Data-Breach Costs Rising, Study Finds
BobB-nw writes to tell us that a recent study of 43 companies that suffered data breaches last year showed the total cost of dealing with a breach to have risen to $6.6 million per incident. The cost is about $202 per record compromised for first-timers, while the repeat offenders seem to have their mojo down and only suffer about $192 per record. With 88% of all data loss cases for 2008 being traced back to insider negligence, it's a wonder that a little upfront money isn't being directed at prevention; guess as soon as they idiot-proof it someone will build a better idiot.
"$6.6 million per incident"
Well, that's what they told the insurance company.
That's how much money is missing from the books that they haven't been able to cook since SOX.
2 cents,
QueenB.
HDGary secures my bank
If they need to try to idiot-proof a system, take out the "idiot". If these companies hire more technology-inclined workers (people who read /.) they won't have this problem as often.
It's not my fault, someone put a wall in my way.
that nearly all of these are caused by companies running Windows. Be it the server directly, or the client from which the password was stolen, it is costing loads of money. Perhaps it is time to start charging the OS companies for the costs of these insane break-ins when it can be traced to an opening in the OS.
As a network admin for a mid-sized company, we spend quite a lot of money every year on PCI compliance and outside intrusion detection, and our customers want even more every year. It's expensive and quite often a hassle to maintain good security. Many vendors have told us to 'just open it up' or 'Naw, that issue won't cause a problem'. We schedule days when our operational servers will be down for Windows updates, and our clients yell and scream because they are down. I've not yet found a way to install Windows security patches, firewall security patches, and overall general security upgrades without interruption. I sincerely wish our clients would understand that we want to make money also, and keeping the clients happy AND SECURE makes us money. So we have a reason for rebooting that terminal server once a month.
it's a wonder that a little upfront money isn't being directed at prevention
No it's not... Only in the last few years has management begun to look at IT as something more than a "support" department. I have worked in companies where the IT department head reported to the Facilities Management Director (think landscaping and custodial services), who reported to the VP of Finance. Essentially, IT had no influence or budget to speak of, even when we pointed out that we were ripe for the picking when it concerned customer data and trade secrets.
Jump forward a few years, and now that same company has a VP of Information Technology and an annual IT budget of 4X the Finance department's total budget.
It's no surprise that it's still taking time to get pro-active expenditures approved. What I'm actually surprised about is that most Presidents/CEO's are actually aware of the risks now. If not for a few recent high profile leaks, most IT departments couldn't get any money for such projects.
Finally, there is no evidence that upfront money wasn't spent. Most companies just haven't figured out how to adequately secure their data, not for lack of resources or trying, but because there isn't a formula for guaranteed success.
Sometimes the best solution is to stop wasting time looking for an easy solution.
With 88% of all data loss cases for 2008 being traced back to insider negligence
It is getting harder and harder for me to dismiss the possibility that some of this is the result of inside jobs.
Perhaps, the government should conduct fake breaches to teach them a lesson.
I find the problem has several facets.
1. Nearly everything requires Windows
2. Too many Windows applications want or require administrator privileges
3. Users like little gadget software so much they think they need them
4. Microsoft Internet Explorer (need I say more?)
Malware is ALWAYS an internal network security problem. You can bullet-proof your web site from intrusion all you like but when the threat comes from an internal machine on your network, you're done for. There are lots of ways to address the problem, but none of them make users or executives happy. For much data processing, I'd like to see a return of the green CRT and keyboard. They don't crash (easily) and don't get infected with malware and keyloggers. Sure, they don't tell you what the weather is outside, but this is sensitive/valuable data being processed. We don't WANT those things connected.
User technology culture is out of hand and does not address technical/functional needs.
I guess data doesn't just want to be "free" :)
I'm still waiting on the payment for loss of confidence from Monster.com. Seems they elected **not** to highlight that during their superbowl ad for some reason.
The cost is about $202 per record compromised for first timers, while the repeat offenders seem to have their mojo down and only suffer about $192 per record.
What, so now repeat data breachers get a frequent flier discount? No wonder security sucks so bad!!
"City hall" in German is "Rathaus" Kinda explains a few things......
You've probably already tried but technically, good load balancing and redundancy would be the answer (and/or where possible, scrap the funky Winboxen and squeeze in *nix). As a server platform, in my opinion Windows 2003 is still pretty backwards (the OS, not the businesses stuck using it), but if the goal is uptime and you don't have real (often costly) redundancy, down-time is the natural trade-off.
Quack, quack.
I suspect that $202 per record is a vast underestimate. One single record compromise could devastate someone's life, so they're obviously not factoring in the end-user cleanup effort required, or the insurance required to cover damages from a (possibly class-action) law suit based on that.
OK, here's the deal. You have options:
1. You can be the cracker, where you merely need to find one hole in the OS of one server out of 100 at the site, the 100 pieces of software installed on the servers, the firewall, or any other device or piece of software on the network to get a foot in the door. Or more likely, you just need to social engineer the 20% of users who don't have a clue into doing your work for you. In other words, 3 months of casing the joint, infinite payoffs.
2. Or you can be the IT staff who need to work about 200 hours a week to keep up with new security holes, zero day exploits, patches for the OS, patches for all the software, testing all the 1000 patches a week before deploying to the working environment, installing software for users who aren't admins (which means constant interruptions during the day, then refusals of installs when you actually have time to do it), training of users, logging every visit to the server room, checking event logs on 100 servers and the firewall, getting through the events to actually find valid information, going through event logs on 10 IDS systems which are placed at all the switches, going through the firewall at the remote 7 offices, visiting your users homes who remote in from there, sleeping over at the 10 bosses houses because they all have to VPN from their home with no anti-virus installed, etc. So after you get divorced and die of a heart attack, you can expect to be spat on by upper management when it's time to ask for some money to hire some help. Yeah, give it to meeeeeee!
3. You can do the most important aspects of your job in the IT dept, and hope that you aren't a target of a serious cracker.
A single break-in can cost days (if not weeks) worth of business disruption/outage, or even a secondary/failover site can add up to an annual budget.
While the cost of data can vary, a breach in itself is very costly. In the article, the user record cost/value seemed to be the cost factor (emphasizing "per incident"), but what about the aftermath? I'm sure the total cost is not as small as the figure shown in the article, given that at least a proper preventive measure has been implemented after the "first" incident.
"Don't let fools fool you. They are the clever ones."
I do a lot of teaching companies (employees) about security, and I do a lot of teaching of people about personal safety...these are fun for me and they are very informative for others...
One thing I teach is that you can never idiot proof or child proof or [insert favorite item here] proof anything.
It is a constant thing that people have to do and be mindful of...it is called education. I educate people about security at work and home, I educate children about "strangers" and firearms...
One thing that can be done is to make people more responsible.
If the data breaches are being traced back to employee negligence, it isn't because someone failed to make it idiot proof, it is because someone failed to educate the idiot...
We don't need smarter programs and more restrictions, we need smarter people. period.
What may be rising is the share of that cost shouldered by the companies that make money by warehousing data about individuals, as compared to the share shouldered by the individuals concerned. If that's true, that would be wonderful. It would create the right incentive for said companies to get real about data security.
I've not yet found a way to install windows security patches, firewall security patches, and overall general security upgrades without interruption.
Have two servers (physical or VMs) that each handle 50% of the load. Fail over everything to side B, patch side A. Fail over to side A and see if things are working properly. If the patch didn't break anything patch side B. Once its functionality has been confirmed go back to a 50/50 split.
This is how the telco industry handles phone switches (and just about everything else in their system) and it's worked pretty well for decades.
The only issue is purchasing the two sides, which makes things a bit more expensive.
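The fail-over-and-patch procedure in the comment above, worked through as an added example (not code from the thread or from any telco system). The load balancer pool, the nodes, the "patch" and the health check are all simulated in-process so it runs offline; the `Node` and `Pool` classes, the `patch_breaks` / `breaks_under_full_load` knobs and the version numbers are assumptions standing in for your real LB API and patch tooling. The point it adds beyond the prose is the two failure modes a practitioner has to handle: a patch that breaks the node outright, and one that only misbehaves when that node is carrying 100% of the traffic, which is exactly what the "fail over to side A and see if things are working" step is there to catch. In both cases the patched side is rolled back and the untouched side is never patched, and the pool never drops to zero serving members.

```python
from dataclasses import dataclass


@dataclass
class Node:
    """One side of the pair. The two *_breaks knobs only exist to simulate bad patches."""
    name: str
    version: int = 1
    patch_breaks: bool = False            # simulated: patch leaves the node unable to serve at all
    breaks_under_full_load: bool = False  # simulated: patch only fails when the node carries 100% of traffic
    _broken: bool = False

    def apply_patch(self, new_version: int) -> None:
        # Stands in for "install updates and reboot" (hypothetical; nothing is really patched).
        self.version = new_version
        self._broken = self.patch_breaks

    def rollback(self, old_version: int) -> None:
        # Stands in for restoring the pre-patch snapshot / uninstalling the update.
        self.version = old_version
        self._broken = False

    def health_check(self, full_load: bool = False) -> bool:
        if self._broken:
            return False
        return not (full_load and self.breaks_under_full_load)


class Pool:
    """Minimal stand-in for a load-balancer pool: which members currently receive traffic."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.active = {n.name for n in self.nodes}
        self.min_active = len(self.active)  # lowest number of serving members ever seen; 0 would be an outage

    def drain(self, node: Node) -> None:
        self.active.discard(node.name)
        self.min_active = min(self.min_active, len(self.active))

    def enable(self, node: Node) -> None:
        self.active.add(node.name)

    def serving(self):
        return sorted(self.active)


def patch_side(pool: Pool, node: Node, other: Node, new_version: int, log: list) -> bool:
    """Patch one side following the steps in the comment:
    fail over to the other side, patch, fail over onto the patched side to verify it
    under full load, then return to a 50/50 split. Any failure rolls the node back."""
    # Precondition: never drain a node while the other side is unhealthy or already drained.
    if not (other.health_check() and other.name in pool.active):
        log.append(f"abort: {other.name} is not healthy/serving, refusing to drain {node.name}")
        return False

    old_version = node.version
    pool.drain(node)                         # fail everything over to `other`
    node.apply_patch(new_version)
    ok = node.health_check()
    if ok:
        pool.enable(node)
        pool.drain(other)                    # fail everything over to the freshly patched side
        ok = node.health_check(full_load=True)
        pool.enable(other)                   # back to 50/50 (or to "other only" if the check failed)
    if not ok:
        node.rollback(old_version)
        pool.enable(node)
        log.append(f"rollback: {node.name} failed health check on v{new_version}, restored v{old_version}")
        return False

    log.append(f"{node.name} patched to v{new_version}, both sides serving")
    return True


def rolling_patch(pool: Pool, new_version: int, log: list) -> bool:
    """Patch side A, then side B. Stops at the first failure so the other side stays untouched."""
    a, b = pool.nodes
    return patch_side(pool, a, b, new_version, log) and patch_side(pool, b, a, new_version, log)


if __name__ == "__main__":
    for label, a in (("clean patch", Node("A")),
                     ("patch breaks A", Node("A", patch_breaks=True)),
                     ("A only fails under full load", Node("A", breaks_under_full_load=True))):
        pool, log = Pool([a, Node("B")]), []
        result = rolling_patch(pool, 2, log)
        print(label, "->", result, [n.version for n in pool.nodes], pool.serving(), "min_active", pool.min_active)
        for line in log:
            print("   ", line)
```

The `breaks_under_full_load` case is the one worth studying: a patched node can pass its own health check while sharing load and still fall over when it becomes the only member, so the verification step has to run with the other side drained, and the rollback has to restore the pre-patch state before side B is touched.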
...data will actually become more of a liability for these companies, and maybe, just maybe, we will finally see the end of data-mining browser bars being included in everything under the sun.
And require your workers to learn. That's the quintessential base for security. You can employ the tightest security standards if your users are not able to see a problem in a security breach.
What people do not understand, they will not take seriously. It's the "can't someone else do it" attitude that causes the problem. Not the lack of /. readers in business positions. An IT person cannot replace an auditor, and, frankly, I'd rather be found dead than in an auditor's position.
People, especially in the leading positions, have to understand that a nominal knowledge of IT security becomes more and more critical for people working with computers. As much as a nominal knowledge of office software has become a requirement for office workers, IT security knowledge will become a requirement. People will not be required to be able to build VPN tunnels, but they have to understand why using them is important.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's all about TRUST!
It's all about TRUST! Once lost, trust is very difficult to rebuild. Since many businesses simply refuse to change their business practices, I am of the opinion that too many simply do NOT understand that. If they did, they would make sure that they did NOT get hit the first time. Which means hiring qualified professionals and giving them the time to do the job right!
Just last week I was offered a System Administration job at a company not too far from me. I was told that they had been in business for over 10 years and were the Cadillac of the web server hosting business. They really focused on their customers' needs, unlike a company (she called them by name; I do NOT like them, however I still do not see the reason to state their name) that advertises during the Super Bowl.
I did not laugh when she offered me a rate that was $28 less per hour than what current jobs are paying in my area now, even with this economy. I did not mention that the rate was $12.00 per hour less than what I was paid to do the equivalent job at a company in the mid 1980s. My guess is that whoever they hire will be on call 24/7 and will be responsible for their server security in short order. They probably will not be allowed time to monitor those servers for break-ins either. Just too few people and too much work. Oh, and you can bet that they are not hiring additional bodies just because they are getting them at a lower rate. And where I live it is not considered cheaper to live than most other areas of the country.
They would be smarter to re-evaluate all their hardware and software licensing and annual renewals to see how much they could save by replacing them with effective open source and FOSS solutions.
In this specific case, I am confident that the company will get what they are willing to pay for. And when the economy turns around, which it will do eventually, whoever they hire will be the first to leave them and they will be starting all over again. And that is their upside; their downside is getting hit by crackers and losing their customers' trust.
Actions speak louder than words.
So many companies will pay lip service to so many things that they claim are important, yet when it comes time to do the right thing, they do NOT. The proof is always in their actions, regardless of their words, whether verbal or on paper, business cards and news releases.
It's more expensive to get a new customer than retain an existing customer.
They will say that it is harder (and more expensive) to get a new customer than keep an existing customer. Yet their business policies, specifically their customer no-service response to their customers' problems, say otherwise. Are there any companies that do NOT fall in this category today, as I would like to seek employment with them, as they are obviously in business for the long haul. (And if I can Google the company name + (problem or fraud or issue), OR if they have too many problems listed on Ripoff Reports, please do NOT suggest to me or anyone else that they are not customer-no-service entities.)
At least with Ripoff Reports, when a company gets listed it is forever; they can respond to the complaint, however unlike most Better Business Bureaus, the company can NOT pay to have the incident closed. Note: often the person making the complaint to the BBB is not a member, however the company can be, is encouraged to be, or is.
The customer is almost always right!
The customer is always right. Personally I do not believe this is true, yet have followed th
Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
Remember that "compromised" does not only mean "used by criminals". It also applies to all those millions of accounts on CDs or DVDs genuinely lost in the post, where the data is never used. In these cases the per-record cost is low, so it brings down the average.
Reduce, reuse, cycle
Oh man, I feel you..
I've seen this BS as well - go for the cheapest, and then complain when it collapses around your ears. I worked for a company with mismanagement which caused the revolving door effect, and what do you think HR did? They developed a process so they could push people out of the door by alleging bad performance, thus saving redundancy money - casually ignoring the fact that training a replacement costs about 1..2x their annual salary in lost time, effort taken up from others and general admin - and that's not counting the risk of competitive information leaving with the people involved. But I guess it's easier to lick up to management than to fix the problem, because that takes honest talk and a functional personality that does not confuse wearing a suit with the presence of intelligent thought.
The problem is that the clued-up ones then take you to court, and even with an out-of-court settlement (because you cannot possibly win this) people will talk. I left pretty soon on my own terms, but I heard of an ex-colleague who was not allowed to leave the meeting room until he had signed some document. So he had the police come in and interrogate the idiot for wrongful imprisonment; that settlement cost the company dearly.
Anyway, I'm through with cheapskates and idiots. I now work as an independent for very high grade people who care about quality, not cost (within sensible limits, of course), and my reputation and the trust I am granted is now something *I* control, not some flunky in an office who has been tasked by his superior to flog the troops some more because he needs a new Rolls.
There's an entertaining side effect to this: I now influence the clients of this former company, and it means quality is back on the agenda. For which they don't have the people. Payback is a bitch..
Yes, but how do you KNOW the data is never used? I could receive one of those CDs, sit on it for five years, then take someone's life savings.
They developed a process ...
I am sure they called it something fancy too, lmao...thanks for the laugh, still smiling as I type this.
Anyway, I'm through with cheapskates and idiots. I now work as an independent for very high grade people who care about quality, not cost (within sensible limits, of course), and my reputation and the trust I am granted is now something *I* control, not some flunky in an office who has been tasked by his superior to flog the troops some more because he needs a new Rolls.
Congrats on finally getting there and I hope that you are able to maintain it through the foreseeable future, something tells me that you will.
Hey companies hiring tech workers. Take a good look at your requirements in your job posting. Are you expecting a Senior level person but paying at a Junior level rate?
Are you listing 20 years worth of requirements but looking for someone with a minimum of three years of experience?
Are you looking for a paper tiger? (Certifications that are either unnecessary or that have nothing to do with the actual job that the person is performing for the company; or making any specific certification a MUST have instead of considering equivalent experience.)
Are you looking for someone with 5 years of experience with a technology that has only been out of the labs for two years or less? (I have personally seen this with a new application or new development tool / language more than once, I make sure to give the consulting company a heads up that they can NOT get a person with that many years of experience as the new tool was NOT in development for that long, much less released to the public for consumption for more than a year. I always wondered if any of them ever gave a heads up to the hiring company or not. I know I got a laugh out of it.)
Most important, if you are in Human Resources and you want to save your company some money by bringing in a Junior person at a little lower (not massively lower) rate, how about reducing the number of years of experience to only one or at most two for any one requirement; or better yet, state outright that you are looking for someone with no experience with a specific skill but equivalent experience (X language development experience preferred) and train them up. Push some pressure back on Management and suggest to them that they could help you save the company some money by working up a technical training program for new hires in their department. And then make sure that the new hires are spending at least 20% of their time actually being trained by the Manager. (Or even better than that, encourage the Manager to work with the more Senior members of their team for a specific technical skill and have that Senior development person develop a training program for the skill they have mastered and get the entire team cross-trained and new hires up to speed faster! Talk about team building at its best.) Have your Senior team members develop tasks that will help a new hire come up to speed on the applications and systems that are critical to your company. This would benefit even experienced professionals in coming up to speed quickly as a new hire.
While this seems pretty basic to most of you reading this, based on my personal experience I have rarely seen this type of coming-up-to-speed training program for new hires unless I implemented it myself as the Manager or Senior member of the team.
When I first started in IT, there were those that thought by hoarding knowledge it gave them power over others and/or the company. At one company the IT shop was split between three Managers, one was attempting to force everyone to sign out the 7, 8 and 9 track tapes (yeppers it was a mainframe environment back in the late 70s) thus he controlled them. What he did not know is that the System P