Larry Ponemon

With cyber attacks growing increasingly frequent and complex, cybersecurity strategies are shifting: while prevention is still important, it is more about prevailing. Cyber resilience supports businesses efforts to ensure they’ll continue to thrive despite the increased likelihood of a data
breach.

That’s the essence of cyber resilience – aligning prevention, detection, and response capabilities to manage, mitigate, and move on from cyberattacks. But are businesses ready today to face cyber threats head on? To find out, Ponemon Institute, with sponsorship from Resilient Systems, surveyed 623 IT and IT security practitioners about their organizations’ approach to becoming resilient to security threats. The findings are presented in the study, The Cyber Resilient Organization: Learning to Thrive against Threats.

In the context of this research, we define cyber resilience as the capacity of an enterprise to
maintain its core purpose and integrity in the face of cyberattacks. A cyber resilient enterprise is
one that can prevent, detect, contain and recover from a plethora of serious threats against data, applications and IT infrastructure. A cyber resilient enterprise successfully aligns continuity management and disaster recovery with security operations in a holistic fashion.

Figure 1 shows why cyber resilience is emerging as the standard for which to strive. The
protection of high-value intellectual property and compliance with laws and
regulations are best achieved with cyber resilience, according to 91 percent and 90 percent of respondents, respectively. Cyber resilience also is considered to enhance brand value and reputation (75 percent of respondents) and maximize employee productivity (72 percent of respondents).

Key takeaways include the following:
The state of cyber resilience needs improvement. Only 25 percent of respondents rate their
organizations’ cyber resilience as high (7+ on a scale of 1 = low resilience to 10 = high resilience)
based on the definition described in the introduction. Moreover, a key component of cyber
resiliency is the ability to recover from a cyber attack and only 31 percent rate this as high.
Prevention is also rated fairly low at 33 percent. The ability to detect and contain cyber attacks is rated much higher by 45 percent and 47 percent of respondents, respectively.

Only 25 percent of respondents rate their organizations’ cyber resilience as high based on the definition described in the introduction. Moreover, a key component of cyber resiliency is the ability to recover from a cyber attack and only 32 percent rate this as high. Prevention is also rated fairly low. The ability to detect and contain cyber attacks are rated much higher by 44
percent and 47 percent of respondents, respectively.

Human error is the enemy of cyber resiliency. The IT-related threat believed to have the
greatest impact on an organization’s ability to be cyber resilient and the most likely to occur is
human error. Persistent attacks are considered to have the second greatest impact on cyber
resiliency but are less likely to occur. Planning and preparedness is key to cyber resiliency. It is interesting that a lack of knowledgeable staff or enabling technologies is not as much a hindrance as not devoting the necessary time and resources to planning and preparedness (65 percent of respondents) or insufficient risk awareness, analysis and assessments (55 percent of respondents).

The majority of companies are not prepared to respond to a cyber security incident.
Despite the importance to preparedness to cyber resilience, 60 percent of respondents either say their organization either does not have a cybersecurity incident response plan (CSIRP) (30
percent of respondents) or it is informal or “ad hoc” (30 percent of respondents). Only 17 percent of respondents have a well-defined CSIRP that is applied consistently across the entire
enterprise.

A high level of cyber resiliency is difficult to achieve if no one function clearly owns the
responsibility. Only 24 percent of respondents say the Chief Information Officer (CIO) is
accountable for making their organizations’ resilient to cyber threats. This is followed by 20
percent who say it is the business unit leader and 10 percent who say no one person has overall
responsibility.

Collaboration among business functions is essential to a high level of cyber resilience but it rarely happens. Only 15 percent of respondents say collaboration is excellent. Almost one third of respondents (32 percent of respondents) say collaboration is poor or non-existent.
Leadership and responsibility are critical to improving collaboration.

Organizational factors hinder efforts to achieve a high level of cyber resilience. The
importance of cyber resilience is often not recognized by senior management. Only 44 percent of respondents believe their organizations’ leaders recognize that cyber resilience affects enterprise risks and brand image. About half (50 percent of respondents) say cyber resilience does affect revenues. Other factors that are a hindrance are insufficient funding and staffing.
Preparedness and agility are most important to achieving a high level of cyber resilience.
Respondents were asked to rank those factors considered important to achieving a high level of
cyber resilience. Once again preparedness to deal with cyber threats is critical followed by agility and a strong security posture.

Technologies that enable efficient backup and disaster recovery operations are by far
most important to building a cyber resilient enterprise. Seventy-seven percent of
respondents say technologies that support efficient backup and disaster recovery operations are essential or very important. Also important are technologies that provide advance warning about threats and attackers (59 percent of respondents) and those that provide intelligence about the threat landscape (58 percent of respondents).

