Data Breach Costs: Damage and Danger are Greater than Many Realize

08 May 2014

According to the Ponemon Institute's ninth annual Cost of Data Breach Study, the consolidated total cost of a data breach increased 15% in the last year, to $3.5 million. But some experts say those figures likely underestimate the full scope of the damage.

Duncan Fisken, senior vice president and general manager for EMEA at RedSeal Networks, believes the actual cost of a breach is considerably higher than the consolidated average of $145 per record that Ponemon estimates, even though that in and of itself represents an increase of more than 9% year-over-year.

“These figures are likely to be very conservative and may well be confined to the actual cost of the breach remediation and measurable loss of revenue,” Fisken told Infosecurity in an email. “There are other hidden costs which are much harder to quantify, for example reputational damage, illustrated by the battering a company’s share price can take in the wake of a much-publicized breach as in the Target case, further hit by [CEO] Steinhafel’s departure. Reputational damage can also be the area from which there’s the longest road to recovery. Most would agree that the cost of recovering a lost customer is many multiples of the cost of acquiring a new customer in the first place.”

Other collateral costs that cannot be overlooked are those associated with recruiting new C-level executives; Target has had to find a new CIO and now a new CEO, he pointed out. “Executive searches at this level can often be long and expensive affairs. More difficult to monetize are the opportunity costs incurred during the ‘rebuilding’ period.”

The Ponemon report also revealed that the probability of a company having a data breach involving 10,000 or more confidential records is 22% over a two-year period – and that most IT departments don’t feel prepared. Only 38% of Ponemon study respondents said they have a security strategy to protect their IT infrastructure, and the majority of companies (50%) have low or no confidence that they are making the right investments in people, process and technologies to address potential and actual threats.

Those results run counter to findings in a new survey from Tripwire, which found that 64% of respondents have confidence in their incident response plan. And 40% of retail and financial organizations said that they only need two to three days to detect a breach.

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue,” said Dwayne Melancon, CTO for Tripwire, in a statement. “However, the improved internal communication may be biased by a false sense of security. For example, 95% of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

Melancon continued, “Furthermore, only 60% of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches. These attitudes seem to indicate a high degree of overconfidence or naiveté among information security practitioners. I believe a number of these organizations may be in for a rude awakening if their systems are targeted by criminals.”

Fisken noted that the situation will only worsen over time if attitude changes aren’t made. “Networks are becoming ever more complex as enterprises grow through acquisition and the need to seek more innovative ways to differentiate themselves against their competitors; this is now true of almost every market vertical,” he said. “The increasing complexity and size of networks presents the CISO with the significant problem of preparedness; the need to be in proactive mode, rather than reactive; to predict threats by having sight of the attack surface of the network and, more especially, what those attack vectors mean in terms of the exposure of business-critical assets to would-be attackers.”


Comments

jisantangelo says:

09 May 2014
Thinking about how the danger might be greater than we think. Exactly how many copies of our data are roaming around uncontrolled in Target's (or any other company's) environment? Do we know, do they know, are there some copies of data that are more vulnerable than others?

Joe Santangelo
@DataPrivacyDude
