Category: Statistics

“A few years ago, you wouldn’t have a marketing officer concerned with a data breach. That was an IT problem. Nowadays all the execs around a boardroom table are concerned about it,” John Dasher, director of product management for PGP told InternetNews.com. “If I’m a marketing officer, the last thing I want to do is spend marketing money doing brand damage repair because of a breach.”

The report, called “The 2007 Annual Study: Cost of a Data Breach,” comes from a detailed analysis of 35 data breach incidents involving fewer than 4,000 records to more than 125,000 records.

The TJX breach, initially believed to be a small deal, has grown enormously expensive for the retailer. TJX in August announced it would take a $118 million charge related to the costs and potential liability resulting from the theft of more than 45 million credit and debit accounts. “This is one of the first widely publicized examples of how a data breach can affect you, your shareholders, and your stock price,” said Dasher. But Peter Firstbrook, security research analyst for Gartner, disputes this scale of impact. “How do they know how much revenue would have accrued before the breach? Our research shows that most consumers do not actually change business after a breach. Check out TJMax’s sales before and after their incident,” he said in an e-mail to InternetNews.com. Firstbrook appears to make a valid point. TJX may have gotten a black eye but sales rose 8 percent in the third quarter of 2007 compared to the same quarter last year, and the company plans to add more than 1,000 new stores in the next few years.

The report also claims that the average total per-incident costs in 2007 were $6.3 million, a 31 percent increase from the 2006 average per-incident cost of $4.8 million. On the bright side, if there is such a thing, the cost of notification fell 40 percent because firms got better at notifying their customers when a breach occurred.

One of the biggest vulnerabilities is found when data is stored, disseminated and shared with third parties. Outsourcers, contractors, consultants and business partners accounted for 40 percent of breaches, up from 29 percent in 2006. External breaches also cost more, averaging $231 compared to $171 per record.

The Real Point Of Vulnerability?
While outsourcing and third parties are a weakness, the notion of the nefarious hacker sniffing traffic coming into Amazon and Overstock may be overblown. Instead, it’s brick-and-mortar retail outlets like TJX stores that are the weak link. This past Sunday, the TV news magazine 60 Minutes showed how many retail outlets don’t secure the wireless networks of their stores. Sitting in a car with some computer experts with a laptop, correspondent Leslie Stahl showed how easy it was to pick up on wireless transmissions in the stores. “It makes sense because companies like Amazon that are born and bred of technology have a good security model from the beginning,” said Dasher. “A lot of brick-and-mortar companies don’t have this. They have conflicting setups. Some of them are still using a DOS-based point-of-sale system.” This disparity may prove retail’s real challenge compared to its online counterparts. Beyond the convenience and the chance to avoid paying sales tax, if an Amazon purchase is viewed as safer than an in-store purchase, it poses a real problem for traditional retail stores. “Retail is going to have to spend more effort on this issue, but it may prove harder for them,” Dasher said. “[Retailers] are starting off with a poorer hand they have been dealt with, since many of them use a custom point-of-sale system, so they can’t bolt on a quick aftermarket security fix.”

For some financial services firms, security breaches can often be the unfortunate result of living in the past. Many firms come from a background of mainframes connected via leased lines, so they have a history of doing insecure transactions over secured networks. With the advent of the Internet, they now have to do secure transactions over a very insecure network. “So it’s not surprising they may have had a false sense of security over their position,” said Dasher. Firstbook thinks more emphasis needs to be placed on the human element rather than focusing on the security products sold by the two companies that sponsored the report. “Besides technology, minimizing the risk of data breaches will involve lots of manual processes like data identification and classification data clean up and changes to procedures—as well as a health dose of user education,” he said. “Some technologies can help but they are not solutions.”

http://www.internetnews.com/ent-news/article.php/3713261

While office-bound employees have consistently topped the list of those thought most likely to compromise network security in past surveys, they have lost some ground to remote and mobile employees, who are considered to be a greater security threat by 31 percent of respondents.

Sophos’ head of technology, Paul Ducklin, said, “This is a representation of how common telecommuting and remote working has become,” to the extent that half of those in the office are also remote workers.

http://news.zdnet.com/2100-1009_22-6213227.html

The Computer Security Institute’s annual Computer Crime and Security Survey, which is scheduled for release later this week, reports that insider attacks have now surpassed viruses as the most common cause of security incidents in the enterprise.

Nearly 60 percent of respondents have experienced insider-related events in the past 12 months, while only 52 percent of companies reported a virus incident.

Yet while the average annual cybercrime losses per company more than doubled in the past year, almost two thirds (63 percent) of respondents said that losses due to insider-related events accounted for 20 percent or less of those losses.

Fifty percent cited the loss or theft of laptop or mobile devices, while 25 percent cited misuse of instant messaging services.

Another 25 percent said they had experienced “unauthorized access to information” in the past 12 months, and 17 percent said they have suffered loss or theft of customer/employee data.

“A great deal is made of the insider threat, particularly by vendors selling solutions to stop insider security infractions,” the report observes.

Some 30 percent of respondents stated that, despite new laws concerning breach disclosure, they experienced at least one incident that was never reported outside the organization.

Twenty-six percent said they did not report their incidents to law enforcement because of fears of negative publicity.

http://www.darkreading.com/document.asp?doc_id=133762&WT.svl=news2_5

“Protecting data that is stored on devices outside the confines and control of the corporate network is a problem for which many companies simply do not have a solution,” said Larry Ponemon, founder and chairman of the Ponemon Institute, in a statement.

“Our research shows that, while most companies recognize the risk off-network data poses, few seem to have a grasp on how to manage the many challenges off-network data present to maintaining a strong data security program, and many do not even have a policy to address the situation.”

http://www.informationweek.com/news/showArticle.jhtml?articleID=201801989

“The level of encryption required will obviously vary from organisation to organisation, but companies should be looking to encrypt as much network traffic as possible, if not all of it,” said Gary Clark, vice president of SafeNet in EMEA. “However, I am concerned to see that the number of organisations implementing security measures and encryption policies has decreased over the past 12 months.”

http://www.vnunet.com/vnunet/news/2197101/unencrypted-networks-data

The study also showed that one-third of mobile users access unauthorized wireless connections, whether they’re hijacking a neighbors’ wireless connection or using unsecured hotspots at a coffee shop or in a public park.

Although many said they are “sometimes” aware, another 28% admitted they “hardly ever” consider security risks and proper behavior.

Some even said they “never” consider safety best practices and didn’t know they needed to be aware of security risks.

http://www.informationweek.com/news/showArticle.jhtml?articleID=201801429