Data-Breach Costs Rising, Study Finds
BobB-nw writes to tell us that a recent study of 43 companies that suffered from data breaches last year showed the total cost of dealing with the breach to have risen to $6.6 million per incident. The cost is about $202 per record compromised for first-timers, while the repeat offenders seem to have their mojo down and only suffer about $192 per record. With 88% of all data loss cases for 2008 being traced back to insider negligence, it's a wonder that a little upfront money isn't being directed at prevention; guess as soon as they idiot-proof it someone will build a better idiot.
"$6.6 million per incident"
Well, that's what they told the insurance company.
If they need to try to idiot-proof a system, take out the "idiot". If these companies hire more technology-inclined workers (people who read /.), they won't have this problem as often.
It's not my fault, someone put a wall in my way.
As a network admin for a mid-sized company, we spend quite a lot of money every year on PCI compliance and outside intrusion detection, and our customers want even more every year. It's expensive and quite often a hassle to maintain good security. Many vendors have told us to 'just open it up' or 'Naw, that issue won't cause a problem'. We schedule days when our operational servers will be down for Windows updates, and our clients yell and scream because they are down. I've not yet found a way to install Windows security patches, firewall security patches, and overall general security upgrades without interruption. I sincerely wish our clients would understand that we want to make money also, and keeping the clients happy AND SECURE makes us money. So we have a reason for rebooting that terminal server once a month.
it's a wonder that a little upfront money isn't being directed at prevention
No it's not... Only in the last few years has management begun to look at IT as something more than a "support" department. I have worked in companies where the IT department head reported to the Facilities Management Director (think landscaping and custodial services), who reported to the VP of Finance. Essentially, IT had no influence or budget to speak of, even when we pointed out that we were ripe for the picking when it concerned customer data and trade secrets.
Jump forward a few years, and now that same company has a VP of Information Technology and an annual IT budget of 4X the Finance department's total budget.
It's no surprise that it's still taking time to get proactive expenditures approved. What I'm actually surprised about is that most Presidents/CEOs are actually aware of the risks now. If not for a few recent high-profile leaks, most IT departments couldn't get any money for such projects.
Finally, there is no evidence that upfront money wasn't spent. Most companies just haven't figured out how to adequately secure their data, not for lack of resources or trying, but because there isn't a formula for guaranteed success.
Sometimes the best solution is to stop wasting time looking for an easy solution.
Oh, no worries, cooked books taste just as good with SOX as without. As predicted, SOX hasn't changed jack; take a look at the average financial institution today and they have the vast majority of their liabilities in special purpose off-balance-sheet vehicles (see, as long as you only own 49% of the subsidiary, and the rest is owned by your cousin's neighbour's gramma's old dog, you don't have to bring the liabilities onto your balance sheet).
And when rules to change that (strongly opposed by Citigroup, etc.) were supposed to enter into force last November, it was suddenly 'impractical' and got delayed by the FASB.
Right, 'impractical' as in 'the banks are insolvent and unless they get to cook their books it's going to be bloody obvious that actual bailout requirements are in the tens of trillions, which might be a bit unpalatable for taxpayers'.
So SOX has merely added a bunch of expensive administrative crap with no actual extra security for stockholders; they'll get screwed anyway as politically expedient.
I find the problem has several facets.
1. Nearly everything requires Windows
2. Too many Windows applications want or require administrator privileges
3. Users like little gadget software so much they think they need them
4. Microsoft Internet Explorer (need I say more?)
Malware is ALWAYS an internal network security problem. You can bullet-proof your web site from intrusion all you like but when the threat comes from an internal machine on your network, you're done for. There are lots of ways to address the problem, but none of them make users or executives happy. For much data processing, I'd like to see a return of the green CRT and keyboard. They don't crash (easily) and don't get infected with malware and keyloggers. Sure, they don't tell you what the weather is outside, but this is sensitive/valuable data being processed. We don't WANT those things connected.
User technology culture is out of hand and does not address technical/functional needs.
I guess data doesn't just want to be "free" :)