Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Pair of Reports Paint Picture of Enterprise Security Struggling to Keep Up

Many organizations have yet to create an effective cybersecurity strategy - and it's costing them millions.

The costs associated with data breaches continue to grow at a pace that exceeds the resources available to protect the organizations dealing with the breaches. Two new reports, from IBM and EY, make that same point with different data and slightly different, but definitely related, conclusions. Together they provide a picture of security incidents that are inevitably expensive but can be made less so through careful planning.

The first study, commissioned by IBM and conducted by the Ponemon Institute, looks at the cost of data breaches from the perspective of business continuity management (BCM). The study breaks the costs associated with a breach into four areas:

  • Detection and escalation: Finding out you've been breached and deciding what to do about it.
  • NotificationTelling the affected customers, partners, and employees about the breach and notifying any relevant regulators or law-enforcement agencies.
  • Ex-post response: Remediating the impact on the organization and the individuals affected by the breach.
  • Lost business cost: Business lost due to the reputation hit, distraction, or downtime due to the incident.

According to the study, 22 different factors — ranging from the lack of security analytics to the presence of the Internet of Things — can have an impact on the cost, with the overall thrust being that time equals money: The longer it takes to figure out what has happened and to do something about it, the more money the effort will consume. And in 2018, the average incident has consumed $4.24 million in the population studied.

EY also studied the cost of a cybersecurity breach, but from a slightly different perspective: that of cybersecurity in the context of overall business advantage. While 55% of the companies also surveyed by Ponemon on its behalf had some sort of business continuity management team in place, EY found that 87% of the companies were working with limited cybersecurity and resilience capabilities. While the two facts are not mutually exclusive, they suggest that companies have business continuity or cybersecurity teams who operate within very tightly constrained resources. 

Those constrained resources still have room for cybersecurity incidents that cost companies an average of $3.62 million per incident. While a different total than in IBM's study, the two numbers are in the same financial neighborhood, with each representing a significant sum for many organizations.

With different beginning points for their work, the two report reach different conclusions. The IBM report focuses on the impact that a BCM team and plan can have on the cost of an incident once it has occurred. According to the report, an in-place BCM team can save 82 days throughout the total span of an incident, save the company more than $5,700 per day, and lower the overall cost of an incident to an average of $3.55 million.

EY makes the point in its report that organizations must do three things simultaneously:

  • Protect the enterprise: Identify assets and build lines of defense.
  • Optimize cybersecurity: Stop low-value activities, increase efficiency, and reinvest the resulting funds in innovative security technology.
  • Enable growth: Implement security-by-design as a key success factor for digital transformation.

All are critical in the face of 6.4 billion fake email messages sent every day, EY says. The overwhelming number of potential attacks launched against organizations means that cybersecurity must be part of the business strategy and reflected in the organization's governance. Yet, according to the report, "At the moment, there is significant room for improvement. Fewer than 1 in 10 organizations say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet under way."

With approaches that include working to prevent incidents and preparing to deal with incidents when they do occur, the studies show that many organizations have yet to effectively create a cybersecurity strategy that meets the needs of the business — or the incident at hand.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/12/2018 | 8:46:23 AM
4. Increase C-Suite awareness
Lower level staff and cyber expets are well aware of the dangers and methods used by foreign actors, phishing emails and such - but education UP and down the corporae ladder is essential.  C-Suite MUST back the security effort fully and without excuses (Equifax) so it becomes part of IT structure.  Lower levle staff must know the  basics - phishing emails most common cause, malicious websites (no porn) and such.   Unless the knowledge is spread around, other fixes remain problematic at best and ineffective at worst. 
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3896
PUBLISHED: 2019-06-19
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
CVE-2019-3954
PUBLISHED: 2019-06-19
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
CVE-2019-10085
PUBLISHED: 2019-06-19
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
CVE-2019-11038
PUBLISHED: 2019-06-19
When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been ...
CVE-2019-11039
PUBLISHED: 2019-06-19
Function iconv_mime_decode_headers() in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.