Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/24/2019
05:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

With Data Breach Costs, Time is Money

The sooner a company can detect and respond to an incident, the less likely they are to pay for it, a new IBM-Ponemon study finds.

One of the main takeaways from IBM's latest annual data breach report, released this week, is that a strong incident response capability can help organizations reduce breach costs by more than 25% on average.

IBM's study of over 500 data breach victims — conducted by the Ponemon Institute — shows that businesses with a formal incident response team and well-tested response plans spent $3.51 million on average on breach costs compared with $4.74 million by those who had neither.

The study shows that organizations on average took 206 days after initial intrusion to first identify a data breach and another 73 days to remediate it. But companies that were able to detect and contain a breach in fewer than 200 days spent $1.23 million less in breach costs.

"When it comes to data breaches, time is money, and the longer it takes to contain and remediate, the longer the organization keeps bleeding, so to speak," says Limor Kessem, global executive security advisor at IBM Security.

The IBM-Ponemon study — now in its 15th year — considered four core categories of expenses when computing breach costs: lost business, detection and escalation, notification, and post-breach, Kessem says.

"We found that lost business has remained the highest cost factor over the past five years," Kessem says. This includes things such as the costs of business disruption, revenue losses from system downtime, damage to a company's reputation, and the cost of lost customers, she says. The global average customer turnover rate caused by a data breach was 3.9%, an increase from last year's rate of 3.4%, she says.

Quick detection and response are critical to reporting the exact scope of a breach, figuring out what might have been compromised, and complying with regulatory breach notification requirements. A fully drilled incident response team can help speed up restoration and repair, Kessem notes.

"[Organizations] are in a better place on reporting and can save costs on everything from operational downtime, employee productivity, and regulatory fines to reputational damage."

Joseph Carson, chief security scientist at Thycotic, says the reason why companies are having a harder time detecting breaches is because attackers are getting better at hiding their tracks by abusing privileged accounts and other measures to remove traceable digital footprints. Many security researchers have noted a recent increase in attacks that employ legitimate remote admin tools and other utilities to hide on a compromised network for extended durations.

"A strong incident response plan can be useless if you're not actively threat hunting" as well, Carson says.

The IBM-Ponemon study shows that other measures could help organizations reduce breach costs, too. Companies that had deployed security automation technologies, for instance, generally spent just half of what organizations without such tools spent on a data breach. Similarly, total breach costs were about $360,000 lower on average for companies that employed encryption effectively.

"Encryption, business continuity management, DevSecOps, and threat intelligence sharing are cost mitigators, while cloud migration, IT complexity, and third-party breaches are major cost amplifiers," says Jonathan Deveaux, head of enterprise data protection at comforte AG.

Increasingly, companies are talking about a "cloud-first" strategy for some projects and about "multicloud" configurations, involving the use of AWS alongside Azure or Google Cloud, Deveaux says. "What this means from a data security perspective is that there are more attack vectors that leave organizations susceptible to data breaches."

"Long-Tail" Costs
As in previous years, the latest IBM-Ponemon report shows that data breach costs are continuing to climb for organizations across the board, but none more so than healthcare companies. The global average cost for a data breach is now $3.92 million — or 12% higher than what it was five years ago. For organizations in the US, the average costs are more than double, at $8.19 million.

The data shows that healthcare companies last year spent a stunning $439 per lost record at an average of nearly $6.5 million for a data breach. That figure is some 60% higher than what organizations in any other industry pay for a data breach. "[These] breaches are simply calamitous to organizations in the sector," Kessem notes. It speaks to the need of the healthcare sector to pay more attention to all those cost reduction strategies that extend beyond a security program that's already in place, she says.

The biggest cost factor for breaches in the US stemmed from lost business, such as customer turnover, system downtime, and business disruption. More than half ($4.5 million) of the total cost of a breach in the US, in fact, was tied to lost business — double that for organizations in other countries. "In general, we expect increasing data privacy standards and regulation like GDPR will increase regulatory and compliance costs for companies who experience a breach," Kessem notes.

Generally, data breaches caused by malicious cyberattacks cost businesses in the IBM-Ponemon study about $1 million more on average than data compromises caused by an accident. The data shows the percentage of companies in the study that experienced a malicious external data breach was 51% compared with 42% six years ago. Forty-nine percent of the breaches were caused by human error and system problems and cost victims $3.5 million and $3.24 million on average, respectively.

The study shows that breach costs can escalate sharply depending on the number of records that are breached. The projected final cost for companies in the IBM-Ponemon study that experienced a breach of more than 1 million records — a relatively rare occurrence — was $42 million. The figure skyrocketed to $388 million for breaches involving more than 50 million records.

Significantly, the financial impact of a data breach can last for years, Kessem says. Most organizations incur only about two-thirds (67%) of their data breach costs in the first 12 months. They spend 22% in the second year and the remaining 11% more than two years after the incident.

Such "long-tail" costs tend to be higher in regulated industries such as healthcare, financial services, and energy. A lot of it has to do with the fact that compliance and regulatory processes tend to be complex and often move slower as well. Therefore, fines and legal fees accumulate in the years following a breach, and not in the immediate aftermath of one, she says.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/25/2019 | 9:21:13 AM
Repetitive but needed

Increasingly, companies are talking about a "cloud-first" strategy for some projects and about "multicloud" configurations, involving the use of AWS alongside Azure or Google Cloud, Deveaux says. "What this means from a data security perspective is that there are more attack vectors that leave organizations susceptible to data breaches."

Interesting, I don't agree with that, I think lack of knowledge, experience, strategy and inadequate education can leave a company susceptible to attack. The cloud is an extension of the organization. No matter how secure the cloud provider is, the individuals that are responsible for its functions will carry those same practices over to the cloud. Look at a few companies that have been hit by incompetence (Cloud S3 Issues):
  • Attunity - S3 bucket left open without specific controls
  • Accenture Federal Services - S3 bucket left open with company data
  • Microsoft, Yahoo, iCloud, Dropbox
  • Booz Allen Hamilton
  • Dow Jones & Co
  • Verizon Wireless
  • Time-Warner Cable

Again, all you have to have is a person who leaves one door open. Think about creating a VM on any CSP, look at the /var/log/*.log files and run the following:
  • "yum install logwatch -y"
  • "/usr/sbin/logwatch --detail High --mailto <email> --range Today --filename logwatch-`date '+%m-%d-%Y'`.html --format html" 

Be sure to look at the number of attempts of someone trying to access ssh, this is alarming, now you have the option of locking down ssh using iptables and cloud rules (NSG or ACL IP filtering):
  • "iptables -I INPUT 1 -m multiport --dport 22 -s 192.168.0.0/16 -d 192.168.0.0/16 -m conntrack --ctstate -j ACCEPT #isolate ports on the network and monitor that access with conntrack

Just a word to the wise.

Todd
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
7/25/2019 | 8:21:22 AM
Re: woa
I rather think this a brain-dead article - obvious in all respects.  Equifax did everything wrong and anybody in security knows these steps.  Not the most challenging subject. 
josephvespiritu
50%
50%
josephvespiritu,
User Rank: Apprentice
7/25/2019 | 2:20:40 AM
woa
thank for your post
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...