Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Security Businesses The Almighty Buck

Data-Breach Costs Rising, Study Finds 67

Posted by ScuttleMonkey
from the always-a-better-idiot dept.
BobB-nw writes to tell us that a recent study of 43 companies that suffered from data breaches last year showed the total cost of dealing with the breach to have risen to $6.6 million per incident. The cost is about $202 per record compromised for first timers, while the repeat offenders seem to have their mojo down and only suffer about $192 per record. With 88% of all data loss cases for 2008 being traced back to insider negligence it's a wonder that a little upfront money isn't being directed at prevention; guess as soon as they idiot-proof it someone will build a better idiot.
This discussion has been archived. No new comments can be posted.

Data-Breach Costs Rising, Study Finds

Comments Filter:
  • BS (Score:5, Insightful)

    by pondermaster (1445839) on Monday February 02, 2009 @04:31PM (#26699971)
    "$6.6 million per incident"
    Well, that's what they told the insurance company.
    • That's how much money is missing from the books that they haven't been able to cook since SOX.

      2 cents,

      QueenB.

      • by Znork (31774) on Monday February 02, 2009 @04:54PM (#26700321)

        Oh, no worries, cooked books taste just as good with SOX as without. As predicted, SOX hasn't changed jack; take a look at the average financial institution today and they have the vast majority of their liabilities in special purpose off balance sheet vehicles (see, as long as you only own 49% of the subsidiary, and the rest is owned by your cousins neighbours grammas old dog you don't have to bring the liabilities onto your balance sheet).

        And when rules to change that (strongly opposed by Citigroup, etc) were supposed to enter into force last november, it was suddenly 'impractical' and got delayed by the FASB.

        Right, 'impractical' as in 'the banks are insolvent and unless they get to cook their books it's going to be bloody obvious that actual bailout requirements are in the tens of trillions, which might be a bit unpalatable for taxpayers'.

        So SOX has merely added a bunch of expensive administrative crap with no actual extra security for stock holders; they'll get screwed anyway as politically expedient.

  • "idiot proof" (Score:4, Interesting)

    by mcfatboy93 (1363705) on Monday February 02, 2009 @04:38PM (#26700097) Homepage

    If they need to try to Idiot-proof a system take out the "Idiot". If these companies hire more technology inclined workers (people who read /.) they they won't have this problem as often.

    • by eln (21727) on Monday February 02, 2009 @04:45PM (#26700189) Homepage

      If they need to try to Idiot-proof a system take out the "Idiot". If these companies hire more technology inclined workers (people who read /.) they they won't have this problem as often.

      Maybe, but then they'd have to deal with everyone putting goatse links all over the company newsletter and sending out gay porn featuring the CEO of the company, so there's a little bit of a downside too.

      On the other hand, most Slashdotters never leave the basement, so you would save on office space.

      • by DrDrink (773701)

        If they need to try to Idiot-proof a system take out the "Idiot". If these companies hire more technology inclined workers (people who read /.) they they won't have this problem as often.

        Maybe, but then they'd have to deal with everyone putting goatse links all over the company newsletter and sending out gay porn featuring the CEO of the company, so there's a little bit of a downside too.

        On the other hand, most Slashdotters never leave the basement, so you would save on office space.

        Self Loathing

        See Also

        eln (21727)

      • Re: (Score:2, Funny)

        by gzipped_tar (1151931)

        and sending out gay porn featuring the CEO of the company

        Featuring the CEO of the company? I say "the CEO and the company"!!!

    • Re: (Score:3, Funny)

      by Jurily (900488)

      If these companies hire more technology inclined workers (people who read /.) they they won't have this problem as often.

      "shut the fuck up (Score:-1, Troll)
      by Anonymous Coward on 2009-02-02 21:34 (#26700021)
      you bunch of slashfaggots don't know anything. shut your fucking mouths and get an education instead of making up a bunch of lies."

      He's going to be the CEO.

    • Re: (Score:3, Insightful)

      by Korin43 (881732)
      My guess is that it's cheaper to leak confidential data all the time because of incompetence than to hire competent employees.
    • Re: (Score:3, Interesting)

      by olddotter (638430)
      I had an old manager who was both lauded and vilified for once saying "The company needs to hire smarter employees." I think this is part of the price to pay for trying to save on labor costs by hiring people who are almost but not quiet qualified to do their jobs.
    • If they need to try to Idiot-proof a system take out the "Idiot".