Read more about resilience, and a Q&A with Larry, at ResiliantSystems.com

Larry Ponemon

CMOs know that website performance in turn drives marketing performance. While marketers
control some of the factors that sharpen the online experience—accurate content and prudent
use of banner ads, for example—the more technical factors are in the hands of colleagues in IT.
Ideally, Marketing and IT collaborate to deliver excellence. Doing that means knowing what visitors like, and don’t.

The purpose of this research, conducted by Ponemon Institute and sponsored by Neustar is to understand the online experience from the customer’s point of view. What expectations do
consumers have for the reliability of the website, security of information they share, and
availability of information? What is the tolerance or tipping point for problems like unavailable
sites, slow-loading pages, or inscrutable navigation?

We surveyed 761 consumers in the United States between the ages of 18 and 65+. On average,
respondents spend 59 hours per week online mostly doing email, shopping, and social
networking. Some respondents do more advanced activities such as posting blogs and creating
websites.

The findings reveal that consumers expect a high level of website performance—and their
frustrations are aimed at marketers and engineers alike.

Perceptions about a website’s security can decide whether consumers stay or go. As
shown in Figure 1, 78 percent of respondents say slow load times cause
them to worry about security. However, just over half of respondents (54 percent
of respondents) are concerned about the reliability of slow loading web pages. The
findings in this research also reveal that 69 percent of respondents have left a
website because of security concerns. Other concerns, but to a lesser extent, are
annoyance with feature ads that interfere with content (55 percent of respondents)
and feature ads that redirect them to different sites (52 percent of respondents).

Seventy-one percent of respondents say that data breaches negatively impacted their perception of company’s brands. On average, respondents have received two notifications from
organizations telling them that their personal information was lost, stolen or compromised. Even after more than a year, 24 percent of respondents say they still do not perceive those companies’ brands in a positive light.

Overall, fifty-five percent of respondents believe security is important to the perception of a
company’s brand and 50 percent say the same about privacy (protection of identity and other
personal information). Not surprising, respondents overwhelmingly expect financial sites to be
secure (95 percent of respondents).

A bad experience is measured in dollars, not just performance metrics. Sixty-one percent of
respondents say they would be willing to give a website that goes offline only two chances before giving up. Consumers are most likely to discontinue using unavailable sites in financial services (80 percent of respondents) and retail (59 percent).

They are also willing to wait no more than an average of 10 seconds to wait for a website to load.

In fact, seventy-eight percent of respondents are very concerned about the security of web pages that load longer than expected. Forty-one percent of respondents say response time is most important when making a payment (at checkout) and navigating to other web pages within the site (23 percent).

Read the full report at Neustar.

Charlie Miller, who helped find the flaw, installing the patch. Click for Twitter feed.

Bob Sullivan

Consumers are becoming more and more aware that hacking isn’t just a gadget nuisance any more.  Computer security problems, like viruses, increasingly come with real-world consequences — like the potential to screw with an airplane’s flight system, or more recently, a car.  Wired’s Andy Greenberg last month revealed to the world the latest hacking horrible — security researchers were able to “kill” a Jeep while he was in it.

“Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system,” Greenberg wrote. “Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.”

Later, the hackers demonstrated they could stop and steer the car remotely using a software vulnerability.  Yikes.

The digital carjacking incident incident was a huge embarrassment for Jeep maker Fiat Chrysler, which recalled 1.4 million cars to fix the software.

But pity poor Chrysler, which just happened to be the first car maker to end up with egg on its face.  Increasingly, cars are run by computers, and increasingly, that means hacks like this are inevitable.

Consumers  seem to implicitly understand this.  Kelley Blue Book jumped at the news to churn out a survey of users showing that, yes, they all know about the Jeep incident, and yes, they all (Ok, 4 out of 5) think car hacking will be a problem within the next three years. Much to my surprise, many even said they’d pay for hacking protection services, with $8 a month being the preferred cost.  I smell a marketing opportunity for antivirus makers!  I also smell a rat — why should consumers have to pay extra to keep computer criminals out of their cars?  (And while I’m at it, could I make a final, fruitless plea to save at least some dashboard gauges and knobs?  I *hate* digital displays.)

