There was good news in the Ponemon report: both the cost per
breached record (whether lost or stolen) and the organizational costs
associated with breaches declined. This was the first time that has happened since the
start of the study seven years ago. The cost of breaches to the organization
dropped to $5.5 million from $7.2 million last year, while the cost per
breached record fell to $194 from $214.
The 2011 Cost of a Data Breach Study results are based on the
evaluation of 49 data breach incidents that ranged from 4,500 to 98,000 records. The
study found that 41 percent of companies notified their affected customers
within one month of the incident.
While timely notifications and lowered costs associated with
breaches are good news, one of the more interesting findings in the report is
that organizations that have chief information security officers with
organizational responsibility for data protection are able to cut the costs of
their breaches by up to 35 percent per compromised record.
That statistic clearly shows that organizations with more mature
security programs in place tend to have better outcomes.
The study also found that customer churn rates went down last
year: Customers are no longer so quick to leave companies that have announced
that they’ve been breached. While that’s certainly good news for companies that
have to announce that they’ve been breached, it also shows that consumers are
becoming desensitized to breach notifications. There have been so many breach
notifications and hacking news stories breaking that people are no longer
paying attention.
When we look at the Verizon DBIR we learn that the surge in hacktivism in the past year
has made online activism the most prevalent motivation for attack. That’s not
to say that attackers aren’t still targeting data for monetary value,
such as account numbers and intellectual property; they are. However, we’ve
seen a wave of politically or civically motivated attacks, which means
companies that find themselves in a politically charged industry or party to a
dispute had better adjust their risk posture accordingly.
The DBIR also points to the fact that all companies had better be
prepared to stop attacks quickly and, even better, to identify attacks while they’re
underway. According to the study’s analysis, in 85 percent of incidents
attackers are able to compromise their target in minutes or seconds. It turns
out that, thanks to easy-to-use and automated tools, it doesn’t take long to hack a
server or point-of-sale system.
What makes it even more troubling is that in more than 50 percent
of cases, for all organizations, the target’s data is successfully removed
within hours of the initial breach. In about 40 percent of incidents it took
about a day, or more, for the attacker to find and exfiltrate the data.
While that’s certainly concerning enough, the truly disheartening
news is that enterprises move much more slowly than their attackers. In
27 percent of incidents, it took days between initial compromise and
attack discovery. For another 24 percent of organizations, discovery took
weeks. For the remaining 48 percent, it took months to years to discover
the breach.
It goes without saying that’s just not acceptable. Against an
adversary that moves in minutes, the defender needs to be able to identify and respond to attacks in near real time. This is only possible when response technology like EnCase Cybersecurity is integrated directly with alerting or event management solutions. It’s a topic we’ve covered previously here.
For a deeper look into the implications of the studies referred
to in this post, join Larry Ponemon of the Ponemon Institute and Bryan Sartin,
co-author of the Verizon DBIR for the Guidance Software CISO Summit, May 21st
at the Red Rock Resort in Summerlin, Nevada. Learn more at
www.guidancesoftware.com/cisosummit.