Attacks/Breaches
6/5/2013
12:16 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Mistakes Approach Malice As Data Breach Cause

Malicious attacks are the leading cause of data breaches, but employee and contractor errors are a growing reason, study finds.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
U.S. businesses that experience a data breach spend about $188 per exposed record in cleanup costs.

That finding comes from the eighth annual Cost of Data Breach report released Wednesday by Ponemon Institute. The report, which was sponsored by Symantec, is based on surveys of 277 businesses across nine countries, and defines an exposed record as "information that identifies the natural person (individual) whose information has been compromised in a data breach."

The study found that each data breach cost U.S. businesses, on average, $5.4 million in 2012, down slightly from $5.5 million in 2011. But Germany, second after the U.S. with a total cleanup cost of $4.8 million, actually had the highest per-record cost of $199. Cleanup costs vary widely based on country due to various factors, such as regulations. The lowest per-record breach costs were reported by businesses in Brazil ($58) and India ($42), with total costs of $1.3 million and $1.1 million, respectively.

[ Yahoo is the latest major company to suffer data theft embarrassment. Read Yahoo Japan Data Breach: 22M Accounts Exposed. ]

Overall, the study found that 37% of breaches stem from malicious attacks, followed by human error or negligence on the part of an employee or contractor (35%), and system glitches (29%). Malicious attacks -- most often malware infections, malicious insiders, phishing attacks, social engineering attacks and SQL injection exploits -- imposed the highest cleanup costs, which include expenses related to detecting and responding to breaches and notifying affected consumers, as well as further cleanup.

While malicious attacks continue to make headlines, employee negligence is a growing concern. "Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey," said Larry Ponemon, chairman of the Ponemon Institute, in a statement.

In fact, causes other than malicious attacks were most often to blame in some countries. Although intentional attacks were the leading data breach culprit in Germany, human error was most often to blame in Brazil, while the leading reported cause of breaches at Indian businesses was traced to system glitches or business process failures.

The industries with the highest breach costs were healthcare ($233 per exposed record), financial services ($215), and pharmaceuticals ($207). Both the healthcare and financial services industries reported that the greatest cost associated with a data breach was lost business -- defined as lost customers, the cost of acquiring new customers and loss of brand reputation.

How can businesses keep data breach cleanup costs under control? According to the study, the top three proactive ways to minimize cleanup costs are to create and maintain a data breach response plan, which reduced per-record cleanup costs by an average of $42 per record for U.S. businesses, followed by having a strong security posture ($34) as well as a chief information security officer ($23).

Issuing data breach notifications to affected customers or consumers remains costly, accounting for 10% of total cleanup costs for U.S. businesses and 7% for German businesses. But the study found that notifying consumers too quickly -- meaning, less than 30 days after a breach -- added an average of $37 to a U.S. business's per-record cleanup costs. That's because by rushing to disclose breaches before wrapping related investigations and forensic analysis, businesses often over-estimate the extent of a breach.

Other factors that lead to costlier breaches include third parties being responsible for the breach, as well as the breach stemming from lost or stolen devices.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
timsed
50%
50%
timsed,
User Rank: Apprentice
6/5/2013 | 10:07:48 PM
re: Mistakes Approach Malice As Data Breach Cause
Thanks for the article Mathew - While I agree that malicious attacks can be costly, employee negligence or mistakes are the most painful. Privileged user access has expanded over the years and more cooks in the kitchen seemingly means more mistakes. As Product Manager for an operational security and change management toolset at Dell, I talk to people who needed to recover from that inadvertent drag and drop, or mistaken change of a value in infrastructure architecture like Microsoft Active Directory. As IT becomes more interconnected across tools, infrastructure and services, what was once a simple mistake can cost companies millions in lost revenue and productivity.

The approach I recommend to people is to put controls in place that not only track changes, but can prevent dangerous or damaging changes - even for privileged users. Unfortunately granularity of infrastructure and management interfaces isn't always what we would like - so you have to find a way to work around it. After all, the problem you prevent is the sweetest time and money you'll ever save!

Thanks again for pointing out the Ponemon Report!

#TimSedlack1

Tim Sedlack
Dell Software, GRC
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web