Vulnerabilities / Threats

Pair of Reports Paint Picture of Enterprise Security Struggling to Keep Up

Many organizations have yet to create an effective cybersecurity strategy - and it's costing them millions.

The costs associated with data breaches continue to grow at a pace that exceeds the resources available to protect the organizations dealing with the breaches. Two new reports, from IBM and EY, make that same point with different data and slightly different, but definitely related, conclusions. Together they provide a picture of security incidents that are inevitably expensive but can be made less so through careful planning.

The first study, commissioned by IBM and conducted by the Ponemon Institute, looks at the cost of data breaches from the perspective of business continuity management (BCM). The study breaks the costs associated with a breach into four areas:

  • Detection and escalation: Finding out you've been breached and deciding what to do about it.
  • NotificationTelling the affected customers, partners, and employees about the breach and notifying any relevant regulators or law-enforcement agencies.
  • Ex-post response: Remediating the impact on the organization and the individuals affected by the breach.
  • Lost business cost: Business lost due to the reputation hit, distraction, or downtime due to the incident.

According to the study, 22 different factors — ranging from the lack of security analytics to the presence of the Internet of Things — can have an impact on the cost, with the overall thrust being that time equals money: The longer it takes to figure out what has happened and to do something about it, the more money the effort will consume. And in 2018, the average incident has consumed $4.24 million in the population studied.

EY also studied the cost of a cybersecurity breach, but from a slightly different perspective: that of cybersecurity in the context of overall business advantage. While 55% of the companies also surveyed by Ponemon on its behalf had some sort of business continuity management team in place, EY found that 87% of the companies were working with limited cybersecurity and resilience capabilities. While the two facts are not mutually exclusive, they suggest that companies have business continuity or cybersecurity teams who operate within very tightly constrained resources. 

Those constrained resources still have room for cybersecurity incidents that cost companies an average of $3.62 million per incident. While a different total than in IBM's study, the two numbers are in the same financial neighborhood, with each representing a significant sum for many organizations.

With different beginning points for their work, the two report reach different conclusions. The IBM report focuses on the impact that a BCM team and plan can have on the cost of an incident once it has occurred. According to the report, an in-place BCM team can save 82 days throughout the total span of an incident, save the company more than $5,700 per day, and lower the overall cost of an incident to an average of $3.55 million.

EY makes the point in its report that organizations must do three things simultaneously:

  • Protect the enterprise: Identify assets and build lines of defense.
  • Optimize cybersecurity: Stop low-value activities, increase efficiency, and reinvest the resulting funds in innovative security technology.
  • Enable growth: Implement security-by-design as a key success factor for digital transformation.

All are critical in the face of 6.4 billion fake email messages sent every day, EY says. The overwhelming number of potential attacks launched against organizations means that cybersecurity must be part of the business strategy and reflected in the organization's governance. Yet, according to the report, "At the moment, there is significant room for improvement. Fewer than 1 in 10 organizations say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet under way."

With approaches that include working to prevent incidents and preparing to deal with incidents when they do occur, the studies show that many organizations have yet to effectively create a cybersecurity strategy that meets the needs of the business — or the incident at hand.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/12/2018 | 8:46:23 AM
4. Increase C-Suite awareness
Lower level staff and cyber expets are well aware of the dangers and methods used by foreign actors, phishing emails and such - but education UP and down the corporae ladder is essential.  C-Suite MUST back the security effort fully and without excuses (Equifax) so it becomes part of IT structure.  Lower levle staff must know the  basics - phishing emails most common cause, malicious websites (no porn) and such.   Unless the knowledge is spread around, other fixes remain problematic at best and ineffective at worst. 
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...