The findings, however, drive home just how big the difference is. Ponemon’s most recent report, The Post Breach Boom, found that, on average, malicious – or intentional – breaches cost affected organizations $840,000 in overall impact, compared with $470,000 for non-malicious data loss incidents.
The data was compiled independently by the Ponemon Institute, which polled 3,529 IT and IT security professionals in eight countries (US, Canada, UK, Australia, Brazil, Japan, Singapore, and the UAE).
The report, sponsored by Solera Networks, also found that the average malicious data breach took 80 days to detect and more than four months (123 days) to resolve. The report also highlights deficiencies in organizations’ detection capabilities: one third of malicious breaches were discovered by a third party or by accident, and 34% of non-malicious breaches were likewise discovered by accident rather than by the affected organization’s own security program.
Perhaps even more worrisome is that, even after detection, sources for 28% of malicious breaches could not be determined by the affected organization, a finding that was highlighted by Ponemon Institute founder, Larry Ponemon, in a briefing with Infosecurity at the RSA Conference in San Francisco.
“There are some interesting issues in security that center around culture…many companies get new-found religion for security when they experience a significant material data or security breach”, Ponemon said, responding to a question about the study’s motivation. “We wanted to find out whether organizations that suffer a malicious criminal attack respond differently.”
What the survey found is that these organizations do respond quite differently when victimized by a malicious attack, a “sonic boom” reaction, as Ponemon described it. In fact, 65% of the organizations polled reported increasing their investments in security technology after being affected by a malicious breach, whereas 51% of those who suffered a non-malicious event did not. Sixty-three percent of respondents in this same group of malicious-breach victims said their organization changed compliance and operational processes to detect future breach events.
But with 28% of organizations unable to determine the root cause of malicious breaches, their ability to respond is severely hampered. “Organizations that can’t tell you the root cause of a breach often can’t determine the entire impact” of the incident, said John Vecchi, VP of marketing with Solera Networks. “Unless organizations have the tools to determine the cause, there is very little chance they can respond effectively to future incidents.”
“Organizations sometimes think they don’t need to know the gory details” about how a breach occurred, Ponemon said, adding that they oftentimes choose to remain tight-lipped about such incidents or simply don’t have the detection tools in place to make an accurate assessment. “They need to know”, he insisted.
Interestingly, the report also revealed clear regional trends, with respondents in Japan and Singapore expressing far more confidence in their ability to prevent, detect, and understand the causes of a breach. Conversely, more mature markets like the US and UK demonstrated far less confidence in these areas, while Brazil ranked at or near the bottom of the confidence scale across nearly every variable examined in the study.
“There is a stigma in the industry: when you get breached, organizations go into hiding”, said Vecchi. “We wanted to better understand the process organizations undertake after a breach. We want to move this industry to a place where we can be comfortable talking about breaches and why they happened”, he added, highlighting Solera’s motivation for sponsoring the report.
“Most security leaders want to talk about these causes, share information, and learn from this – not only within their own organization, but with peers within their own industry verticals”, he continued. “I think research like this is a step in that direction.”
Ponemon hypothesized before the research was conducted that malicious attacks would be more costly than non-malicious ones, but admitted that even he was surprised by how large the gap was. “The moral of the story”, Ponemon said in closing, “is that it’s all about good security culture, and you need proactive technology to help detect and evaluate when and why you are breached if you ever expect to respond appropriately or detect future incidents.”