      In other words: don't hire idiots.

      If these companies hire more technology inclined workers (people who read /.)...

      In other words: hire idiots.

      • No, no, no.....people who just read /. aren't idiots.

        It's the people who comment on /. that are the idiots.

        Oh.....wait.....

        • I too had a chilling sense of proving my own point unintentionally. Weird huh? Wonder where that was coming from.

          Oops, forgot to make a 1, 2, ??? profit joke.

          • It could be that /. is where clever people come to exercise the idiocy that's stifled in the corporate environment. But what would I know, I work from home...

    • And require your workers to learn. That's the quintessential base for security. You can employ the tightest security standards if your users are not able to see a problem in a security breach.

      What people do not understand, they will not take serious. It's the "can't someone else do it" attitude that causes the problem. Not the lack of /. readers in business positions. An IT person cannot replace an auditor, and, frankly, I'd be rather found dead than in an auditor's position.

      People, especially in the leadin

  • by sempiterna (1463657) on Monday February 02, 2009 @04:48PM (#26700241)
    As a network admin for a mid-sized company, we spend quite a lot of money every year with PCI Compliance, and outside intrusion detection, and our customers want even more every year. It's expensive and quite often a hassle to maintain good security. Many vendors have told us to 'just open it up' or 'Naw,that issue wont cause a problem' We schedule days when our operational servers will be down for windows updates, and our clients yell and scream because they are down. I've not yet found a way to install windows security patches, firewall security patches, and overall general security upgrades without interruption. I sincerely wish our clients would understand that we want to make money also, and keeping the clients happy AND SECURE, makes us money. So we have a reason for rebooting that terminal server once a month.
    • I'm by no means a network admin, and I have zero experience in the field, but is there no way in which the services for each client can be shared across multiple machines, and then the updates can be progressively 'rolled' across each? (i.e. update machine A and restart, whilst leaving the load to machine B and C, do the same to machine B leaving the load to A and C etc.)

      Or is that more prohibitive/expensive to maintain? (I suppose it depends entirely on what machines you're running and what services you pr

    • by msimm (580077)
      You've probably already tried but technically, good load balancing and redundancy would be the answer (and/or where possible, scrap the funky Winboxen and squeeze in *nix). As a server platform, in my opinion Windows 2003 is still pretty backwards (the OS, not the businesses stuck using it), but if the goal is uptime and you don't have real (often costly) redundancy, down-time is the natural trade-off.
  • by jhfry (829244) on Monday February 02, 2009 @04:49PM (#26700257)

    it's a wonder that a little upfront money isn't being directed at prevention

    No it's not... Only in the last few years have management began to look at IT as something more than a "support" department. I have worked in companies where the IT department head reported to the Facilities Management Director (think landscaping and custodial services), who reported to the VP of Finance. Essentially, IT had no influence or budget to speak of, even when we pointed out that we were ripe for the picking when it concerned customer data and trade secrets.

    Jump forward a few years, and now that same company has an VP of Information Technology and an annual IT budget of 4X the Finance department's total budget.

    It's no surprise that it's still taking time to get pro-active expenditures approved. What I'm actually surprised about is that most Presidents/CEO's are actually aware of the risks now. If not for a few recent high profile leaks, most IT departments couldn't get any money for such projects.

    Finally, there is no evidence that upfront money wasn't spent. Most companies just haven't figured out how to adequately secure their data, not for lack of resources or trying, but because there isn't a formula for guaranteed success.

    • by vux984 (928602)

      Only in the last few years have management began to look at IT as something more than a "support" department. I have worked in companies where the IT department head reported to the Facilities Management Director (think landscaping and custodial services), who reported to the VP of Finance. Essentially, IT had no influence or budget to speak of, even when we pointed out that we were ripe for the picking when it concerned customer data and trade secrets.

      Here's an interesting aside...

      "landscaping and custodia

      • by tsstahl (812393) on Monday February 02, 2009 @05:33PM (#26700785)

        I would probably start a unit in charge of security -- ALL Security, and have them monitor and interact with IT and janitorial and anyone else to manage security.

        Great, so to work for you, in addition to Linux/Windows certs, I now need a Johnson Controls cert, journeyman electricians papers, and an endorsement for use of lethal force?