On to the results:

• 72 percent said they are aware of the recent Jeep Cherokee hacking incident.
• 41 percent said they will consider this recent vehicle hacking incident when buying/leasing their next car.
• 78 percent said vehicle hacking will be a frequent problem in the next three years or less.
• 33 percent classified vehicle hacking as a “serious” problem; 35 percent classified it as a “moderate” problem.
• 58 percent do not think there will ever be a permanent solution to vehicle hacking.
• 41 percent think pranking is the most common reason for hacking a vehicle; 37 percent think theft is the most common reason for hacking a vehicle.
• 81 percent think the vehicle manufacturer is most responsible to secure a vehicle from hacking; only 11 percent consider themselves most responsible to secure a vehicle from hacking, and 5 percent see it as the responsibility of their wireless provider.
• 64 percent would prefer to go into a dealership to get a vehicle’s security patch installed; only 24 percent would prefer to do it wirelessly, and a mere 12 percent would prefer to have the software mailed so they could install it themselves.
• 47 percent said they would go to a dealership “immediately” if they knew they had to install a security patch to protect their vehicle from hacking; 31 percent said “within a week,” and 17 percent said “within a month.”
• 44 percent would prefer to be notified via mail, and 41 percent would prefer to be notified via e-mail, in the event their vehicle was recalled.  Only 11 percent preferred notification via a phone call, and 5 percent preferred text.
• 52 percent indicated they would be willing to pay for a monthly subscription to ensure that their vehicle would be completely protected from hacking, with $8 being the average respondents would be willing to pay each month.

“Technology offers a wide range of enhanced convenience for today’s new vehicle buyers, but it also offers the increasing potential for unauthorized access and control,” said Karl Brauer, senior analyst for Kelley Blue Book.  “Cyber-security is still a relatively new area of specialization for automakers, but it’s one they need to take seriously to ensure they are ahead of the curve.  If automotive engineers find themselves playing catch-up in this field, it could have disastrous results for both consumers and the industry.”

Charlie Miller, who helped find the flaw, installing the patch. Click for Twitter feed.

Bob Sullivan

Consumers are becoming more and more aware that hacking isn’t just a gadget nuisance any more.  Computer security problems, like viruses, increasingly come with real-world consequences — like the potential to screw with an airplane’s flight system, or more recently, a car.  Wired’s Andy Greenberg last month revealed to the world the latest hacking horrible — security researchers were able to “kill” a Jeep while he was in it.

“Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system,” Greenberg wrote. “Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.”

Later, the hackers demonstrated they could stop and steer the car remotely using a software vulnerability.  Yikes.

The digital carjacking incident incident was a huge embarrassment for Jeep maker Fiat Chrysler, which recalled 1.4 million cars to fix the software.

But pity poor Chrysler, which just happened to be the first car maker to end up with egg on its face.  Increasingly, cars are run by computers, and increasingly, that means hacks like this are inevitable.

Consumers  seem to implicitly understand this.  Kelley Blue Book jumped at the news to churn out a survey of users showing that, yes, they all know about the Jeep incident, and yes, they all (Ok, 4 out of 5) think car hacking will be a problem within the next three years. Much to my surprise, many even said they’d pay for hacking protection services, with $8 a month being the preferred cost.  I smell a marketing opportunity for antivirus makers!  I also smell a rat — why should consumers have to pay extra to keep computer criminals out of their cars?  (And while I’m at it, could I make a final, fruitless plea to save at least some dashboard gauges and knobs?  I *hate* digital displays.)

On to the results:

• 72 percent said they are aware of the recent Jeep Cherokee hacking incident.
• 41 percent said they will consider this recent vehicle hacking incident when buying/leasing their next car.
• 78 percent said vehicle hacking will be a frequent problem in the next three years or less.
• 33 percent classified vehicle hacking as a “serious” problem; 35 percent classified it as a “moderate” problem.
• 58 percent do not think there will ever be a permanent solution to vehicle hacking.
• 41 percent think pranking is the most common reason for hacking a vehicle; 37 percent think theft is the most common reason for hacking a vehicle.
• 81 percent think the vehicle manufacturer is most responsible to secure a vehicle from hacking; only 11 percent consider themselves most responsible to secure a vehicle from hacking, and 5 percent see it as the responsibility of their wireless provider.
• 64 percent would prefer to go into a dealership to get a vehicle’s security patch installed; only 24 percent would prefer to do it wirelessly, and a mere 12 percent would prefer to have the software mailed so they could install it themselves.
• 47 percent said they would go to a dealership “immediately” if they knew they had to install a security patch to protect their vehicle from hacking; 31 percent said “within a week,” and 17 percent said “within a month.”
• 44 percent would prefer to be notified via mail, and 41 percent would prefer to be notified via e-mail, in the event their vehicle was recalled.  Only 11 percent preferred notification via a phone call, and 5 percent preferred text.
• 52 percent indicated they would be willing to pay for a monthly subscription to ensure that their vehicle would be completely protected from hacking, with $8 being the average respondents would be willing to pay each month.

