Monthly Archives: May 2014

Cost of data leaks rising, but there is a ray of hope

Larry Ponemon

Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies in every country studied had to spend more on investigation, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million (in US dollars), 15 percent more than in last year's study.

Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions.

Critical to controlling costs is keeping customers from leaving. The research reveals that damage to reputation and the loss of customer loyalty do the most harm to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceuticals, financial services and healthcare, experience high customer turnover after a breach. Companies in these industries need to be especially focused on the concerns of their customers once a breach occurs.

As a preventive measure, companies should have an incident response and crisis management plan in place before a breach happens. Efficient response and rapid containment of the damage have been shown to reduce the cost of a breach significantly. Other measures that lower costs include having a CISO with overall responsibility for security and involving the company's business continuity management team in dealing with the breach.

In most countries, the primary root cause of a data breach is a malicious insider or a criminal attack, and this category is also the most costly per record. In this year's study, we also asked the participating companies what worries them most about security incidents, what investments they are making in security and whether they have a security strategy in place.

Here are some bullet points from the study:

  • The cost of a data breach is on the rise. Most countries saw an uptick in both the cost per lost or stolen record and the average total cost of a breach.
  • Fewer customers remain loyal after a breach, particularly in the financial services industry.
  • For many countries, malicious or criminal attacks have taken the top spot as the root cause of the data breaches experienced by participating companies.
  • For the first time, the research reveals that having business continuity management involved in the remediation of a breach can help reduce the cost.

An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.

Global companies also are worried about malicious code and sustained probes, which have increased more than other threat types. Companies estimate that they will deal with an average of 17 malicious-code incidents and 12 sustained probes each month. Unauthorized access incidents have largely stayed level, with companies estimating an average of 10 such incidents each month.

When asked about the level of investment in their organizations' security strategy and mission, respondents on average would like to see it doubled: they expect about $7 million to be spent and would like to spend about $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture results in a financially stronger company.

To download the complete report please use the following link:

www.ibm.com/services/costofbreach

Where trust is currency, we don't want a run on 'the bank'

Bob Sullivan

In the past few months, consumers have been deluged with one reason after another to fear technology and transactions. Target. Neiman Marcus. Michaels.  Millions of stolen credit cards. Millions of passwords leaked and lost by Adobe, and a little less recently, Yahoo. Net users are used to, and perhaps growing numb to, the constant bad news.

Then came Heartbleed.  The most recent scary Internet disaster is much worse than a compromised bank account. Heartbleed turns the very thing that was supposed to keep us safe into our worst technology nightmare. It’s a little like learning that every cop in your city is really working for the mob.  Perhaps better said, it’s like learning that every store you give your credit card to is really a hacker out to steal it.

What are we supposed to do now? And I don't mean reset your password. That is a fine thing to do, but it only helps once the site you use has patched OpenSSL and replaced its certificate; a new password sent to a still-vulnerable server is just as exposed as the old one. And it does nothing for the real problem: trust. If consumers finally lose trust in our transaction systems, everybody loses. Even the hackers.

“This is the last thing consumers need in the wake of the Target breach and all the other security breaches we have been hearing about,” said Avivah Litan, the security analyst at Gartner Group who is the loudest voice you’ll hear when there is a big data leak.

To review, Heartbleed is not a flaw in encryption itself but a bug in OpenSSL, the software library a large share of websites use to keep data scrambled while it flies around the Internet. You know its work mostly from those little locks that appear next to web addresses in your browser. A feature designed to keep encrypted connections open over time, the TLS heartbeat extension, lets one computer send the other a small message that says "I'm still here" and get it echoed back. The sender also states how long that message is, and OpenSSL trusted that stated length instead of checking it against what had actually arrived. Researchers figured out that a heartbeat request claiming a far larger payload than it carried would be answered with up to 64 kilobytes of whatever happened to sit in the server's memory next to the request. The heartbeat could be made to bleed data. On a busy web server that can include credit card numbers, passwords and session cookies, and worse, the server's private encryption key, which lets an attacker impersonate the site or decrypt traffic to it. A bit like the ominous hacker movie Sneakers, the Heartbleed bug truly meant an end to secrets online.
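The paragraph above describes the mechanism in words; the following is an added example, not code from the original post or from OpenSSL, that models it in a few dozen lines of C. The record layout follows RFC 6520 (one type byte, a two-byte payload length, the payload, at least 16 bytes of padding). The byte arrays are constructed for the demo: a malicious request whose header claims 15 payload bytes but carries 6, followed by 9 bytes standing in for a secret that happens to sit next to it in memory, and an honest request for comparison. The vulnerable handler mirrors the unchecked copy in OpenSSL 1.0.1 through 1.0.1f; the fixed handler applies the bounds check the 1.0.1g patch added. The claimed length is kept at 15 so the over-read stays inside the array; a real attacker claimed 65535 and received up to 64 KB of heap per request.

```c
/*
 * Added example (not the original post's or OpenSSL's code): a model of the
 * TLS heartbeat bug behind Heartbleed (CVE-2014-0160). A heartbeat record
 * (RFC 6520) is: type (1 byte), payload_length (2 bytes), payload, padding.
 * The bug: the server trusted payload_length from the wire and copied that
 * many bytes into its reply, reading past the request into process memory.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_RESPONSE 2
#define MIN_PADDING 16

/* Constructed "memory": a 9-byte malicious record followed by a secret. */
static const unsigned char EVIL_ARENA[] =
    "\x01"          /* type: heartbeat_request                   */
    "\x00\x0f"      /* payload_length = 15, but only 6 bytes sent */
    "ABCDEF"        /* the payload actually received             */
    "SECRETKEY";    /* adjacent heap contents, never transmitted */
#define EVIL_RECORD_LEN 9   /* bytes the server really received */

/* Constructed honest request: 6-byte payload, 16 bytes of padding. */
static const unsigned char HONEST_RECORD[] =
    "\x01" "\x00\x06" "ABCDEF" "0123456789abcdef";
#define HONEST_RECORD_LEN 25

/* payload_length as claimed in the header (big-endian). */
static uint16_t claimed_len(const unsigned char *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Build a heartbeat_response echoing n bytes that follow the header. */
static size_t build_response(const unsigned char *rec, size_t n,
                             unsigned char *out, size_t out_cap)
{
    if (3 + n > out_cap)
        return 0;                   /* demo guard only; not part of the bug */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(n >> 8);
    out[2] = (unsigned char)(n & 0xff);
    memcpy(out + 3, rec + 3, n);    /* reads n bytes, however many arrived */
    return 3 + n;
}

/* Vulnerable (OpenSSL 1.0.1 to 1.0.1f): the received length is never used. */
size_t vulnerable_heartbeat(const unsigned char *rec, size_t record_len,
                            unsigned char *out, size_t out_cap)
{
    (void)record_len;
    return build_response(rec, claimed_len(rec), out, out_cap);
}

/* Fixed (OpenSSL 1.0.1g): drop the record unless header, claimed payload
 * and minimum padding all fit inside what was actually received. */
size_t fixed_heartbeat(const unsigned char *rec, size_t record_len,
                       unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + MIN_PADDING)
        return 0;
    size_t n = claimed_len(rec);
    if (1 + 2 + n + MIN_PADDING > record_len)
        return 0;                   /* silently discard, as the patch does */
    return build_response(rec, n, out, out_cap);
}

/* 1 if the vulnerable handler echoes the adjacent secret to the client. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[64];
    size_t n = vulnerable_heartbeat(EVIL_ARENA, EVIL_RECORD_LEN, out, sizeof out);
    return n == 3 + 15 && memcmp(out + 3 + 6, "SECRETKEY", 9) == 0;
}

/* 1 if the fixed handler refuses the malicious record. */
int fixed_rejects_evil(void)
{
    unsigned char out[64];
    return fixed_heartbeat(EVIL_ARENA, EVIL_RECORD_LEN, out, sizeof out) == 0;
}

/* 1 if the fixed handler still answers an honest request correctly. */
int fixed_answers_honest(void)
{
    unsigned char out[64];
    size_t n = fixed_heartbeat(HONEST_RECORD, HONEST_RECORD_LEN, out, sizeof out);
    return n == 9 && out[0] == HB_RESPONSE && memcmp(out + 3, "ABCDEF", 6) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects evil:      %d\n", fixed_rejects_evil());
    printf("fixed answers honest:    %d\n", fixed_answers_honest());
    return 0;
}
```

The whole fix is the single comparison in `fixed_heartbeat`: the length a peer claims is never to be trusted over the length the transport actually delivered. Note also why the leak reached private keys in practice: the over-read is not of "stored data" in any deliberate sense but of whatever heap allocations happened to neighbour the request buffer, and on a TLS server key material is among the things living on that heap.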

The Heartbleed code is now fixed, companies are racing to install the fix, and consumers are stumbling through changing passwords and doing the usual "have I been robbed?" inventory on their bank accounts. Crisis averted. This time. (Aside: if you changed a password before the site in question had patched OpenSSL and replaced its certificate, the new password could have been captured just like the old one, so change it again once the site confirms it has done both.)

The question has to be asked: How many times can we warn consumers to check their bank account statements carefully? Hanging over the Heartbleed incident, and Target before it, and Yahoo before that, is a dark feeling that the whole thing might not be safe.  Consumers always react to large credit card hacks by saying they will now buy with cash.  Most of the time, data shows, they don’t mean it.  But Target had to admit last quarter that its revenue was materially impacted by the credit card incident.  This is getting serious.

In the credit card world, the response to Target was straightforward. Journalists discovered that U.S. credit cards were a decade behind the times, and folks started pushing to add computer chips to our old-fashioned plastic, using a technology known as EMV. Of course, if EMV were so great, U.S. card issuers would have installed the chips 10 or even 15 years ago. Folks who know credit card security will admit privately that moving to EMV isn't really much of a solution: the chip stops counterfeit cards at the register, but fraudsters can simply move to other kinds of credit card fraud the chips can't stop, above all card-not-present fraud online, where no chip is ever read. But there is still a very good reason to add the chips.

Trust.

EMV will make shoppers feel better.  That’s not a placebo. Trust is a very real thing.  In fact, it’s the only thing.

If — when? — consumers finally get fed up by all the bad news, and a real trust gap arises, lots of people are going to lose lots of money.  When a consumer pays for something with a $20 bill instead of swiping a card, at least 4 different entities miss out on getting a cut of that transaction. Trust means you don’t think, you just pull out your plastic. A trust gap means, perhaps, you don’t bother logging into that website and changing your password, you simply go somewhere else.

In other words, trust is basically the currency of our time.  A tipping point on trust would create the equivalent of a run on a bank during a currency crisis.  Lack of trust can snowball.  With each “withdrawal,” the trust gap only grows.

In the credit card world, only comprehensive changes to the entire, end-to-end system of payments will really take a bite out of crime. I recently spoke to Visa’s Chief Risk Officer, Ellen Richey, who told me that a move to chip cards should be accompanied by new technology that makes online credit card fraud more difficult.

We don’t need to plug a hole in the dam with our thumb, we need a new dam.

This same thinking needs to govern online transactions, and privacy in general. It’s terrible that folks around the world are being told, in rather panicked tones, “CHANGE ALL YOUR PASSWORDS!”  But it’s even more terrible that most of our digital and financial lives are guarded only by 50-year-old technology involving 8 upper or lower case letters and maybe a number or two. Two years ago, after a series of high-profile password list leaks from sites like LinkedIn, experts proclaimed the password dead.  Heartbleed proves it’s more like a vampire that seems to live forever and come out to threaten us once in a while.

Litan, the Gartner analyst, has some good news about Heartbleed.  Remember, this is a flaw discovered by good guys, not an active crime (like Target). That means the damage can be contained, and she thinks it will be. This time.

"I don't think this is an uncontrollable disaster," she said. "It's manageable and as long as the companies who use this version of OpenSSL act responsibly, i.e. patch and secure their systems and ask users to change passwords, we are OK. There is no evidence that the criminals have used this attack vector yet. And if these security steps are taken and upgrades are made, they won't be able to."

So, there’s no run on the trust bank this time.  But I guarantee that consumer patience is not infinite.  We can only come up with so many variations of our pets’ names. Tokens? Fingerprints? Disposable passcodes?  Something needs to change before we ask users to invent new passwords one time too many, and the trust gap swallows up the whole thing.
