Monthly Archives: October 2017

Cybercrime costs up 23 percent in just two years; firms investing in wrong technologies

Larry Ponemon

Over the last two years, the accelerating cost of cyber crime means that it is now 23 percent more than last year and is costing organizations, on average, US$11.7 million. Whether managing incidents themselves or spending to recover from the disruption to the business and customers, organizations are investing on an unprecedented scale, but current spending priorities show that much of this is misdirected toward security capabilities that fail to deliver the greatest efficiency and effectiveness.

A better understanding of the cost of cyber crime could help executives bridge the gap between their own defenses and the escalating creativity—and numbers— of threat actors. Alongside the increased cost of cyber crime—which runs into an average of more than US$17 million for organizations in industries like Financial Services and Utilities and Energy—attackers are getting smarter. Criminals are evolving new business models, such as ransomware-as-a-service, which mean that attackers are finding it easier to scale cyber crime globally.

With cyber attacks on the rise, the number of successful breaches per company each year has risen more than 27 percent, from an average of 102 to 130. Ransomware attacks alone have doubled in frequency, from 13 percent to 27 percent, with incidents like WannaCry and Petya affecting thousands of targets and disrupting public services and large corporations across the world. One of the most significant data breaches in recent years has been the successful theft of 143 million customer records from Equifax, a consumer credit reporting agency, a cyber crime with devastating consequences due to the type of personally identifiable information stolen and the knock-on effect on the credit markets. Information theft of this type remains the most expensive consequence of a cyber crime. Among the organizations we studied, information loss represents the largest cost component, with a rise from 35 percent in 2015 to 43 percent in 2017. It is this threat landscape that demands organizations reexamine their investment priorities to keep pace with these more sophisticated and highly motivated attacks.

To better understand the effectiveness of investment decisions, we analyzed nine security technologies across two dimensions: the percentage spending level between them and their value in terms of cost savings to the business. The findings illustrate that many organizations may be spending too much on the wrong technologies. Five of the nine security technologies had a negative value gap, where the percentage spending level is higher than the relative value to the business. Of the remaining four technologies, three had a significant positive value gap and one was in balance. So, while maintaining the status quo on advanced identity and access governance, the opportunity exists to evaluate potential over-spend in areas which have a negative value gap and rebalance these funds by investing in the breakthrough innovations which deliver positive value.

Following on from the first Cost of Cyber Crime report launched in the United States eight years ago, this study, undertaken by the Ponemon Institute and jointly developed by Accenture, evaluated the responses of 2,182 interviews from 254 companies in seven countries: Australia, France, Germany, Italy, Japan, the United Kingdom and the United States. We aimed to quantify the economic impact of cyber attacks and observe cost trends over time to offer some practical guidance on how organizations can stay ahead of growing cyber threats.


Security intelligence systems (67 percent) and advanced identity and access governance (63 percent) are the top two most widely deployed enabling security technologies across the enterprise. They also deliver the highest positive value gap, with organizational cost savings of US$2.8 million and US$2.4 million respectively. As the threat landscape constantly evolves, these investments should be monitored closely so that spend is at an appropriate level and maintains effective outcomes. Aside from systems and governance, other investments show a lack of balance. Of the nine security technologies evaluated, the highest percentage spend was on advanced perimeter controls. Yet the cost savings associated with technologies in this area were only fifth in the overall ranking, with a negative value gap of minus 4. Clearly, an opportunity exists here to assess spending levels and potentially reallocate investments to higher-value security technologies.

Spending on governance, risk and compliance (GRC) technologies is not a fast-track to increased security. Enterprise-wide deployment of GRC technology and automated policy management showed the lowest effectiveness in reducing cyber crime costs (9 percent and 7 percent respectively) out of nine enabling security technologies. So, while compliance technology is important, organizations must spend to a level that is appropriate to achieve the required capability and effectiveness, enabling them to free up funds for breakthrough innovations.

Innovations are generating the highest returns on investment, yet investment in them is low. For example, two enabling security technology areas identified as “Extensive use of cyber analytics and User Behavior Analytics (UBA)” and “Automation, orchestration and machine learning” were the lowest ranked technologies for enterprise-wide deployment (32 percent and 28 percent respectively), and yet they provide the third and fourth highest cost savings for security technologies. By rebalancing investments from less rewarding technologies into these breakthrough innovation areas, organizations could improve the effectiveness of their security programs.

The foundation of a strong and effective security program is to identify and “harden” the higher-value assets. These are the “crown jewels” of a business: the assets most critical to operations, subject to the most stringent regulatory penalties, and the source of important trade secrets and market differentiation. Hardening these assets makes it as difficult and costly as possible for adversaries to achieve their goals, and limits the damage they can cause if they do obtain access.

By taking the following three steps, organizations can further improve the effectiveness of their cybersecurity efforts to fend off and reduce the impact of cyber crime:

Invest in the “brilliant basics” such as security intelligence and advanced access management and yet recognize the need to innovate to stay ahead of the hackers. Organizations should not rely on compliance alone to enhance their security profile but undertake extreme pressure testing to identify vulnerabilities more rigorously than even the most highly motivated attacker.
Balance spend on new technologies, specifically analytics and artificial intelligence, to enhance program effectiveness and scale value.

Organizations need to recognize that spending alone does not always equate to value. Beyond prevention and remediation, if security fails, companies face unexpected costs from not being able to run their businesses efficiently to compete in the digital economy. Knowing which assets must be protected, and what the consequences will be for the business if protection fails, requires an intelligent security strategy that builds resilience from the inside out and an industry-specific strategy that protects the entire value chain. As this research shows, making wise security investments can help to make a difference.

To learn more about the study, visit


Q: Why would anyone at Equifax have access to 143 million SSNs? A: Greed


Bob Sullivan

There’s lots of juicy details about the Equifax hack in a story published today by Bloomberg. It makes the strongest case yet that the massive heist of American SSNs was probably pulled off by a nation-state. That’s likely true about the huge theft of federal employee data back in 2015, also, so it’s not a surprise.

One thing has been gnawing at me from the beginning about Equifax, however, and it should be gnawing at you, too: Why would anyone, anywhere, have access to 143 million Social Security numbers?

What business use would there ever be at a place like Equifax to access a database like that, or to access various data files and put them together?

The answer is: There isn’t one.

Equifax was never going to put money into each of our Social Security “accounts.” It should never have even contemplated something like a mass mailing to every American that required our SSNs. CEO Richard Smith was never going home at night and reading a “book” of American personal identification just to understand his business from a holistic point of view.

Nope. I can’t think of a reason. Well, except laziness and arrogance.

Bloomberg’s story provides food for thought on this count. It cites a LinkedIn post by Steve VanWieren, an executive who left Equifax in January 2012.

“It bothered me how much access just about any employee had to the personally identifiable attributes. I would see printed credit files sitting near shredders, and I would hear people speaking about specific cases, speaking aloud consumers’ personally identifiable information,” the post reads. VanWieren was describing incidents at least five years old, as he left the firm in 2012. Still, they clearly paint the same picture I am.

Too many privileges!

One basic premise of modern security is limiting employees to only those resources they need to do their jobs. And when those jobs are over, the access must be cut off. For example, desktop support doesn’t need access to human resource files unless there’s a specific problem, and when there is, access to salary data, etc., should be as limited and temporary as possible. Access is permitted on a need-to-know basis, and no more.
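The need-to-know rule described above can be checked mechanically. The following is an added example, not code from the original post or from BeyondTrust: a small audit that walks a list of access grants and flags the cases the paragraph names, access outside a role's baseline with no justification, temporary exceptions that have expired or never expire, and departed users whose access was never cut off. The role baselines, resource names, users and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed baseline: the resources each job role needs by default.
# Anything outside this set is an exception that must be justified and time-boxed.
ROLE_BASELINE = {
    "desktop-support": {"ticketing", "endpoint-mgmt"},
    "hr-analyst": {"hr-files", "payroll"},
    "credit-analyst": {"credit-files"},  # per-record lookups, not bulk export
}


@dataclass
class Grant:
    user: str
    role: str
    resource: str
    granted: date
    expires: Optional[date] = None   # None means standing access
    ticket: Optional[str] = None     # change/incident ticket justifying an exception
    active_employee: bool = True     # False once the person has left


Finding = Tuple[str, str, str]  # (user, resource, reason)


def audit_grants(grants: List[Grant], today: date) -> List[Finding]:
    """Return every grant that violates need-to-know or time-boxing."""
    findings: List[Finding] = []
    for g in grants:
        if not g.active_employee:
            # Access should have been removed with the account; nothing else matters.
            findings.append((g.user, g.resource, "departed user still has access"))
            continue
        if g.expires is not None and g.expires < today:
            findings.append((g.user, g.resource, "temporary grant expired but still active"))
        if g.resource not in ROLE_BASELINE.get(g.role, set()):
            if g.ticket is None:
                findings.append((g.user, g.resource, "outside role baseline with no ticket"))
            elif g.expires is None:
                # Justified, but an exception with no end date becomes permanent turf.
                findings.append((g.user, g.resource, "exception grant has no expiry"))
    return findings


# Constructed sample grants, chosen to exercise each check once.
SAMPLE_GRANTS = [
    Grant("alice", "desktop-support", "endpoint-mgmt", date(2016, 3, 1)),
    Grant("alice", "desktop-support", "hr-files", date(2017, 9, 20),
          expires=date(2017, 10, 1), ticket="INC-1234"),           # expired exception
    Grant("bob", "desktop-support", "payroll", date(2015, 6, 1)),  # no ticket at all
    Grant("carol", "credit-analyst", "credit-files", date(2016, 1, 5)),
    Grant("carol", "credit-analyst", "credit-files:bulk-export", date(2016, 1, 5),
          ticket="CHG-77"),                                         # justified, never expires
    Grant("dave", "hr-analyst", "hr-files", date(2014, 2, 1), active_employee=False),
]


def run_audit() -> List[Finding]:
    """Audit the constructed sample as of a fixed date so results are reproducible."""
    return audit_grants(SAMPLE_GRANTS, today=date(2017, 10, 15))


if __name__ == "__main__":
    for user, resource, reason in run_audit():
        print(f"{user:6} {resource:25} {reason}")
```

Run against real data, the interesting output is not the list itself but how long it is: a large share of grants flagged as "outside role baseline" is the pattern VanWieren describes, and the bulk-export entry is the kind of right that should exist for almost nobody.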

Managing privileges is annoying, but it works. Morey Haber, vice president of technology at security firm BeyondTrust, recently told me that fully 94 percent of vulnerabilities require administrative rights on targeted machines. So, no admin rights, no problem.

Back to Equifax. Who ever created an architecture that would allow anyone to peek at, let alone remove, 143 million SSNs? What account had the rights to do that? Why?

BeyondTrust recently tied up a bunch of security principles in a tidy narrative it called “Five Deadly Sins that Increase the Risks of a Data Breach.” It includes Envy, Pride, Ignorance, and Apathy. But I suspect the real blame for the Equifax hack is the first sin:

Greed.

Greedy people, in the security sense, need access to as much data and resources as they can get. And when they get it, they don’t want to give it up. In the tech world, privileges are like the old workplace concept of “turf.” Heaven help someone trying to get a worker to give up tech turf.

I asked Haber about the role of greed in the Equifax case. He speculated that one could imagine a marketing use for pulling together that massive Equifax database, but even then, that data should be obfuscated immediately.

“Obviously, (someone) had to have full access to all that data,” he said. “There was no reason to.”

And now, a hacker — perhaps even a nation-state — has access to all that data. Forever.

VanWieren’s comments pretty much make the case here. Clearly, a wide selection of employees had access to far more than “need-to-know” data. It was standard operating procedure.

Your workplace is probably like this, too. Greed is common, but despite what you may have heard in the movies, it’s not good. Why is that? In part, Haber said, it’s because employees react very emotionally to having their network privileges restricted, and even worse to having them revoked.

“(It can be) like taking away someone’s guns,” he said. Tech workers are used to having admin rights and “doing what I want to do.”

The time for accommodating such greed is over, he warned.

“We live in a different set of times now,” he said. “We have to rethink how to be safe.”