While the term has become a cliché in the security industry, if ever there were a "year of the data breach" in the U.S., 2014 would be a strong contender.
A report released this week by Ponemon Institute LLC adds weight to that view: 2014's string of major corporate data breaches is not only unprecedented in scale but is also exacting a steep financial toll.
Ponemon's 2014 Global Report on the Cost of Cyber Crime, which surveyed 257 companies in seven countries, reported a 10.5% increase in the number of cybercrimes in 2014 versus 2013. The average annual cost of cybercrime per company also rose, from $7.2 million last year to $7.6 million this year. The report further found that it took an average of 31 days to contain an attack, costing the affected company an average of $640,000 over that period, or just over $20,600 per day. That is a 23% increase over 2013, when containment took an average of 27 days and cost $510,000.
Social media was abuzz with the facts and figures, and Twitter users grumbled about the findings.
When it came to U.S. cybercrime alone, the figures were much bleaker. The average annual cost of cybercrime per U.S. company in 2014 was $12.7 million, a 96% increase over five years. The U.S. also saw a 176% increase in the number of attacks, with an average of 138 successful attacks per week in 2014 versus 50 per week when the survey was first conducted in 2010. The average number of days to resolve an attack in the U.S. rose over the same period by 33% to 45 days -- two weeks longer than the global average of 31 days -- at a cost of nearly $1.6 million per incident, or $35,400 per day.
A similar survey by Ovum Consulting offered a far worse picture on a per-record basis. In a survey of 450 senior IT decision makers across North America, Asia-Pacific, Europe and the Middle East and Africa, the average cost of a data loss incident was estimated at $350 per breached record, or $3 million overall.
"The average total cost of a data loss/breach incident is $350 per breached record (or $3 million, on an overall basis)." #OvumGRC Webinar — Axway (@Axway), October 15, 2014
Time to contain; top types of attacks
The global Ponemon report also highlighted the positive correlation between the time to contain an attack and the cost incurred: businesses that detected and contained an attack in fewer days ended up paying less. Containment time also varied widely by attack type. Malicious insider attacks took an average of 58 days to contain and malicious code attacks 46 days, while malware attacks averaged five days, botnets 2.7 days and viruses, worms and Trojans 2.6 days.
The U.S. figures followed the same pattern: malicious insider attacks took U.S. companies an average of 65.5 days to contain, malicious code attacks nearly 50 days and Web-based attacks 45.1 days.
Lowering the cost of data breaches
In its report, Ponemon suggests enterprises use security information and event management systems, intrusion prevention systems with updated reputation feeds, network intelligence systems and big data analytics to help reduce the cost and frequency of cybercrime.
Average security breach now at $20k USD/day, 30 days to fix or $600k+. Cost of proactive mobile security? Priceless. http://t.co/yy2AWa5hwq — Adam Stein (@apstein2), October 15, 2014
After a cyberattack, top defense contractors can remediate damage in under 12 hours. "That's awesome." http://t.co/ScYRITaXMy — Matthew Brodsky (@MatthewLBrodsky), October 15, 2014
"Adversaries only need to be successful once to gain access to your data, while their targets must be successful every time to stop the barrage of attacks their organizations face each day," said Art Gilliland, senior vice president and general manager, enterprise security products at HP. "No amount of investment can completely protect organizations from highly sophisticated cyberattacks, but improving and prioritizing your organization's ability to disrupt the adversary with actionable intelligence solutions such as SIEM can significantly improve attack containment and reduce the overall financial impact."
Is the "average" cost to remediate a breach a truly useful number to throw around in any way? http://t.co/T3htH92bug — Packet Dude (@packetdude), October 16, 2014
In other news
- An analyst brief released this week by NSS Labs Inc. examined the shifting landscape of cloud-based security services, namely the growth of services that act as an overlay to protect confidential data as it moves into cloud-based applications such as Dropbox or Salesforce. The brief found that cloud computing security challenges have opened a market for security-as-a-service vendors, and that these services appeal to potential customers because they promise lower costs, rapid scaling, reduced complexity and help with regulatory requirements. It outlined the market drivers for these vendors as well as market inhibitors, such as difficulty supporting legacy applications and mobile users and concerns about update cadence and service-level agreements.
- Documentary film director and producer Laura Poitras, one of the three journalists who met NSA whistleblower Edward Snowden in 2013 and received leaked documents from him, highlighted the importance of free security software in a recent interview with Wired. Her documentary Citizenfour, which details the meetings with Snowden, will be released at the end of the month; its closing credits list the tools used during the making of the film, including Tor, Tails and TrueCrypt. Without these technologies, Poitras said, the film would never have come to fruition. "I have a lot of respect for the cyberpunk movement," Poitras told Wired. "The free software community should be supported more widely. I'm totally in solidarity with what they do."
- Tim Berners-Lee, best known as the inventor of the World Wide Web and an outspoken proponent of an open Internet, backed the launch of Sgrouples' private communication network MeWe, which went live on Wednesday; he also sits on the MeWe advisory board. Online privacy advocate Mark Weinstein and Jonathan Wolfe co-founded the platform, which "provides an online environment for people to be authentic and uncensored, the way they are in their real lives." MeWe combines social networking, cloud storage and both individual and group communications in one service, and it claims it will never share personal user information or use tracking cookies. It is available on Android and iOS smartphones and tablets as well as desktops.