2015 is likely to be ‘as bad or worse’ for large-scale data breaches than 2014, when a series of incidents at large companies exposed the sensitive information of millions of people and businesses, according to a new report.
The Ponemon Institute report 2014: A Year of Mega Breaches, argues this year is likely to be worse than last year because more information and transactions are being moved to digital environments where they are vulnerable to attack.
In 2014, a range of companies – including Target, eBay, JPMorgan Chase & Co., Staples and Sony Pictures Entertainment experienced what the Ponemon Institute described as ‘mega breaches’. The research firm surveyed 735 IT and IT security practitioners about the impact of the Target breach in late 2013, and other major breaches, on IT budgets and compliance practices. The survey also covered business and government organisations’ own experiences with data breaches.
The report – which included interviews with organisations in a range of industries, including finance (18 percent of respondents), federal government bodies (9 percent of respondents), tech and software (8 percent of respondents) and retail (7 percent of respondents) – found data breaches were felt in nearly every industry over the past year.
The researchers said the Target breach had prompted senior management to allocate more sizeable budgets to security; 61 percent of respondents said their security budgets had increased by an average of 34 percent.
Asked about the key steps their organisations had taken in response to mega-breaches, 72 percent of respondents agreed they had provided the tools and personnel to contain and minimise breaches. Sixty nine percent of respondents agreed their organisations had invested in the ability to quickly detect breaches, while 67 percent agreed their organisations had allocated the budget necessary to defend their data from incursions.
The top technology investments made in response to mega-breaches included security incident and event management (SIEM) solutions (50 percent of respondents said their organisation had invested in these solutions), endpoint security (invested in 48 percent of respondents’ organisations), and intrusion detection and prevention (44 percent). Only 29 percent of respondents reported investing in identity and access management tools.
The researchers also probed further into the data breaches experienced by nearly half (45 percent) of the respondents’ organisations in the last 24 months. Focusing on the one data breach at each of those organisations that had the most serious economic impact on them, the Ponemon Institute found that customer account data was compromised in 68 percent of cases, and customer data in 65 percent. The organisation’s own intellectual property was the third most compromised type of information, but well behind the first two at 28 percent.
How can you notify others if you don’t know yourself?
Organisations’ ability to notify regulators and customers of a data breach can be hampered by their own lack of understanding of when, where and how the incident occurred. This lack of understanding can also stop them making the right decisions about where to strengthen their IT defences.
Of respondents from organisations that experienced one or more breaches in the last 24 months, 20 percent could not determine when the breach was discovered, while another 15 percent did not detect the breach until more than two years later. Even harder for organisations to identify was the location of the breach − 55 percent were unable to determine where exactly they were breached. A further 20 percent of respondents were unable to say when the breach was resolved.
Of those organisations that found the root cause of the breach (where malware was all or part of the cause in 44 percent of cases, a trusted advisor all or part of the cause in 30 percent of cases and a hacker involved in 27 percent of cases), nearly 46 percent did so by accident. Fifty seven percent of those organisations that found the root cause of the breach implemented security training, 54 percent enhanced security monitoring and 38 percent deployed additional security tools.
Reputational damage significant
Almost half of respondents from organisations that experienced one or more data breaches in the past 24 months ranked lost reputation, brand value and marketplace image as a result. They also lost time and productivity (reported by 42 percent of respondents from companies that experienced data breaches), as well as revenue and customers (reported by 42 percent). The cost of newly purchased technology also added up, being reported by 38 percent of respondents in this category.Read more: Defending Your Castle from the Inside: Data Breaches and How to Minimise Their Impact
The cost of notifying affected individuals also impacted breached companies (nominated by 27 percent of organisations that had experienced one or more data breaches). Other expenses included engaging external consultants and attorneys (an issue for 23 percent of organisations).
Free guide to retail security
The Ponemon Institute report revealed that the Target incident had prompted senior management teams at most companies to treat information security much more seriously.
More than half (55 percent) of respondents believed senior management at their organisation were extremely concerned about a data breach following the incident, compared to only 13 percent beforehand.
Management teams at retail companies that collect and process large volumes of the customer data prized by information security attackers have particular cause to review their systems and processes. To navigate the risks to this industry in particular, please check out this free guide.
The online booklet provides a detailed overview of retail's state of security and incorporates recommendations on safeguarding customer financial information.
About the author
Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo Security, Pham covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.
This article is brought to you by Enex TestLab, content directors for CSO Australia.