The year 2014 will long be remembered for a series of mega security breaches and attacks starting with the Target breach in late 2013 and ending with Sony Pictures Entertainment. In the case of Target breach, 40 million credit and debit cards were stolen and 70 million records stolen that included the name, address, email address and phone number of Target shoppers. Sony suffered a major online attack that resulted in employees’ personal data and corporate correspondence being leaked. The financial consequences and reputation damage of both breaches have been widely reported. Other well-publicized mega breaches in 2014 in order of magnitude were:
- ebay (145 million people affected)
- JPMorgan Chase & Co. (76 million households and 7 million small businesses affected)
- Home Depot (56 million unique payment cards)
- CHS community Health Systems (4.5 million people affected)
- Michaels Stores (2.6 million people affected)
- Nieman Marcus (1.1 million people affected)
- Staples (point-of-sales systems at 115 of its more than 1,400 retail stores)
This year is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack. Will companies be prepared to deal with cyber threats? Are they taking steps to strengthen their cyber security posture? Ponemon Institute, with sponsorship from Identity Finder, conducted 2014: A Year of Mega Breaches to understand if and how organizations have changed their data protection practices as a result of these breaches.
Respondents believe security incidents such as Target and other mega breaches raised senior managements’ level of concern about how cyber crimes might impact their organizations. We surveyed 735 IT and IT security practitioners about the impact of the Target and other mega breaches on their IT budgets and compliance practices as well as data breaches their companies experienced. The participants in this study are knowledgeable about data or security breach incidents experienced by their companies. They are also very informed about the facts surrounding the Target and other mega breaches. Following are key steps companies have taken because of mega breaches:
More resources are allocated to preventing, detecting and resolving data breaches.
According to respondents, the Target breach did have a significant impact on the their organizations’ cyber defense. Sixty-one percent of respondents say the budget for security increased by an average of 34 percent. Most was used for SIEM, endpoint security and intrusion detection and prevention.
Senior management gets a wake up call and realizes the need for a stronger cyber defense posture.
More companies have the tools and personnel to do the following: prevent the breach (65 percent of respondents), detect the breach (69 percent of respondents), contain and minimize the breach (72 percent of respondents) and determine the root cause of the breach (55 percent of respondents). Sixty-seven percent of respondents say their organization made sure the IT function had the budget necessary to defend it from data breaches.
Operations and compliance processes are changing to prevent and detect breaches.
Sixty percent of respondents say they made changes to operations and compliance processes to establish incident response teams, conduct training and awareness programs and use data security effectiveness measures.
Many companies fail to prevent the breach with the technology they currently have.
With new investments, companies will hopefully prevent more data breaches. However, 65 percent of respondents say the attack evaded existing preventive security controls. Forty-six percent say the breach was discovered by accident.
Companies confident of understanding the root cause of the breach had incident response teams in place.
They also had the right security management tools and the expertise of a security consultant to help determine the root cause. After knowing the root cause, these companies stepped up their security training and enhanced their security monitoring practices.