Dark Reading is part of the Informa Tech Division of Informa PLC



7/24/2019
05:05 PM

With Data Breach Costs, Time is Money

The sooner a company can detect and respond to an incident, the less likely they are to pay for it, a new IBM-Ponemon study finds.

One of the main takeaways from IBM's latest annual data breach report, released this week, is that a strong incident response capability can help organizations reduce breach costs by more than 25% on average.

IBM's study of over 500 data breach victims — conducted by the Ponemon Institute — shows that businesses with a formal incident response team and well-tested response plans spent $3.51 million on average on breach costs compared with $4.74 million by those who had neither.

The study shows that organizations on average took 206 days after initial intrusion to first identify a data breach and another 73 days to remediate it. But companies that were able to detect and contain a breach in fewer than 200 days spent $1.23 million less in breach costs.

"When it comes to data breaches, time is money, and the longer it takes to contain and remediate, the longer the organization keeps bleeding, so to speak," says Limor Kessem, global executive security advisor at IBM Security.

The IBM-Ponemon study — now in its 15th year — considered four core categories of expenses when computing breach costs: lost business, detection and escalation, notification, and post-breach, Kessem says.

"We found that lost business has remained the highest cost factor over the past five years," Kessem says. This includes things such as the costs of business disruption, revenue losses from system downtime, damage to a company's reputation, and the cost of lost customers, she says. The global average customer turnover rate caused by a data breach was 3.9%, an increase from last year's rate of 3.4%, she says.

Quick detection and response are critical to reporting the exact scope of a breach, figuring out what might have been compromised, and complying with regulatory breach notification requirements. A fully drilled incident response team can help speed up restoration and repair, Kessem notes. "[Organizations] are in a better place on reporting and can save costs on everything from operational downtime, employee productivity, and regulatory fines to reputational damage."

Joseph Carson, chief security scientist at Thycotic, says companies are having a harder time detecting breaches because attackers are getting better at hiding their tracks, abusing privileged accounts and using other measures to remove traceable digital footprints. Many security researchers have noted a recent increase in attacks that employ legitimate remote admin tools and other utilities to hide on a compromised network for extended durations. "A strong incident response plan can be useless if you're not actively threat hunting" as well, Carson says.

The IBM-Ponemon study shows that other measures could help organizations reduce breach costs, too. Companies that had deployed security automation technologies, for instance, generally spent just half of what organizations without such tools spent on a data breach. Similarly, total breach costs were about $360,000 lower on average for companies that employed encryption effectively.

"Encryption, business continuity management, DevSecOps, and threat intelligence sharing are cost mitigators, while cloud migration, IT complexity, and third-party breaches are major cost amplifiers," says Jonathan Deveaux, head of enterprise data protection at comforte AG.

Increasingly, companies are talking about a "cloud-first" strategy for some projects and about "multicloud" configurations, involving the use of AWS alongside Azure or Google Cloud, Deveaux says. "What this means from a data security perspective is that there are more attack vectors that leave organizations susceptible to data breaches."

"Long-Tail" Costs

As in previous years, the latest IBM-Ponemon report shows that data breach costs are continuing to climb for organizations across the board, but none more so than healthcare companies. The global average cost for a data breach is now $3.92 million — or 12% higher than what it was five years ago. For organizations in the US, the average costs are more than double, at $8.19 million.

The data shows that healthcare companies last year spent a stunning $439 per lost record at an average of nearly $6.5 million for a data breach. That figure is some 60% higher than what organizations in any other industry pay for a data breach. "[These] breaches are simply calamitous to organizations in the sector," Kessem notes. It speaks to the need of the healthcare sector to pay more attention to all those cost reduction strategies that extend beyond a security program that's already in place, she says.

The biggest cost factor for breaches in the US stemmed from lost business, such as customer turnover, system downtime, and business disruption. More than half ($4.5 million) of the total cost of a breach in the US, in fact, was tied to lost business — double that for organizations in other countries. "In general, we expect increasing data privacy standards and regulation like GDPR will increase regulatory and compliance costs for companies who experience a breach," Kessem notes.

Generally, data breaches caused by malicious cyberattacks cost businesses in the IBM-Ponemon study about $1 million more on average than data compromises caused by an accident. The data shows the percentage of companies in the study that experienced a malicious external data breach was 51% compared with 42% six years ago. Forty-nine percent of the breaches were caused by human error and system problems and cost victims $3.5 million and $3.24 million on average, respectively.

The study shows that breach costs can escalate sharply depending on the number of records that are breached. The projected final cost for companies in the IBM-Ponemon study that experienced a breach of more than 1 million records — a relatively rare occurrence — was $42 million. The figure skyrocketed to $388 million for breaches involving more than 50 million records.

Significantly, the financial impact of a data breach can last for years, Kessem says. Most organizations incur only about two-thirds (67%) of their data breach costs in the first 12 months. They spend 22% in the second year and the remaining 11% more than two years after the incident.

Such "long-tail" costs tend to be higher in regulated industries such as healthcare, financial services, and energy. A lot of it has to do with the fact that compliance and regulatory processes tend to be complex and often move slower as well. Therefore, fines and legal fees accumulate in the years following a breach, and not in the immediate aftermath of one, she says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
tdsan,
User Rank: Ninja
7/25/2019 | 9:21:13 AM
Repetitive but needed

Increasingly, companies are talking about a "cloud-first" strategy for some projects and about "multicloud" configurations, involving the use of AWS alongside Azure or Google Cloud, Deveaux says. "What this means from a data security perspective is that there are more attack vectors that leave organizations susceptible to data breaches."

Interesting, I don't agree with that, I think lack of knowledge, experience, strategy and inadequate education can leave a company susceptible to attack. The cloud is an extension of the organization. No matter how secure the cloud provider is, the individuals that are responsible for its functions will carry those same practices over to the cloud. Look at a few companies that have been hit by incompetence (Cloud S3 Issues):
  • Attunity - S3 bucket left open without specific controls
  • Accenture Federal Services - S3 bucket left open with company data
  • Microsoft, Yahoo, iCloud, Dropbox
  • Booz Allen Hamilton
  • Dow Jones & Co
  • Verizon Wireless
  • Time-Warner Cable

Again, all you have to have is a person who leaves one door open. Think about creating a VM on any CSP, look at the /var/log/*.log files and run the following:
  • "yum install logwatch -y"
  • "/usr/sbin/logwatch --detail High --mailto <email> --range Today --filename logwatch-`date '+%m-%d-%Y'`.html --format html" 

Be sure to look at the number of attempts of someone trying to access ssh, this is alarming, now you have the option of locking down ssh using iptables and cloud rules (NSG or ACL IP filtering):
  • "iptables -I INPUT 1 -p tcp -m multiport --dports 22 -s 192.168.0.0/16 -d 192.168.0.0/16 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" #isolate ports on the network and monitor that access with conntrack

Just a word to the wise.

Todd
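
The check described in the comment above (counting SSH login failures in the logs before restricting port 22), as an added example that is not part of the original comment. The log lines are constructed, the function names are hypothetical, and the syslog format of /var/log/secure is assumed.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins per source address.
# Input: sshd lines in the syslog format written to /var/log/secure.

# Constructed sample data (documentation address ranges, not real hosts).
sample_log() {
cat <<'EOF'
Jul 25 09:01:12 vm1 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul 25 09:01:15 vm1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jul 25 09:01:19 vm1 sshd[2214]: Failed password for invalid user from from 203.0.113.7 port 51131 ssh2
Jul 25 09:01:20 vm1 sshd[2215]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jul 25 09:02:00 vm1 sshd[2220]: Accepted password for ops from 192.168.1.10 port 50000 ssh2
Jul 25 09:03:41 vm1 sshd[2231]: Failed password for ops from 192.168.1.44 port 50311 ssh2
EOF
}

# Print "count address" for every source of failed password attempts,
# busiest first. The user name is attacker-controlled (see the third
# sample line), so the address is located from the right-hand side of
# the line: "from <addr> port <n>".
ssh_fail_summary() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = NF; i > 2; i--)
                if ($i == "port" && $(i - 2) == "from") { n[$(i - 1)]++; break }
         }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# Keep only sources outside 192.168.0.0/16, the range that the iptables
# rule in the comment accepts on port 22.
external_only() {
    awk '$2 !~ /^192\.168\./'
}

# Usage: script --demo   (constructed data)   or   script /var/log/secure
if [ "${1:-}" = "--demo" ]; then
    sample_log | ssh_fail_summary | external_only
elif [ -n "${1:-}" ]; then
    ssh_fail_summary < "$1" | external_only
fi
```

Sources that remain after `external_only` are the ones a source-restricted rule on port 22 would stop reaching sshd; failures from inside 192.168.0.0/16 still need review, since the rule lets them through.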
REISEN1955,
User Rank: Ninja
7/25/2019 | 8:21:22 AM
Re: woa
I rather think this is a brain-dead article - obvious in all respects. Equifax did everything wrong and anybody in security knows these steps. Not the most challenging subject.
josephvespiritu,
User Rank: Apprentice
7/25/2019 | 2:20:40 AM
woa
thanks for your post