Data Breach Costs are Up (Again), But Some Companies Know Just What to Do…

The Ponemon Institute, in collaboration with IBM, has released its annual study on the costs of data breaches globally and here in the United States. The “2016 Cost of Data Breach Study: Global Analysis” was published last week, and it contains some important findings to take note of, most of which reveal the rising costs associated with a data breach.

“Slow Response and Lack of Planning Cost Companies Millions”

Among the study’s findings:

Although these statistics are sure to garner headlines, perhaps the most valuable findings from the report concern factors that can actually decrease the costs of a data breach. According to the study (page 14 of the Report), there are ten (10) actions that, when taken, are associated with lower data breach costs. They include:

  • Maintaining an incident response team ($16 per capita)
  • Extensive use of encryption ($13)
  • Training employees ($9)
  • Participating in sharing of threat information ($9)
  • Having a company’s board involved ($6)
“…an incident response team, extensive use of encryption, employee training, participation in threat sharing or business continuity management decreased the per capita cost of data breach.”

This latest Ponemon study confirms the continuing trend of rising costs associated with data breaches, both globally and in the United States. It also offers some hope, however. It is now increasingly clear that while data security incidents might well be an inevitable part of doing business, there are concrete actions that smart organizations can take – and some that they can avoid taking – which can lower the risks and resulting costs associated with those incidents. Cyber-savvy organizations will train their employees, maintain an IR team and involve their boards as they consider, plan and prepare for cybersecurity incidents. These actions and others will propel these organizations forward and add to their competitive edge in the marketplace.

Recipe for Disaster: as Phishing & Ransomware Attacks Spike, Companies “Turn a Blind Eye”

According to a recent report by the Anti-Phishing Working Group (APWG), phishing activity is at an all-time high. APWG “observed more phishing attacks in the first quarter of 2016 than at any other time in history…the total number of unique phishing websites observed in Q1 2016 was a record 289,371, with 123,555 of those phishing sites detected in March 2016.” (Source: Phishing Activity Trends Report, 1st Quarter 2016, May 23, 2016).

At the same time, ransomware attacks have also spiked. “Kevin Haley, the director of product management at Symantec Security Response, said his group has seen an average of over 4,000 ransomware attacks per day since Jan. 1, a 300-percent increase over the approximately 1,000 attacks per day in 2015…” Ransomware attacks in the first quarter of 2016 are “coming at quadruple the rate seen last year…” according to figures from the group. (Source: fedscoop, “Ransomware attacks quadrupled in Q1 2016,” by Greg Otto, April 29, 2016).

Ransomware activity has spiked in the first half of 2016.

So are companies responding, training their people and prioritizing cybersecurity as one might hope? Apparently not, at least according to a newly published study by Experian Data Breach Resolution and Ponemon Institute.

The study, entitled “Managing Insider Risk Through Training & Culture,” found that 60% of companies surveyed believe that their employees are “not knowledgeable or have no knowledge of the company’s security risks…Additionally, the study showed a lack of concern by C-suite executives. Only 35% of respondents said that senior management sees it as a priority that employees are knowledgeable about how data security risks affect their organization.” (Source: Infosecurity Magazine, “Orgs Turn Blind Eye to Risky Employee Behavior,” by Tara Seals, May 23, 2016).

“While employee-related security risks are the No.1 concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior.”

According to Infosecurity Magazine, which reported on the study, other findings of concern revealed that:

  • less than half (46%) of surveyed companies make training mandatory for all employees;
  • 60% of companies do not require employees to retake security training courses following a data breach, “missing a key opportunity to emphasize security best practices;”
  • about 43% of companies provide only one basic course for all employees;
  • phishing and social engineering attacks are covered in less than half of basic programs; mobile device security in 38%; and using cloud services safely is covered in less than a third (29%);
  • 67% provide no incentives to employees for being proactive in protecting sensitive information or reporting potential issues; and,
  • only 29% mention security in performance reviews. (Source: Id.)

These findings are a real concern. They make clear that despite increasing cyberattacks, especially those like phishing and ransomware directed at employees, organizations are not taking the steps necessary to prepare those employees to defend themselves and their company. We can only expect employees to ‘play their part’ in cyberdefense if and when we train them and make them aware of the dangers. Successful, savvy business leaders will do that, and they will make cybersecurity a priority in the months and years to come.