloud, nearly 74% believe the cloud provider is most responsible for protecting that data. However, only 34% of organizations that encrypt data inside their organization prior to sending it to the cloud hold the cloud provider primarily responsible for data protection.
  9. Who manages the encryption keys when sensitive or confidential data is transferred to the cloud? 36% of respondents say their organization is most responsible for managing the keys. 22% say the cloud provider is most responsible for encryption key management. Another 22% say a third party (i.e. another independent service provider) is most responsible for managing the keys. Even in cases where encryption is performed outside the cloud, more than half of respondents hand over control of the keys. With respect to country differences, German organizations appear to be the least likely to relinquish control of encryption keys to the cloud provider. Companies in Australia and Brazil appear to be the most likely to transfer control of encryption keys to the cloud provider.
  10. Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture. In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that more security-aware organizations are the more skeptical of cloud security and that it is the less security-aware organizations that are willing to overlook a perceived lack of security. Here, we use the Security Effectiveness Score (SES) as an objective measure of each organization’s security posture.
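Findings 7 and 9 above (persistent encryption applied before transfer, and who ends up holding the keys) are illustrated by the following Go program, an added example that is not from the Ponemon/Thales report. It uses only the standard library's AES-256-GCM: the customer encrypts each object under a fresh data key, wraps that data key with a master key that only it holds, and ships nothing but ciphertext to a simulated provider. Whoever holds the master key can read the data; the provider can only if the customer hands it over. The `Provider` type, the function names and the sample record are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Object is all the provider stores: ciphertext, nonces and the wrapped data key.
type Object struct {
	Nonce, Ciphertext, KeyNonce, WrappedDEK []byte
}

// Provider simulates cloud storage; it only ever sees Objects, never keys.
type Provider map[string]Object

// random returns n bytes from the platform CSPRNG.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something a caller can recover from
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh nonce, binding aad to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := random(g.NonceSize())
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Upload applies persistent encryption before data leaves the customer: a fresh
// data key (DEK) encrypts the object and the customer's master key (KEK) wraps the
// DEK. The object name is bound as associated data so objects cannot be swapped.
func Upload(p Provider, kek []byte, name string, plaintext []byte) error {
	dek := random(32)
	nonce, ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return err
	}
	kn, wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return err
	}
	p[name] = Object{nonce, ct, kn, wrapped}
	return nil
}

// Decrypt is what any holder of the KEK can do, and nobody else: the customer
// reads its data with it, and the provider can only if the customer hands it over.
func Decrypt(p Provider, kek []byte, name string) ([]byte, error) {
	o, ok := p[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	dek, err := open(kek, o.KeyNonce, o.WrappedDEK, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, o.Nonce, o.Ciphertext, []byte(name))
}

func main() {
	p := Provider{}
	customerKEK := random(32) // never leaves the customer
	if err := Upload(p, customerKEK, "patients.csv", []byte("id,name\n1,Ann")); err != nil {
		panic(err)
	}
	// The provider, holding only keys of its own, sees ciphertext.
	_, err := Decrypt(p, random(32), "patients.csv")
	fmt.Println("provider without the customer's KEK:", err)
	// Handing the KEK over is what lets the provider (or its attacker) read everything.
	pt, _ := Decrypt(p, customerKEK, "patients.csv")
	fmt.Printf("holder of the KEK: %q\n", pt)
}
```

Encryption in transit alone, the most common arrangement in finding 7, would leave the provider holding plaintext at rest; the arrangement above keeps stored data unreadable to the provider unless the key is shared, and it leaves key rotation and destruction in the customer's hands as well.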

Larry Ponemon, chairman and founder, Ponemon Institute, says:

“It’s a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though thirty-nine percent admit that their security posture has been reduced as a result. This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns. However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment – possibly because they most understand how and where to use tools such as encryption to protect their data and retain control. What is perhaps most surprising is that nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data. This represents an enormous opportunity for cloud providers to articulate what they are doing to secure data in the cloud and differentiate themselves from the competition.”

Richard Moulds, vice president, strategy, Thales e-Security, says:

“Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data. However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately. Effective key management is emblematic of control and the need for centralized and automated key management integrated with existing IT business processes is a necessity. Even if you allow your data to be encrypted in the cloud, it’s important to know you can still keep control of your keys. If you control the keys, you control the data.”
