Vulnerabilities / Threats

10/11/2018
06:30 PM
50%
50%

Pair of Reports Paint Picture of Enterprise Security Struggling to Keep Up

Many organizations have yet to create an effective cybersecurity strategy - and it's costing them millions.

The costs associated with data breaches continue to grow at a pace that exceeds the resources available to protect the organizations dealing with the breaches. Two new reports, from IBM and EY, make that same point with different data and slightly different, but definitely related, conclusions. Together they provide a picture of security incidents that are inevitably expensive but can be made less so through careful planning.

The first study, commissioned by IBM and conducted by the Ponemon Institute, looks at the cost of data breaches from the perspective of business continuity management (BCM). The study breaks the costs associated with a breach into four areas:

  • Detection and escalation: Finding out you've been breached and deciding what to do about it.
  • NotificationTelling the affected customers, partners, and employees about the breach and notifying any relevant regulators or law-enforcement agencies.
  • Ex-post response: Remediating the impact on the organization and the individuals affected by the breach.
  • Lost business cost: Business lost due to the reputation hit, distraction, or downtime due to the incident.

According to the study, 22 different factors — ranging from the lack of security analytics to the presence of the Internet of Things — can have an impact on the cost, with the overall thrust being that time equals money: The longer it takes to figure out what has happened and to do something about it, the more money the effort will consume. And in 2018, the average incident has consumed $4.24 million in the population studied.

EY also studied the cost of a cybersecurity breach, but from a slightly different perspective: that of cybersecurity in the context of overall business advantage. While 55% of the companies also surveyed by Ponemon on its behalf had some sort of business continuity management team in place, EY found that 87% of the companies were working with limited cybersecurity and resilience capabilities. While the two facts are not mutually exclusive, they suggest that companies have business continuity or cybersecurity teams who operate within very tightly constrained resources. 

Those constrained resources still have room for cybersecurity incidents that cost companies an average of $3.62 million per incident. While a different total than in IBM's study, the two numbers are in the same financial neighborhood, with each representing a significant sum for many organizations.

With different beginning points for their work, the two report reach different conclusions. The IBM report focuses on the impact that a BCM team and plan can have on the cost of an incident once it has occurred. According to the report, an in-place BCM team can save 82 days throughout the total span of an incident, save the company more than $5,700 per day, and lower the overall cost of an incident to an average of $3.55 million.

EY makes the point in its report that organizations must do three things simultaneously:

  • Protect the enterprise: Identify assets and build lines of defense.
  • Optimize cybersecurity: Stop low-value activities, increase efficiency, and reinvest the resulting funds in innovative security technology.
  • Enable growth: Implement security-by-design as a key success factor for digital transformation.

All are critical in the face of 6.4 billion fake email messages sent every day, EY says. The overwhelming number of potential attacks launched against organizations means that cybersecurity must be part of the business strategy and reflected in the organization's governance. Yet, according to the report, "At the moment, there is significant room for improvement. Fewer than 1 in 10 organizations say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet under way."

With approaches that include working to prevent incidents and preparing to deal with incidents when they do occur, the studies show that many organizations have yet to effectively create a cybersecurity strategy that meets the needs of the business — or the incident at hand.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/12/2018 | 8:46:23 AM
4. Increase C-Suite awareness
Lower level staff and cyber expets are well aware of the dangers and methods used by foreign actors, phishing emails and such - but education UP and down the corporae ladder is essential.  C-Suite MUST back the security effort fully and without excuses (Equifax) so it becomes part of IT structure.  Lower levle staff must know the  basics - phishing emails most common cause, malicious websites (no porn) and such.   Unless the knowledge is spread around, other fixes remain problematic at best and ineffective at worst. 
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.