Reports Paint Mixed Picture of the State of Business Information Security
Global research by Verizon Communications suggests cybercrime generally worsened and the number of stolen customer records skyrocketed last year, but a Ponemon Institute study of U.S. business data compromised during 2011 finds the average cost of each incident declined substantially.
Albert G. Holzinger
April 11, 2012
The 2012 edition of New York-based Verizon Communications Inc.'s annual Data Breach Investigations Report (PDF) suggests the threat of global cybercrime has worsened. "The online world was rife [in 2011] with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks," says the research report, produced with input from the U.S. Secret Service and the National High Tech Crime Unit of the Netherlands. "While these activities encompassed more than data breaches — denial of service attacks, for example — the theft of corporate and personal information was certainly a core tactic."
The report estimates more than 855 business data breaches occurred worldwide in 2011. The 80-page document says the number of records compromised as a result of these incidents skyrocketed to 174 million, from just 4 million a year earlier. In fact, the number of records compromised last year was the second highest since Verizon began collecting and analyzing breach data in 2004.
CAEs should note that the sources and means of the 2011 attacks defy conventional wisdom: 98 percent were perpetrated by external agents, while less than 5 percent involved employees or business partners. Correspondingly, the report says 81 percent of breaches resulted from some form of hacking (up 31 percent from the previous year), while just 5 percent resulted from employee or third-party privilege misuse (down 12 percent). The research finds the leading "commonalities" among the studied incidents are:
- 97 percent of breaches were likely avoidable through relatively rudimentary controls, up 1 percent from the previous year.
- 96 percent of attacks were not highly difficult to accomplish, up 4 percent.
- 96 percent of victimized organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) had not achieved compliance, up 7 percent.
- 94 percent of compromised data was stored on a server computer, up 18 percent.
- 92 percent of incidents were discovered by a third party, up 6 percent.
- 85 percent of breaches took weeks or even months to discover, up 6 percent.
- 79 percent of victim organizations were targets of opportunity, down 4 percent.
A somewhat more heartening analysis of U.S.-only business data finds the average organizational cost of a breach incident was US $5.5 million in 2011, down 24 percent from a year earlier. On a per-breached-record basis, says the U.S. Cost of a Data Breach report, business costs — including a prorated share of incident investigation costs — decreased an average of 10 percent last year to US $194.
The largest factor in both declines was a 6 percent average drop in breach detection costs, to an average US $428,330 per incident in 2011, notes the report by the Dublin, Mich.-based Ponemon Institute and the research arm of security provider Symantec Corp., in Mountain View, Calif. "We think that companies are more efficient now in investigating the data breach and organizing themselves around their incident response plan," says institute Chairman Larry Ponemon.
However, the report notes that customer notification costs increased an average of 10 percent in 2011, to US $561,495 per incident. Ponemon ascribes the increase to organizations' efforts to ensure they are compliant with states' increasingly prescriptive and stringent breach notification rules.
In 2011, malicious attacks accounted for more than one-third (37 percent) of total breaches, up from 31 percent a year earlier. The document notes that for the first time, malicious breaches were the most costly ones, averaging US $222 per compromised record. "Accordingly, organizations need to focus on processes, policies, and technologies that address threats from the malicious insider or hacker," the report advises.
CAEs who are unsure of their organization's exposure to information security risk and its effectiveness in managing it may be interested in reviewing the 16-page Deloitte publication Risk Intelligent Governance in the Age of Cyber Threats (PDF). The document contains a detailed cyber threat risk management maturity model, among other useful information.