Once More unto the Breach Report
The Ponemon Cost of Data Breach 2016 report has delivered its annual update on how data breaches happen and what they cost organizations. Sure enough, they are getting more expensive year on year, and they are taking longer to find and fix. The 2016 study puts the average cost of a breach at over $4 million per incident, a 29% increase since 2013 and 5% up on last year. It also found that a breach takes an average of 201 days to discover, with organizations typically needing a further 70 days to contain it once found.
These findings are not unexpected: organizations are facing more cyberattacks, and holding more sensitive data on increasingly complex IT estates, than ever before. But the Ponemon study also found that data breaches are not just the result of malicious attacks. Fewer than half of all breaches (48%) involved a criminal exploit. The other 52% were the result of human error by employees or contractors (25%) and system glitches, a category that includes both IT and business process failures (27%).
Breaches caused by malicious or criminal attacks were the most expensive, at an average of $170 per record breached, but breaches caused by system glitches ($138 per record) and human factors ($133 per record) were not far behind. A security lapse is expensive however it happens, and the non-malicious causes account for the majority of incidents.
Evidently, there is more to protecting against damaging breaches than buying and deploying a few shiny new products; on its own, that is a band-aid over the problem. Stopping breaches requires a fundamental shift in security mindset, to an approach in which network and data protection is not a commodity you go out and purchase once, but something that is worked on every day.
The 3 ‘P’s of security planning
How do you go about implementing this new approach to security? There are three ‘P’s to consider: products, people, and processes. ‘Products’ covers weaknesses in the technology itself: specific product features, system commands or compliance gaps that attackers can identify and exploit. ‘People’ covers both human error and malicious intent from inside an organization. Employees might leave passwords in obvious places or fall victim to social engineering attacks; IT teams might inadvertently leave a network port open to the internet. ‘Processes’ covers how products or services are installed and configured, and even the method and timing of patch and upgrade deployments. The three overlap in practice: an exploited vulnerability in an unpatched product is usually also a failure of the patching process, and a misconfiguration is both a people and a process problem, so a weakness found in one area should prompt a look at the other two.
Vulnerabilities in any of these three areas can be introduced at any stage, from development, through deployment, to day-to-day operation. A comprehensive security strategy therefore has to deliver protection across all three areas and all three stages, as outlined in this article about mitigating security risks and realizing ongoing savings.
Investing in the strategies described there (regular security testing during the development of applications and services, security training for staff, in-depth monitoring, and active defence against threats) costs pennies on the dollar compared with the $4 million average cost of a single data breach reported in the latest Ponemon study.
It does require a change in mindset, to one that treats security as an ongoing process practised daily both by IT teams and by the wider workforce. But for companies that make that change, the rewards are ongoing too: reduced exposure to breaches, and to the financial losses that follow them.