Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
Cost Of A Data Breach Jumps By 23%
aws0513
User Rank: Ninja
10/15/2014 | 10:31:02 AM
Pressure points for change
Good article.  It is helpful to see generalized quantification of the costs related to IR and breach remediation.

But I have found that compliance pressure still has an upper hand on changing security programs within organizations.  If an organization cannot resolve audit findings, there is more and more pressure from the regulatory side of the house when they threaten to cut funding or accesses necessary for business to continue.  It seems that organization managers feel more immediate pressure from these forms of punishment.  It is a known known as opposed to a known unknown.
Marilyn Cohodas
User Rank: Strategist
10/15/2014 | 9:54:23 AM
Re: Cost of a breach
"I guess you are only fined when you fail an audit, but not when you are breached."

Great point, @jsturonas600. Says a lot about regulatory effectiveness (or lack thereof).
Charlie Babcock
User Rank: Ninja
10/14/2014 | 10:09:47 PM
The real cost of security
The better it's understood what these attacks really cost, the better financed the security team is likely to be. In the end, secure cloud operations, if such a thing doesn't become an oxymoron, will be a powerful argument to do enterprise computing there. It's easier to impose security on a more uniform environment than on a complex, heterogeneous enterprise environment.
Broadway0474
User Rank: Apprentice
10/14/2014 | 10:07:00 PM
Re: Cost of a breach
In many states, public companies that are breached have to pay for public notification of the event, then pay for every affected consumer to get credit services. Couldn't those charges be considered "de facto fines"?
jsturonas600
User Rank: Apprentice
10/14/2014 | 9:29:04 PM
Cost of a breach
It is interesting that while we hear about the importance of compliance for regulations around protecting sensitive information, the cost of a breach does not seem to include any fines from the industry that is regulating the sensitive information. Maybe there are fines, but they pale in comparison to the other losses, but I am not aware of any fines being issued for any of the most recent breaches. I guess you are only fined when you fail an audit, but not when you are breached.
Stratustician
User Rank: Moderator
10/14/2014 | 4:00:54 PM
Those malicious insiders...
"The most expensive attacks are malicious insiders, denial of service, web-based attacks and malicious code. Malware attacks are most frequently encountered and, hence, represent a relatively low unit cost."

Malicious insiders are still a key threat.  This definitely ties into the need for more proactive controls including employee training, but also ensuring the right data policies are in place to make sure users only have access to what they should have access to based on role.  Additionally, ensuring that the right policies are in place to deal with removing users from access, and managing the right controls for third parties and contractors.
Kelly Jackson Higgins
User Rank: Strategist
10/14/2014 | 3:55:09 PM
Re: Cost +
Those would definitely be interesting elements in the fallout analysis, @IMjustinkern. As we've seen, stock prices tend to rebound fairly well in some of the big retail companies. =)
IMjustinkern
User Rank: Strategist
10/14/2014 | 3:52:41 PM
Cost +
Ponemon always does a solid job with these surveys. Sobering but important to put financial figures behind this. I wonder if there's a way for future surveys to summarize "secondary" sources of fiscal damage? I'm thinking drops in stock value? Or something noting how many people were canned or resigned from a huge breach? I don't think these figures would be out of line in the "cost" side of a breach and would certainly catapult the impact.