“Technology offers a wide range of enhanced convenience for today’s new vehicle buyers, but it also offers the increasing potential for unauthorized access and control,” said Karl Brauer, senior analyst for Kelley Blue Book.  “Cyber-security is still a relatively new area of specialization for automakers, but it’s one they need to take seriously to ensure they are ahead of the curve.  If automotive engineers find themselves playing catch-up in this field, it could have disastrous results for both consumers and the industry.”

Ashley Madison website. Turns out “shhhh” isn’t effective security.

Bob Sullivan

Some secrets are more valuable than others. And some secrets are more valuable TO others.  In perhaps the most predictable extortion hack ever, cheating website Ashley Madison has confirmed to Brian Krebs that some of its data has been stolen.  It now appears that tens of millions of people are at risk of being exposed.  As you’ve already deduced, Ashley Madison users are not really all that worried about having the credit card numbers stolen and used for fraud.

According to Krebs, the hackers — who go by the name The Impact Team — say they will slowly dribble out data from the site until its owners take the cheating site, and companion site “Established Men,” offline.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” Krebs quotes the hackers from a post they left behind.

This is hacking 2.0.  It’s not about the data, it’s about the context.  Using stolen data, like credit cards, to get money is hard work.  Extorting someone who has more to lose than money is a lot more profitable.

When Sony was hit by a combination hack / extortion plot in December, I described this new era of hacking.  Sony corporate emails were stolen by hackers, who then embarrassed the heck out of the firm. Execs said inappropriate, even racist, things.  Actresses were insulted and underpaid.  It all reminded me of a smaller, but no less scary, incident several years ago involving a government contractor named HB Gary, which had Anonymous similarly terrorized.

Criminals don’t have to steal financial information to make money hacking. They just have to steal any data that’s valuable to anyone.

Making matters worse for corporate security teams is this reality: In recent years, they’ve all invested heavily in protecting financial data, spending money fortifying the most valuable data.  Credit cards, yes. Email servers, maybe not. Slowly, this will change.  But right now, every executive at every firm in the country should be hard at work doing an honest assessment about what their valuable data really is.   Then, they need to invest wisely in protecting data that might seem inconsequential if stolen in one context, but a disaster of stolen in another.  Because every company will have to plan for ransom and extortion requests now.

It’s hard to understand why Ashley Madion’s owners didn’t see this coming…particularly when AdultFriendFinder.com was hacked two months ago.  But that is how these things go.

The next question in this incident is: How will Avid Life Media get out of this mess?  One possibility is paying a ransom.  A few months ago, I started researching ransom and what I’ll call “data kidnapping” after I’d gotten a whiff this was going on.  The raging success of malware called cryptolocker, which forced victims to pay a few hundred dollars’ ransom to unscramble their data, certainly proved extortion demands can work.  Cryptolocker made $27 million just in its first two months, from both home users and small organizations. 

When I talked to Lisa Sotto, a cyberlaw expert at Hunton & Williams,  about this recently, she said she believed things were only going to get worse.

“That’s exactly how I see it going. Companies and individuals paying, because they potentially have no choice,” Sotto said to me. In fact, ransoms are already common, she said. “I do not believe there is a heck of a lot of negotiation involved…They are not asking for exorbitant amounts, so for the most part, what I hear is people are paying.”

In February, a blog post by Christopher Arehart made me even more convinced that ransom and extortion are hacking 2.0. Arehard is is the global product manager for crime, kidnap/ransom and extortion, and workplace violence expense insurance for the Chubb Group of Insurance Companies.  In his post, he warned companies that cyber-insurance policies often don’t cover extortion situations.

“Cyber liability insurance policies may  help companies deal with first-party cleanup costs, the cost of privacy notifications and lawsuit expenses, but these policies may only provide limited assistance with extortion threats. Extortion threats should be investigated and handled by professionals and small businesses need to know where to turn for assistance,” he wrote.

He then wrote that many businesses should consider adding the same kind of insurance that multinational companies purchase when they must send employees into dangerous parts of the world.

“A kidnap and ransom policy — technically a kidnap, ransom and extortion (KRE) policy — responds when an extortion threat has been made against a company, before there has been any data breach,” he wrote.

I tried to ask Arehart and Chubb about incidents involving extortion or “data kidnapping,” but the firm just pointed me back to his blog.

