Attacks/Breaches
6/5/2013
12:16 PM
Connect Directly
RSS
E-Mail
50%
50%

Mistakes Approach Malice As Data Breach Cause

Malicious attacks are the leading cause of data breaches, but employee and contractor errors are a growing reason, study finds.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
U.S. businesses that experience a data breach spend about $188 per exposed record in cleanup costs.

That finding comes from the eighth annual Cost of Data Breach report released Wednesday by Ponemon Institute. The report, which was sponsored by Symantec, is based on surveys of 277 businesses across nine countries, and defines an exposed record as "information that identifies the natural person (individual) whose information has been compromised in a data breach."

The study found that each data breach cost U.S. businesses, on average, $5.4 million in 2012, down slightly from $5.5 million in 2011. But Germany, second after the U.S. with a total cleanup cost of $4.8 million, actually had the highest per-record cost of $199. Cleanup costs vary widely based on country due to various factors, such as regulations. The lowest per-record breach costs were reported by businesses in Brazil ($58) and India ($42), with total costs of $1.3 million and $1.1 million, respectively.

[ Yahoo is the latest major company to suffer data theft embarrassment. Read Yahoo Japan Data Breach: 22M Accounts Exposed. ]

Overall, the study found that 37% of breaches stem from malicious attacks, followed by human error or negligence on the part of an employee or contractor (35%), and system glitches (29%). Malicious attacks -- most often malware infections, malicious insiders, phishing attacks, social engineering attacks and SQL injection exploits -- imposed the highest cleanup costs, which include expenses related to detecting and responding to breaches and notifying affected consumers, as well as further cleanup.

While malicious attacks continue to make headlines, employee negligence is a growing concern. "Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey," said Larry Ponemon, chairman of the Ponemon Institute, in a statement.

In fact, causes other than malicious attacks were most often to blame in some countries. Although intentional attacks were the leading data breach culprit in Germany, human error was most often to blame in Brazil, while the leading reported cause of breaches at Indian businesses was traced to system glitches or business process failures.

The industries with the highest breach costs were healthcare ($233 per exposed record), financial services ($215), and pharmaceuticals ($207). Both the healthcare and financial services industries reported that the greatest cost associated with a data breach was lost business -- defined as lost customers, the cost of acquiring new customers and loss of brand reputation.

How can businesses keep data breach cleanup costs under control? According to the study, the top three proactive ways to minimize cleanup costs are to create and maintain a data breach response plan, which reduced per-record cleanup costs by an average of $42 per record for U.S. businesses, followed by having a strong security posture ($34) as well as a chief information security officer ($23).

Issuing data breach notifications to affected customers or consumers remains costly, accounting for 10% of total cleanup costs for U.S. businesses and 7% for German businesses. But the study found that notifying consumers too quickly -- meaning, less than 30 days after a breach -- added an average of $37 to a U.S. business's per-record cleanup costs. That's because by rushing to disclose breaches before wrapping related investigations and forensic analysis, businesses often over-estimate the extent of a breach.

Other factors that lead to costlier breaches include third parties being responsible for the breach, as well as the breach stemming from lost or stolen devices.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
timsed
50%
50%
timsed,
User Rank: Apprentice
6/5/2013 | 10:07:48 PM
re: Mistakes Approach Malice As Data Breach Cause
Thanks for the article Mathew - While I agree that malicious attacks can be costly, employee negligence or mistakes are the most painful. Privileged user access has expanded over the years and more cooks in the kitchen seemingly means more mistakes. As Product Manager for an operational security and change management toolset at Dell, I talk to people who needed to recover from that inadvertent drag and drop, or mistaken change of a value in infrastructure architecture like Microsoft Active Directory. As IT becomes more interconnected across tools, infrastructure and services, what was once a simple mistake can cost companies millions in lost revenue and productivity.

The approach I recommend to people is to put controls in place that not only track changes, but can prevent dangerous or damaging changes - even for privileged users. Unfortunately granularity of infrastructure and management interfaces isn't always what we would like - so you have to find a way to work around it. After all, the problem you prevent is the sweetest time and money you'll ever save!

Thanks again for pointing out the Ponemon Report!

#TimSedlack1

Tim Sedlack
Dell Software, GRC
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

CVE-2014-3303
Published: 2014-07-28
The web framework in Cisco WebEx Meetings Server does not properly restrict the content of query strings, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuj81713.

CVE-2014-3304
Published: 2014-07-28
The OutlookAction Class in Cisco WebEx Meetings Server allows remote attackers to enumerate user accounts by entering crafted URLs and examining the returned messages, aka Bug ID CSCuj81722.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.