Ponemon Cost of a Data Breach Study and Verizon DBIR Highlight Some Good News and Some Bad News

Anthony Di Bello

Two highly regarded security studies were recently released: the Ponemon Institute’s 2011 Cost of a Data Breach Study and Verizon's annual Data Breach Investigations Report (DBIR). Both contain interesting results.

There was good news in the Ponemon report: both the cost per breached record (whether lost or stolen) and the total organizational cost of a breach declined, the first time either has done so since the study began seven years ago. The average cost of a breach to the organization dropped to $5.5 million from $7.2 million last year, while the cost per breached record fell to $194 from $214.

The 2011 Cost of a Data Breach Study results are based on the evaluation of 49 data breach incidents that ranged from 4,500 to 98,000 records. The study found that 41 percent of companies notified their affected customers within one month of the incident.

While timely notifications and lower breach costs are good news, one of the more interesting findings in the report is that organizations with a chief information security officer who holds organizational responsibility for data protection cut the cost of their breaches by up to 35 percent per compromised record.

That statistic clearly shows that organizations with more mature security programs in place tend to have better outcomes.

The study also found that customer churn rates went down last year: customers are no longer so quick to leave companies that announce they have been breached. While that is certainly good news for companies that have to make such an announcement, it also suggests that consumers are becoming desensitized to breach notifications. There have been so many notifications and hacking news stories that people are no longer paying attention.

Turning to the Verizon DBIR, the surge in hacktivism over the past year has made online activism the most prevalent motivation for attack. That is not to say attackers are no longer targeting data for its monetary value, such as account numbers and intellectual property; they are. But we have seen a wave of politically or civically motivated attacks, which means companies in a politically charged industry, or party to a public dispute, had better adjust their risk posture accordingly.

The DBIR also makes clear that every company had better be prepared to stop attacks quickly, and better still to identify them while they are underway. According to the study’s analysis, in 85 percent of incidents attackers compromised their target in minutes or seconds. Thanks to easy-to-use and automated tools, it does not take long to hack a server or point-of-sale system.

What makes this even more troubling is that in more than 50 percent of cases, across all organizations, the target’s data was successfully removed within hours of the initial breach. In about 40 percent of incidents it took the attacker a day or more to find and exfiltrate the data.

While that is concerning enough, the truly disheartening news is that enterprises move much more slowly than their attackers. In 27 percent of incidents it took days between initial compromise and discovery of the attack. For another 24 percent of organizations, discovery took weeks. For the remaining 48 percent it took months or even years to discover the breach.

It goes without saying that this is not acceptable. Against an adversary that moves in minutes, the defender needs to identify and respond to attacks in near real-time. That is only possible when response technology like EnCase Cybersecurity is integrated directly with alerting or event management solutions, a topic we have covered previously here.

For a deeper look into the implications of both studies, join Larry Ponemon of the Ponemon Institute and Bryan Sartin, co-author of the Verizon DBIR, at the Guidance Software CISO Summit on May 21st at the Red Rock Resort in Summerlin, Nevada. Learn more at www.guidancesoftware.com/cisosummit.