“Although some criminals eventually back down and do not follow through with their extortion threats, some threats do get carried out and these incidents can often be expensive. The tools available to criminals are vast and they have the power of the Internet behind them. Businesses, especially small businesses, need access to security consultants to help them manage these threats. A KRE policy would provide small businesses with access to those professionals.”

In other words, kidnapping and ransom policies aren’t just for dealing with employees who might run into the Mexican drug cartel any more.

They are for anyone who has data that might be valuable to someone, in some future context.  Secrets are almost always valuable to someone.

Ashley Madison website. Turns out “shhhh” isn’t effective security.

Bob Sullivan

Some secrets are more valuable than others. And some secrets are more valuable TO others.  In perhaps the most predictable extortion hack ever, cheating website Ashley Madison has confirmed to Brian Krebs that some of its data has been stolen.  It now appears that tens of millions of people are at risk of being exposed.  As you’ve already deduced, Ashley Madison users are not really all that worried about having the credit card numbers stolen and used for fraud.

According to Krebs, the hackers — who go by the name The Impact Team — say they will slowly dribble out data from the site until its owners take the cheating site, and companion site “Established Men,” offline.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” Krebs quotes the hackers from a post they left behind.

This is hacking 2.0.  It’s not about the data, it’s about the context.  Using stolen data, like credit cards, to get money is hard work.  Extorting someone who has more to lose than money is a lot more profitable.

When Sony was hit by a combination hack / extortion plot in December, I described this new era of hacking.  Sony corporate emails were stolen by hackers, who then embarrassed the heck out of the firm. Execs said inappropriate, even racist, things.  Actresses were insulted and underpaid.  It all reminded me of a smaller, but no less scary, incident several years ago involving a government contractor named HB Gary, which had Anonymous similarly terrorized.

Criminals don’t have to steal financial information to make money hacking. They just have to steal any data that’s valuable to anyone.

Making matters worse for corporate security teams is this reality: In recent years, they’ve all invested heavily in protecting financial data, spending money fortifying the most valuable data.  Credit cards, yes. Email servers, maybe not. Slowly, this will change.  But right now, every executive at every firm in the country should be hard at work doing an honest assessment about what their valuable data really is.   Then, they need to invest wisely in protecting data that might seem inconsequential if stolen in one context, but a disaster of stolen in another.  Because every company will have to plan for ransom and extortion requests now.

It’s hard to understand why Ashley Madion’s owners didn’t see this coming…particularly when AdultFriendFinder.com was hacked two months ago.  But that is how these things go.

The next question in this incident is: How will Avid Life Media get out of this mess?  One possibility is paying a ransom.  A few months ago, I started researching ransom and what I’ll call “data kidnapping” after I’d gotten a whiff this was going on.  The raging success of malware called cryptolocker, which forced victims to pay a few hundred dollars’ ransom to unscramble their data, certainly proved extortion demands can work.  Cryptolocker made $27 million just in its first two months, from both home users and small organizations. 

When I talked to Lisa Sotto, a cyberlaw expert at Hunton & Williams,  about this recently, she said she believed things were only going to get worse.

“That’s exactly how I see it going. Companies and individuals paying, because they potentially have no choice,” Sotto said to me. In fact, ransoms are already common, she said. “I do not believe there is a heck of a lot of negotiation involved…They are not asking for exorbitant amounts, so for the most part, what I hear is people are paying.”

In February, a blog post by Christopher Arehart made me even more convinced that ransom and extortion are hacking 2.0. Arehard is is the global product manager for crime, kidnap/ransom and extortion, and workplace violence expense insurance for the Chubb Group of Insurance Companies.  In his post, he warned companies that cyber-insurance policies often don’t cover extortion situations.

“Cyber liability insurance policies may  help companies deal with first-party cleanup costs, the cost of privacy notifications and lawsuit expenses, but these policies may only provide limited assistance with extortion threats. Extortion threats should be investigated and handled by professionals and small businesses need to know where to turn for assistance,” he wrote.

He then wrote that many businesses should consider adding the same kind of insurance that multinational companies purchase when they must send employees into dangerous parts of the world.

“A kidnap and ransom policy — technically a kidnap, ransom and extortion (KRE) policy — responds when an extortion threat has been made against a company, before there has been any data breach,” he wrote.

I tried to ask Arehart and Chubb about incidents involving extortion or “data kidnapping,” but the firm just pointed me back to his blog.

“Although some criminals eventually back down and do not follow through with their extortion threats, some threats do get carried out and these incidents can often be expensive. The tools available to criminals are vast and they have the power of the Internet behind them. Businesses, especially small businesses, need access to security consultants to help them manage these threats. A KRE policy would provide small businesses with access to those professionals.”

