Data-Breach Costs Rising, Study Finds

BobB-nw writes to tell us that a recent study of 43 companies that suffered from data breaches last year showed the total cost of dealing with the breach to have risen to $6.6 million per incident. The cost is about $202 per record compromised for first timers, while the repeat offenders seem to have their mojo down and only suffer about $192 per record. With 88% of all data loss cases for 2008 being traced back to insider negligence it's a wonder that a little upfront money isn't being directed at prevention; guess as soon as they idiot-proof it someone will build a better idiot.
  • "idiot proof" (Score:4, Interesting)

    by mcfatboy93 ( 1363705 ) on Monday February 02, 2009 @05:38PM (#26700097) Homepage

    If they need to try to idiot-proof a system, take out the "idiot". If these companies hire more technology-inclined workers (people who read /.), they won't have this problem as often.

  • by sempiterna ( 1463657 ) on Monday February 02, 2009 @05:48PM (#26700241)
    As a network admin for a mid-sized company, we spend quite a lot of money every year on PCI compliance and outside intrusion detection, and our customers want even more every year. It's expensive and quite often a hassle to maintain good security. Many vendors have told us to 'just open it up' or 'Naw, that issue won't cause a problem'. We schedule days when our operational servers will be down for Windows updates, and our clients yell and scream because they are down. I've not yet found a way to install Windows security patches, firewall security patches, and overall general security upgrades without interruption. I sincerely wish our clients would understand that we want to make money also, and keeping the clients happy AND SECURE makes us money. So we have a reason for rebooting that terminal server once a month.
  • by jhfry ( 829244 ) on Monday February 02, 2009 @05:49PM (#26700257)

    it's a wonder that a little upfront money isn't being directed at prevention

    No it's not... Only in the last few years has management begun to look at IT as something more than a "support" department. I have worked in companies where the IT department head reported to the Facilities Management Director (think landscaping and custodial services), who reported to the VP of Finance. Essentially, IT had no influence or budget to speak of, even when we pointed out that we were ripe for the picking when it concerned customer data and trade secrets.

    Jump forward a few years, and now that same company has a VP of Information Technology and an annual IT budget of 4X the Finance department's total budget.

    It's no surprise that it's still taking time to get proactive expenditures approved. What I'm actually surprised about is that most Presidents/CEOs are actually aware of the risks now. If not for a few recent high-profile leaks, most IT departments couldn't get any money for such projects.

    Finally, there is no evidence that upfront money wasn't spent. Most companies just haven't figured out how to adequately secure their data, not for lack of resources or trying, but because there isn't a formula for guaranteed success.

  • Re:"idiot proof" (Score:3, Interesting)

    by olddotter ( 638430 ) on Monday February 02, 2009 @06:05PM (#26700457) Homepage
    I had an old manager who was both lauded and vilified for once saying "The company needs to hire smarter employees." I think this is part of the price to pay for trying to save on labor costs by hiring people who are almost but not quite qualified to do their jobs.
  • by tsstahl ( 812393 ) on Monday February 02, 2009 @06:33PM (#26700785)

    I would probably start a unit in charge of security -- ALL Security, and have them monitor and interact with IT and janitorial and anyone else to manage security.

    Great, so to work for you, in addition to Linux/Windows certs, I now need a Johnson Controls cert, journeyman electrician's papers, and an endorsement for use of lethal force?

    Do you really want your net admin to carry a gun and/or taser backed up with a hammer? Just sayin...

  • Cracker vs IT staff (Score:1, Interesting)

    by Anonymous Coward on Monday February 02, 2009 @06:55PM (#26701055)

    OK, here's the deal. You have options:

    1. You can be the cracker, where you merely need to find one hole in the OS of one server out of 100 at the site, the 100 pieces of software installed on the servers, the firewall, or any other device or piece of software on the network to get a foot in the door. Or more likely, you just need to social engineer the 20% of users who don't have a clue into doing your work for you. In other words, 3 months of casing the joint, infinite payoffs.

    2. Or you can be the IT staff who need to work about 200 hours a week to keep up with new security holes, zero-day exploits, patches for the OS, patches for all the software, testing all the 1000 patches a week before deploying to the working environment, installing software for users who aren't admins (which means constant interruptions during the day, then refusals of installs when you actually have time to do it), training of users, logging every visit to the server room, checking event logs on 100 servers and the firewall, getting through the events to actually find valid information, going through event logs on 10 IDS systems which are placed at all the switches, going through the firewall at the 7 remote offices, visiting your users' homes who remote in from there, sleeping over at the 10 bosses' houses because they all have to VPN from their home with no anti-virus installed, etc. So after you get divorced and die of a heart attack, you can expect to be spat on by upper management when it's time to ask for some money to hire some help. Yeah, give it to meeeeeee!

    3. You can do the most important aspects of your job in the IT dept, and hope that you aren't a target of a serious cracker.
