Data breach costs, customer churn up a bit; Repeat offenders abound
The cost of a data breach runs companies $202 per compromised record, up 2.5 percent from $197 per record in 2007 and up 11 percent from 2006, according to research from Ponemon Institute.
In its fourth annual study on data breaches, the Ponemon Institute, a security research firm, examined the costs incurred by 43 companies that had been hit by a data breach. The study, sponsored by PGP Corp., reaches the following conclusions, which are similar to those in the 2007 report.
- The cost of lost business was the biggest component of a breach's cost: lost business accounts for 69 percent of data breach costs, up from 54 percent in 2006. "The real punishment is brand diminishment," says Ponemon Institute Chairman Larry Ponemon. "In some cases a company is facing the loss of customer trust."
- Third-party data breaches are increasing. Outsourcers, contractors, consultants and partners are increasingly losing data. Third-party breaches were reported by 44 percent of respondents, up from 21 percent in 2005.
- Third-party data breaches are also more expensive, at $231 per compromised record.
- Breaches experienced by so-called first-timers are more costly, at $243 per compromised record. Experienced companies, the repeat offenders, have the cost down to $192.
- Unfortunately, more than 84 percent of the cases Ponemon examined were repeat data breach offenders. On the bright side, 49 percent of respondents are creating additional manual procedures and control processes. I suppose the other 51 percent are waiting to get hit again before finding a clue.
- Healthcare and financial services companies lose the most customers after a data breach: the healthcare customer churn rate is 6.5 percent, followed by financial services at 5.5 percent.
Here's the breakdown by industry:
Also notable: Retail breaches are relatively cheap:
- Fifty-three percent of respondents say that training and awareness programs prevent future breaches. Why? Humans are, inadvertently, the weakest link in the data breach equation. This was a common theme at the Wharton Information Security Best Practices conference last week. Indeed, 88 percent of all data breach cases involved negligence.
The data breach cost breakdown is also interesting: audit, consulting and churn costs are going up, while the other items are stable.
Overall, it's clear that more work needs to be done on data breaches. At the Wharton conference Friday, a bevy of legal types and chief privacy officers weren't sure where to start. Sure, there were some companies with detailed plans and procedures (LexisNexis comes to mind), but that's because those firms were either hit with a breach or acquired a company that was (ChoicePoint in this instance). In the end, companies may not get the data breach prevention thing until they get hit.
Talkback
Prevent most net breaches!!!
keeping the Network(s) "UP," provides a Real Time Global Administrator that sits transparently over other OEMs' Network Management systems (i.e., IBM WebSphere, HP OpenView, SCADA, etc.); the system also reduces tech support costs by at least 65-85%, and is interoperable (100% open system) in any network (nothing changes) by literally bolting it on." Another feature is that no wire closets are required, thus saving large sums of capital in new construction. For the small-to-medium marketplace, Service & VARs can now manage their clients' nets autonomically, thus offering real-time service and handling adds, moves, changes, testing, repairing, etc. remotely. This "David"-sized technology solution is the only OEM that is backed 100% by Science, and complies with the following standards: OSI, Common Criteria, PCI-DSS, and DARPA 98 "TODAY".
DtX could have prevented the following Network Critical Infrastructure breaches. More recently, the SCADA network control systems at Georgia Power's nuclear reactors were breached; that was followed by Verizon HQ's SCADA system breach. Prior to that, there was the CIA P.R. (attached) of Panama's electrical grid being taken down for four days. Of course there are the normal everyday corporate and government networks that are breached. Examples include Estonia's networks that were breached and taken down for 24 hours, LAX Airport breached for 48 hours with much resulting chaos, Defense Secretary Gates's own Pentagon networks being taken down, and the TJX networks breach, of which the WSJ reported that the total costs will eventually approach several hundred million. It just doesn't stop.... What happens if they decide to hit a large utility, several financial institutions, and perhaps one larger city or Federal Emergency Services network.....and of course the Heartland story two weeks ago, as well as "phishing." Then on January 18th, all of Kyrgyzstan's nets were breached.
Cyber attacks are now almost ranked #2; but never does the media ever challenge or discuss "solutions." None of the established OEMs like Microsoft, Cisco, RSA, McAfee, Sourcefire, CloudShield, DNS products and other firewalls, SCADA, etc. systems has ever provided any scientific evidence, or any specificity or independent analysis, that their systems cannot be penetrated. We the gray beards, and those who wrote the NSA's Orange and Red Books, all had it correct from the 1960s when we had dedicated terminals and mainframes. Once the client-server model was born in the early 1980s, along with Microsoft's OS, we started downhill because everyone wanted it on the cheap as the government and industry downsized. The bottom line is we know how to build secure and cost-effective systems. The world has been sold on the value of "firewalls, etc., and other appliances, to which we also agree are required." However, at least 99+% of them are Layer 2 & 3 devices, which makes them all hackable even with encryption. The "Science" says so! Nothing changes in the network except that their S/W & appliances now should be running through our Open Layer One OSI Platform.
Two of our clients are: the Canadian Govt. Dept. of Public Safety (DHS), but we are precluded from discussing these projects. Another is the Passaic County data centers with 10 systems. These latest OS revisions have been in 24x7x365 usage for over two years without one nit, S/W or H/W glitch, and not one service call to date. Prior to this, clients included Global Crossing, Blue Cross Blue Shield, US Navy, etc.
Conceived, designed, engineered, and manufactured in the USA with 95% US and 5% Canadian proprietary chips, components, and sub-assemblies.