In other words, kidnapping and ransom policies aren’t just for dealing with employees who might run into the Mexican drug cartel any more.

They are for anyone who has data that might be valuable to someone, in some future context.  Secrets are almost always valuable to someone.

Larry Ponemon

Security risks are pervasive and becoming more difficult to prevent or minimize. Without the support of senior management, much needed investments in people, processes and technologies are not made. The findings of the research reveal the difficulty IT security practitioners face in achieving a stronger security posture because of inadequate budgets and the lack of C-level and boards of directors’ involvement in decisions related to IT security investments. This suggests the importance of IT security practitioners becoming more integral to their companies’ IT spending and investment process.

Ponemon Institute is pleased to present the 2015 Global Study on IT Security Spending & Investments. The purpose of this study is to understand how companies are investing in technologies, qualified personnel and governance practices to strengthen their security posture within the limitations of their budget.

We surveyed 1,825 IT management and IT security practitioners in the following global regions: North America, Europe, Middle East, Africa (EMEA), Asia, Pacific, Japan (APJ) and Latin America (LATAM) in a total of 42 countries. All respondents are involved to some degree in securing or overseeing the security of their organizations’ information systems or IT infrastructure.

They are also familiar with their organization’s budget process and/or spending on IT security activities. According to participants in this research, boards of directors and C-level executives are not often briefed and often not given necessary information to help them make informed budgeting decisions. As shown in Figure 1, 51 percent of respondents do not agree (34 percent) or are unsure (17 percent) that C-level executives are briefed on security priorities and what investments in technology and personnel need to be made.

Fully 64 percent of respondents do not agree (41 percent) or are unsure (23 percent) their boards of directors are made fully aware of security priorities and required investments. The study reveals the following problems with today’s approach to security spending and investments:

• The CEO and boards of directors are rarely believed to be most responsible for ensuring IT security objectives are achieved. Very few participants say their CEO or boards of directors are held most responsible for ensuring IT security objectives are met (6 percent and 3 percent of respondents, respectively). As a consequence of this lack of accountability, only 24 percent of respondents strongly agree that their organization sees security as one of the top two strategic priorities across the enterprise.

• Who owns the IT security budget? It is not the CISO. Only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget. This suggests the importance of security leaders learning how to influence these individuals if they are going to change how budgets are allocated.

• Security spending is not on the board’s agenda. Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support. Without support from C-level executives and boards it is understandable that 50 percent of respondents say budgets will be flat or decreasing in the next two years.

• The budgeting process is too complex. The majority of respondents say the annual budget process is too complex (53 percent of respondents). This might lead to poor investment decisions such as purchasing technologies that do not lead to a stronger security posture or delayed investment in much needed resources.
• Many organizations are stuck in a middle stage of maturity. Necessary funding and proper planning are critical to move to a more mature security posture. Only 43 percent of respondents say their organizations’ IT security budgets are adequate and most security programs are only partially deployed.

• Companies are disappointed in technology purchases. According to the research, a lack of qualified personnel is undermining the effectiveness of technology solutions and the overall security posture of organizations. This is mainly because they don’t have the necessary in-house expertise and vendor support. Such buyer’s remorse may discourage companies from considering state-of-the art technologies.

• Compliance with regulations is difficult without adequate resources. The majority of respondents (58 percent of respondents) do not have sufficient resources to achieve compliance with security standards and laws. Non-compliance puts organizations at risk for legal action and fines.

Want to read the rest of this report?  Download it from Dell here. 

Larry Ponemon

Security risks are pervasive and becoming more difficult to prevent or minimize. Without the support of senior management, much needed investments in people, processes and technologies are not made. The findings of the research reveal the difficulty IT security practitioners face in achieving a stronger security posture because of inadequate budgets and the lack of C-level and boards of directors’ involvement in decisions related to IT security investments. This suggests the importance of IT security practitioners becoming more integral to their companies’ IT spending and investment process.

Ponemon Institute is pleased to present the 2015 Global Study on IT Security Spending & Investments. The purpose of this study is to understand how companies are investing in technologies, qualified personnel and governance practices to strengthen their security posture within the limitations of their budget.

We surveyed 1,825 IT management and IT security practitioners in the following global regions: North America, Europe, Middle East, Africa (EMEA), Asia, Pacific, Japan (APJ) and Latin America (LATAM) in a total of 42 countries. All respondents are involved to some degree in securing or overseeing the security of their organizations’ information systems or IT infrastructure.