        Do you really want your net admin to carry a gun and/or taser backed up with a hammer? Just sayin...

        • Re: (Score:3, Insightful)

          by vux984 (928602)

          Great, so to work for you, in addition to Linux/Windows certs, I now need a Johnson Controls cert, journeyman electricians papers, and an endorsement for use of lethal force?

          Only if your applying to be a one man security ninja hero or something. It would be far more likely though to have more than one person, each with different areas of expertise.

          Do you really want your net admin to carry a gun and/or taser backed up with a hammer? Just sayin...

          Not at all. But I also don't want my net security team to be

        • by PPH (736903)

          Look at the advantages. You've got only one person to call if your toilets back up or your servers don't.

      • That analogy doesn't completely apply, as it assumes that the 'landscaping and custodial services' people were to suddenly step beyond the scope of their responsibilities as is traditionally assigned by management. The problem is, most of the time, management's stance is: Information Security is a computer problem, so IT is responsible.

        I do wholeheartedly agree, however, with the idea of a separated IT/helpdesk team (call it Computer Support, as part of facilities management) and an 'Information Security
      • by Ironica (124657)

        I would probably start a unit in charge of security -- ALL Security, and have them monitor and interact with IT and janitorial and anyone else to manage security.

        I think it might make sense to have a department (or at least person) that is in charge of developing, distributing, and enforcing policies that have a bearing on all forms of security... but I think you'll have a problem finding someone competent to supervise *both* the physical maintenance and server maintenance staff.

        • by vux984 (928602)

          I think it might make sense to have a department (or at least person) that is in charge of developing, distributing, and enforcing policies that have a bearing on all forms of security... but I think you'll have a problem finding someone competent to supervise *both* the physical maintenance and server maintenance staff.

          Just as your CEO is incompetent to do much of anything but is ultimately responsible for seeing that everything gets done -- solution: delegate.

          Delegate overall security to someone with a fi

          • by Ironica (124657)

            Just as your CEO is incompetent to do much of anything but is ultimately responsible for seeing that everything gets done

            Clearly our physical security needs some work, because you've been spying on our office! ;-)

            Delegate overall security to someone with a firm grasp of what real security is (vs security theatre) and who has a good head for risk assessment and return-on-investment, and above all the competence to surround himself with specialized people competent in specific fields of security and you'll be fine.

            Your right that will definitely result in different people managing network and physical security. But working together under one person, you won't spend millions on vault-like physical security while you have a hundred dollar linksys router protecting what's inside... or vice versa.

            But one issue still remains, which is that while physical security is somewhat intuitive (you can note that it's way too easy for you to walk in after someone else and bypass the card reader, for example), it may be difficult if not impossible to determine whether your information security measures are in place. It takes a different skillset to check for security holes in your network, website, etc.

            Ultimately (and t

      • by jhfry (829244)

        This depends on how the organization is structured. Sure you could have a VP who oversees all security related issues, and in some organizations where security is a very high priority it makes sense (banks for example).

        However most small-medium companies don't have significant physical security needs, except perhaps to hire a consultant to assess, recommend, and implement. And maybe contract a security company to patrol or monitor the cameras. These kind of companies need someone with some weight in the I

  • negligence (Score:3, Insightful)

    by Presto Vivace (882157) <marshall@prestovivace.biz> on Monday February 02, 2009 @04:50PM (#26700259) Homepage Journal
    With 88% of all data loss cases for 2008 being traced back to insider negligence It is getting harder and harder for me to dismiss the possibility that some of this is the result of inside jobs.
    • by pegr (46683)

      From the Stats-Pulled-From-My-Nether-Regions:

      85% of all system intrusions are inside jobs. Why would this be any different?

  • Perhaps, the government should conduct fake breaches to teach them a lesson.
  • by erroneus (253617) on Monday February 02, 2009 @05:01PM (#26700401) Homepage

    I find the problem has several facets.

    1. Nearly everything requires Windows
    2. Too many Windows applications want or require administrator privileges
    3. Users like little gadget software so much they think they need them
    4. Microsoft Internet Explorer (need I say more?)

    Malware is ALWAYS an internal network security problem. You can bullet-proof your web site from intrusion all you like but when the threat comes from an internal machine on your network, you're done for. There are lots of ways to address the problem, but none of them make users or executives happy. For much data processing, I'd like to see a return of the green CRT and keyboard. They don't crash (easily) and don't get infected with malware and keyloggers. Sure, they don't tell you what the weather is outside, but this is sensitive/valuable data being processed. We don't WANT those things connected.