As for virtualization, my CTO's mail speaks for itself.
Bob,
I was reading on this web site (www.itpro.co.uk) IT articles on cyber security and threats, and I picked up an article from an interview of a lady from HP who previously worked at Mercury (the article is by Mary Branscombe). She comments on a solution using virtualization tools to bring automation between hardware and software. The thing that she is missing in her analysis is that all of that exchange of data goes through a physical media connecting network device such as network switches or routers. Yes, at the end you can still make your network talk to each other, but when it is time to act you have to send someone to fix things or you have to turn off a device to stop the damage from spreading. What she is missing here is that an automation solution starts with a virtual management solution automated and supported by a physical interconnecting system like ours. Rebooting servers does not solve the problem; you still have to go back to that machine and fix it. With a physical solution you replace the active server with a mirror server and you isolate the defective server and bring it to a different network or a service network to be taken care of later. The exercise of bringing the server back to service is less painful and expensive compared to a human on site.
Imagine a network device that needs to be isolated or replaced immediately! OK, you can virtually re-route traffic, but it will not change the fact that 10,000 banking transactions are pending or 10,000 people are not getting their money at an ATM. What I am saying here is what I have been saying for years: no matter what virtual solution you bring, there is still a gap!
Probably someone with some technical background will realize that we are the solution when this person reads an article from a giant like HP with so many holes in automation for mission-critical infrastructure and cyber defense mechanisms.
Pierre
Below, here's what two of the four ex-NSA top security experts have to say.
1) Roger Schell, PhD: Following is his recent assessment. Roger is internationally recognized as a major contributor to the advancement of computer security concepts and the overall definition of network security. At Novell, he led their Class C2 network evaluation and managed development of product security. He was VP for Engineering at Gemini Computers, where he developed their highly secure (Class A1) commercial product. He served as the founding Deputy Director of the National Computer Security Center, which he grew into a respected organization of more than 150 security professionals. For his work there he is widely regarded as the "father" of the Trusted Computer System Evaluation Criteria (the "Orange Book"), which has been the most widely used international security standard for computers and networks.
Dr. Schell originated several key modern security design and evaluation techniques and holds patents in cryptography and authentication. He participated in sponsored "tiger team" penetration tests of several commercial and security-enhanced operating systems and networks for various government activities, including the Defense Intelligence Agency, the U.S. Air Force, the Office of the Joint Chiefs of Staff, and the Central Intelligence Agency. He has more than 60 publications, and was Associate Professor of Computer Science at the Naval Postgraduate School. NIST and the NSA recognized him with the 1991 National Computer System Security Award, the nation's highest honor in the computer security field. Dr. Schell is a retired USAF Colonel. He received a Ph.D. in Computer Science from MIT, an M.S.E.E. from Washington State, and a B.S.E.E. from Montana State.
"No software capability can provide more overall security than the platform it is hosted on. Factually, you are transparent to all IT networks & software today." Today, to our knowledge, your platform is the "only commercial transparent appliance" that today can deal with standard & proprietary software. If you can get a major institution like TJ Maxx (TJX) to take the next step with their executives (NOT IT staff) folks at first, they might at least understand how they can benefit today.
Although you are partnered with IBM's Autonomics Division (on the hardware side), none of their software folks, or any of the others like the Ciscos, Microsofts, Boeing, General Dynamics, Nortel, Lucent, etc., understand the story. Of course these same folks got them into this problem in the first place?? The fox is in the hen house!!!
These "experts" are pushing encryption, totally ignoring that to the professional attacker, whom they don't seem to recognize, this encryption would make little difference since they would steal the keys or decrypt the data to get a plain text copy. Crypto is indeed the "opiate of the naive". Remember all software is hackable.
2) Professor Bill Caelli: The problem haunting all critical information-sharing efforts is the threat of deliberately planted malicious software designed to subvert the very protection mechanisms relied upon to protect valuable assets from compromise. No vendor today can procure or offer a platform that offers the technical basis to trust system protections respecting integrity or confidentiality of the data of different domains against subversion by a targeted attack using deliberately planted malicious software.
Encryption doesn't solve the problem -- a fact that will continue to bedevil MLS efforts on any platform in the market today.
Professor Bill Caelli has written:
"It is common ... for the banking and finance industry to explain their security parameters to customers in terms of 128 & 256-bit cipher, SSL implementation without any discussion at all of the system security at each end of the "line".... This trend totally ignores the fundamental fact that such encryption will only be as secure as the operating system structure in which it sits. The emphasis must then move back to the "TCSEC/Common Criteria" environment and reasonable proof that software and hardware based encryption structures are fully protected. Contrary to accepted ideas, then, the use of cryptography actually enhances the need to reconsider security functionality and evaluation at the operating system and hardware levels ..." ("Relearning 'Trusted Systems' in an Age of NIIP: Lessons from the Past for the Future", 2003.)
3) This seminal journal publication is the one single best document that defines the problems and suggests the solution:
John R. Michener (Ph.D.), Steven D. Mohan (D.CS.), James B. Astrachan (J.D., LL.M.) and David R. Hale (J.D.), "Snake-Oil Security Claims": The Systematic Misrepresentation of Product Security in the E-Commerce Arena, 9 Mich. Telecomm. Tech. L. Rev. 211 (2003), available at http://www.mttlr.org/volnine/Michener.pdf
RE: Data breach costs, customer churn up a bit; Repeat offenders abound
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities: read the book BEFORE you suffer a bad outcome, or propagate one.