Data Breaches: Looking Back, Moving Forward
Article on July 15, 2013
Since the first data breach that generated big media awareness back in 2003, companies have become savvier about the dangers and costs of data breaches. Recent Ponemon Institute research, the 2013 Cost of Data Breach Study, shows companies are doing a better job in responding to the breach incident and in determining the root causes of information losses. C-level executives and boards now realize the costly consequences of material data loss and, hence, appear to be more willing to approve investments in data protection technologies and expert personnel.
And these investments are paying off: The study found that in 2012, data breaches cost American companies an average of $188 per lost record, and $5.4 million per incident, down from $194 per lost record, and $5.5 million per incident in 2011.
Number of Data Breaches: Trending Up
While the cost of data breaches has declined, the number of breach incidents has soared. Another Ponemon research study, theThird Annual Benchmark Study on Patient Privacy and Data Securityreveals that 94 percent of healthcare organizations surveyed suffered at least one data breach during the past two years. Several factors contribute to the increase:
1. Our research shows the emergence of insecure mobile devices (including BYOD), cloud computing, virtualization, and other disruptive information technologies substantially increase the risk of material data breaches. Driving this trend are unrealistic consumer expectations in having instant access to everything, all of the time. It’s what I called in a Baseline article the “consumerization of IT.”
2. Another trend is the increase in stealth and sophistication of malicious or criminal attackers both inside and external to the organization. In short, these “modern-day” attackers have an ability to steal the most sensitive and confidential information without detection. As I recently wrote in the Harvard Business Review, a lively international market for logins, passwords, and medical records has sprung into being. Each pilfered name or number might not be worth much on its own, but a theft of millions of records can earn a hacker an enormous profit.
3. A final big trend is the emergence of cyber attacks against a nation’s critical IT infrastructure (a.k.a. cyber warfare). A flurry of nation-sponsored attacks has already been revealed. Many cyber attackers have banded into government-sponsored syndicates who develop malware that doesn’t even resemble the attack software of five years ago. It’s now much more sophisticated, stealthier, and difficult to identify.
This Will Get Worse Before They Get Better
It appears that the malicious or criminal attackers—including hacktivists and national states—have an advantage over the today’s defenders of corporate data and IT infrastructure. These bad guys only have to be successful once to cause havoc for governments, companies, and people. Further, many organizations do not have the capability to withstand security exploits and information system compromises. For the longer term, however, I predict that the information security community will rise to the occasion and overcome this imbalance of power through innovations that strengthen our counter intelligence and offensive capabilities. More thoughts on this topic are in the article A Decade of Data Breach: Tracking an Evolving Threat.
“Data breaches cost average U.S. firm $5.4M per incident last year, says Ponemon,” FierceEnterpriseCommunications, June 5, 2013