Every day, there is yet another survey or report highlighting people’s perceptions of information security and identifying issues that need attention. Most of them tend to repeat what we already know, but two stood out recently and got me thinking.
Data Breach Costs
The first is the 2015 Cost of Data Breach by IBM and the Ponemon Institute. The average per-record cost of lost or stolen data in the United States was $217, and the average total cost of a single data breach in the United States was $6.5 million. Data breach figures vary significantly by industry and geography. The average total cost of a breach worldwide was $3.79 million, and the per-record cost worldwide was $154, the survey found.
If you are in the health care industry, keep in mind the average per-record cost was a staggering $363. It makes sense—payment card numbers have a short shelf life since criminals have to use the numbers before the credit card company cancels them. Health data includes names, addresses and Social Security numbers—none of which have expiration dates. That’s why health records tend to be more valuable on the black market than credit cards.
While the numbers were eye-catching, I found it more interesting that customers are reacting to data breaches. Higher customer turnover, increased customer acquisition costs, impact to reputation, and loss of goodwill added up to $1.57 million per company. This is a significant figure, and a growing share of the total. Data breach costs aren’t just about expenses related to cleaning up and regulatory fines. Loss of business counts, too.
The Buck Stops Here
No one likes data breaches, but does your job depend on your organization not getting breached? The CSO, or the person responsible for the compromised system, typically has been the one in the hot seat. In a conversation about things CISOs wish for, Eric Cowperthwaite, vice-president of advanced security and strategy at Core Security, said, “If I was a practicing CISO right now, the very first thing on my wish list would be a 'keep me from getting fired' gift card.” The card would be something CISOs can hand to the CEO after the inevitable attack, breach and theft of critical assets and say, “can't fire me this time,” he said.
Are perspectives changing? A joint survey by Veracode and New York Stock Exchange Governance Services of 200 corporate directors found that more than two in five respondents said CEOs should be held responsible for a data breach. The order of the blame game is interesting, with the CEO at the top, followed by the CIO, the full C-Suite, the CISO, and then, finally, the board.
The Work Ahead
The past few weeks have been full of data breaches. Websites, government agencies, financial services firms, retailers…the news just keeps coming. It’s quite clear there is a lot of work for security professionals to secure data, defend the networks, and thwart attackers. What are your goals and priorities?
I’ve always been a fan of security awareness programs. By that, I don’t mean training our way to security. Organizations shouldn’t skimp on controls and other defenses just because they invested in training, but I think there is value in having users who are aware their actions can have consequences. Our recent series by our expert contributor Dale “Woody” Wooden on social media use by employees showed just how attackers can combine social media and social engineering to target businesses. So when I see reports like the one from CompTIA, which found just 54 percent of companies offer any kind of security training, I find it distressing, especially since most of them only include it as part of employee onboarding.
RSA Conference partnered with ISACA earlier this year for a state of cybersecurity survey. Considering the respondents were ISACA members, I wasn’t surprised that a majority of them said they have an awareness program in place in their organizations, and 72 percent felt the programs were effective. However, there was an intriguing—no, surprising—finding. The survey results also found that enterprises that weren’t doing awareness training were actually faring better than the ones that were.
Let’s walk through that again. I asked Rob Stroud, international president at ISACA, to clarify: the results show that the enterprises that have an awareness program in place actually have a higher rate of human-dependent incidents such as social engineering, phishing and loss of mobile devices. The camp that says focusing on security awareness programs is not the best use of an organization’s time and money may be on to something. We will be discussing this survey later this month, so stay tuned.
We are going to be talking about security awareness this month. What does this mean? What works for your organization? What doesn’t? Awareness training is important, but it isn’t enough. How do we measure our effectiveness? What is the balance and how do we find it? As always, I welcome your perspectives.