They are also familiar with their organization’s budget process and/or spending on IT security activities. According to participants in this research, boards of directors and C-level executives are not often briefed and often not given necessary information to help them make informed budgeting decisions. As shown in Figure 1, 51 percent of respondents do not agree (34 percent) or are unsure (17 percent) that C-level executives are briefed on security priorities and what investments in technology and personnel need to be made.

Fully 64 percent of respondents do not agree (41 percent) or are unsure (23 percent) their boards of directors are made fully aware of security priorities and required investments. The study reveals the following problems with today’s approach to security spending and investments:

• The CEO and boards of directors are rarely believed to be most responsible for ensuring IT security objectives are achieved. Very few participants say their CEO or boards of directors are held most responsible for ensuring IT security objectives are met (6 percent and 3 percent of respondents, respectively). As a consequence of this lack of accountability, only 24 percent of respondents strongly agree that their organization sees security as one of the top two strategic priorities across the enterprise.

• Who owns the IT security budget? It is not the CISO. Only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget. This suggests the importance of security leaders learning how to influence these individuals if they are going to change how budgets are allocated.

• Security spending is not on the board’s agenda. Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support. Without support from C-level executives and boards it is understandable that 50 percent of respondents say budgets will be flat or decreasing in the next two years.

• The budgeting process is too complex. The majority of respondents say the annual budget process is too complex (53 percent of respondents). This might lead to poor investment decisions such as purchasing technologies that do not lead to a stronger security posture or delayed investment in much needed resources.
• Many organizations are stuck in a middle stage of maturity. Necessary funding and proper planning are critical to move to a more mature security posture. Only 43 percent of respondents say their organizations’ IT security budgets are adequate and most security programs are only partially deployed.

• Companies are disappointed in technology purchases. According to the research, a lack of qualified personnel is undermining the effectiveness of technology solutions and the overall security posture of organizations. This is mainly because they don’t have the necessary in-house expertise and vendor support. Such buyer’s remorse may discourage companies from considering state-of-the art technologies.

• Compliance with regulations is difficult without adequate resources. The majority of respondents (58 percent of respondents) do not have sufficient resources to achieve compliance with security standards and laws. Non-compliance puts organizations at risk for legal action and fines.

Want to read the rest of this report?  Download it from Dell here. 

Larry Ponemon

IBM and Ponemon Institute are pleased to release the 2015 Cost of Data Breach Study: Global Analysis. According to our research, the average total cost of a data breach for the 350 companies participating in this research increased from 3.52 to $3.79 million . The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.

In the past, senior executives and boards of directors may have been complacent about the risks posed by data breaches and cyber attacks. However, there is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives to pay greater attention to the security practices of their organizations.

In a recent Ponemon Institute study, 79 percent of C-level US and UK executives surveyed say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical. As evidence, CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank will invest $250 million and have a staff of 1,000 committed to IT security.

For the second year, our study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in our research, we believe we can predict the probability of a data breach based on two factors: how many records were lost or stolen and the company’s industry. According to the findings, organizations in Brazil and France are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 350 companies representing the following 11 countries participated: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (United Arab Emirates and Saudi Arabia) and, for the first time, Canada. All participating organizations experienced a data breach ranging from a low of approximately 2,200 to slightly more than 101,000 compromised records4 . We define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

In this report, for the first time, we will examine two factors that affected the financial consequences of a data breach. The first is executive involvement in their organization’s IT security strategy and response to data breaches. The second is the purchase of cyber insurance to mitigate the cost of a data breach. With the increasing cost and volume of data breaches, IT security is quickly moving from being considered by business leaders as a purely technology issue to a larger business risk. This shift has spurred increased interest in cyber insurance.

The three major reasons contributing to a higher cost of data breach in 2015:

Cyber attacks have increased in frequency and in the cost to remediate the consequences. The cost of data breaches due to malicious or criminal attacks increased from an average of $159 in last year’s study to $170 per record. Last year, these attacks represented 42 percent of root causes of a data breach and this increased to 47 percent of root causes in this year’s study.

The consequences of lost business are having a greater impact on the cost of data breach. Lost business has potentially the most severe financial consequences for an organization. The cost increased from a total average cost of $1.33 million last year to $1.57 million in 2015. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The growing awareness of identity theft and consumers’ concerns about the security of their personal data following a breach has contributed to the increase in lost business.

Data breach costs associated with detection and escalation increased. These costs typically include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors. This total average cost increased from $.76 million last year to $.99 million in this year’s report

More companies are integrating forensic tools into their incident response procedures. In the long-term, deployment of these solutions will prove beneficial to companies because they will provide a clearer picture of the root causes of their data breaches. However, in many cases, these tools enable companies to discover the full extent of the breach. This may result in the reporting of higher data breach costs than in previous years.