    User technology culture is out of hand and does not address technical/functional needs.

  • Cost (Score:4, Funny)

    by DoofusOfDeath (636671) on Monday February 02, 2009 @05:03PM (#26700431)

    I guess data doesn't just want to be "free" :)

  • The cost is about $202 per record compromised for first timers, while the repeat offenders seem to have their mojo down and only suffer about $192 per record.

    What, so now repeat data breachers get a frequent flier discount? No wonder security sucks so bad!!

  • I suspect that $202 per record is a vast underestimate. One single record compromise could devastate someone's life, so they're obviously not factoring in the end-user cleanup effort required, or the insurance required to cover damages from a (possibly class-action) law suit based on that.

    • by giafly (926567)
      Remember that "compromised" does not only mean "used by criminals". It also applies to all those millions of accounts on CDs or DVDs genuinely lost in the post, where the data is never used. In these cases the per-record cost is low, so it brings down the average.
      • Yes, but how do you KNOW the data is never used? I could receive one of those CDs, sit on it for five years, then take someone's life savings.
  • Cracker vs IT staff (Score:1, Interesting)

    by Anonymous Coward

    OK, here's the deal. You have options:

    1. You can be the cracker, were you merely need to find one hole in the OS of one server out of 100 at the site, the 100 pieces of software installed on the servers, the firewall, or any other device or piece of software on the network to get a foot in the door. Or more likely, you just need to social engineer to get the 20% of users who don't have a clue to do your work for you. In other words 3 months of casing the joint, infinite payoffs.

    2. Or you can be the IT staff

    • So duck an cover is the strategy again? Teach snakeoil and hope you won't be caught in the fallout?

  • single break-in can cost days (if not weeks) worth of business disruption/outage, or even secondary/failover site can add up to annual budget.

    while cost of data can vary, breach in itself is very costly. in the article, user records cost/value seemed to be cost factor (emphasizing "per incident"), what about aftermath? i'm sure total cost is not as small as figure shown in the article, given that at least for proper preventive measure has been implemented after "first" incident.

  • Probably the costs of data breaches are about the same as they've been for years.

    What may be rising is the share of that cost shouldered by the companies that make money by warehousing data about individuals, as compared to the share shouldered by the individuals concerned. If that's true, that would be wonderful. It would create the right incentive for said companies to get real about data security.

  • ...data will actually become more of a liability for these companies, and maybe, just maybe, we will finally see the end of data-mining browser bars being included in everything under the sun.

  • Its all about TRUST!

    Its all about TRUST! Once lost, trust is very difficult to rebuild. Since many businesses simply refuse to change their business practices, I am of the opinion that too many simply do NOT understand that. If they did, they would make sure that they did NOT get hit the first time. Which means hiring qualified professionals and giving them the time to do the job right!.

    Just last week I was offered a System Administration job at a company not too far from me. I was told that they were they had been in business for over 10 years and where the Cadillac of the web server hosting business. They really focused on their customers needs, unlike a company, she called them by name , I do NOT like them however still do not see the reason to state their name, that advertises during the Super Bowl.

    I did not laugh when she offered me a rate that was $28 less per hour than what current jobs are paying in my area now, even with this economy. I did not mention that the rate was $12.00 per hour less than what I was paid to do the equivalent job at a company in the mid 1980s. My guess is that whoever they hire will be on call 24/7 and will be responsible for their server security in short order. They probably will not be allowed time to monitor those servers for Break Ins either. Just too few people and too much work. Oh and you can bet that they are not hiring additional bodies, just because they are getting them at a lower rate. And were I live it is not considered cheaper to live than most other areas of the country.

    The would be smarter to re evaluate all their hardware and software licensing and annual renewals to see how much they could save by replacing them with effective open source and FOSS solutions.

    In this specific case, I am confidant that the company will get what they are willing to pay for. And when the economy turns around, which it will do eventually, whoever they hire will be the first to leave them and they will be starting all over again. And that is their upside; their downside is getting hit by crackers and losing their customers trust.

    Actions speak louder than words.

    So many companies will pay lip service to so many things that they claim are important, yet when it comes time to do the right thing, they

Be careful when a loop exits to the same place from side and bottom.

Working...