NOTE: You may have heard about a Verizon report about data breach costs that came to a different conclusion than our report. We discuss the differences in methodology at this blog post.  And we have a few additional observations about Verizon’s report at this post. 

KEY FINDINGS

• Data breaches cost the most in the US and Germany and the lowest in Brazil and India. The average per capita cost of data breach is $217 in the US and $211 in Germany. The lowest cost is in Brazil ($78) and India ($56). The average total organizational cost in the US is $6.5 million and in Germany $4.9 million. The lowest organizational cost is in Brazil ($1.8 million) and India ($1.5 million).
• The cost of data breach varies by industry. The average global cost of data breach per lost or stolen record is $154. However, if a healthcare organization has a breach the average cost could be as high as $363 and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68). The retail industry’s average cost increased dramatically from $105 last year to $165 in this year’s study.
• Hackers and criminal insiders cause the most data breaches. Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence is $134 per record. The US and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively).
• Malicious or criminal attacks vary significantly by country. Fifty-seven percent of all breaches in the Arabian Cluster and in France 55 percent of all breaches are due to hackers and criminal insiders. Only 32 percent of all data breaches occurring in India are due to malicious attacks and in Brazil it is 30 percent. However, India and Brazil have the most data breaches due to system glitches. Breaches due to human error are highest in Canada.
• Board involvement and the purchase of insurance can reduce the cost of a data breach. For the first time, we looked at the positive consequences that can result when boards of directors take a more active role when an organization had a data breach. Board involvement reduces the cost by $5.5 per record. Insurance protection reduces the cost by $4.4 per record.
• The loss of customers increases the cost of data breach. Certain countries have more problems retaining customers following a data breach and, therefore, can have higher costs. These are France, Italy, UK and Japan. Countries with the lowest churn rate are Canada, India and Brazil. Industries with the highest churn are health, pharmaceuticals and financial services.
• Notification costs remain low, but costs associated with lost business steadily increase. Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will. The average cost has increased from $1.45 million in 2014 to $1.57 million in 2015. Notification costs have declined from $0.19 million in 2014 to $0.17 million in this year’s study.
• Certain countries are more likely to have a data breach. Last year’s study introduced a new analysis on the likelihood of one or more data breach occurrences. It is interesting that the likelihood of a data breach varies considerably across countries. Brazil and France are most likely to have a data breach involving a minimum of 10,000 records. Canada and Germany are least likely to have a data breach.
• Time to identify and contain a data breach affects the cost. For the first time, our study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify. As discussed earlier, malicious or criminal attacks are the most costly data breaches.
• Business continuity management plays an important role in reducing the cost of data breach. The research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $7.1 per compromised record.

To read the entire report, visit IBM’s Cost of a Data Breach website.

I discuss the alleged Cardinals hack with NBC’s Kevin Tibbles. Click to watch.

First of all, if you haven’t read it, you must: The FBI is investigating baseball’s St. Louis Cardinals for hacking the Houston Astros, according to the New York Times. Someone from the Cardinals allegedly stole data offering insight into the Astros player evaluation files, details on possible trades, and so on.  This kind of corporate espionage goes on all the the time, and if you didn’t believe that, well, there you are.

Here’s what’s interesting for you.  The story-in-the-story here is that the Astros hired a hot-shot Cardinals employee named Jeff Luhnow and made him general manager. He took some Cardinals employees with him.  That created bad blood. Apparently, it also created a beachhead for the hacker. The Times reported today that someone from the Cardinals used old passwords from those former employees when breaking into the Astros’ computers.

“Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said,” the Times says.

In other words, Cardinals employees re-used passwords they had used when they worked for the Astros.  Let that be a lesson to you: When you switch jobs, switch whatever password creation trick you have been using.

Still, the situation is a bit unusual.  Computer networks are designed so such passwords cannot be retrieved, even by system administrators.  They’re encrypted. Even firms that store previous passwords to prevent re-use scramble them so they can’t be accessed, according to security expert Harri Hursti. At least, that’s “best practice.”

On the other hand, “there are a lot of crazy organizations out there that store passwords in clear text,” Hursti said.

There are other possibilities, of course.  That details in the New York Times story could be wrong.  A former Cardinals employee could have shared his or her password with others in the team’s front office — that’s not unusual. Maybe a post-it note was left behind on a computer monitor.  Maybe the password was “password.”

But here’s your nearly daily reminder that you might be hacked, and the hacker might be a surprise — it might be a former friend or colleague.  So be vigilant about your passwords.  And when you change companies, change your password habits.