Slashdot Asks: Does Your Company Have A Breach Response Team? (helpnetsecurity.com)
This week HelpNetSecurity reported on a study that found that "the average data breach cost has grown to $4 million, representing a 29 percent increase since 2013." 'The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don't have a plan in place to deal with this process efficiently,' said Caleb Barlow, Vice President of IBM Security.
But the most stunning part of the study was that each compromised record costs a company $158 (on average), and up to $355 per record in more highly-regulated industries like healthcare, according to the study -- $100 more than in 2013. And yet it also found that having an "incident response team" greatly reduces the cost of a data breach. So I'd be curious how many Slashdot readers work for a company that actually has a team in place to handle data breaches. Leave your answers in the comments. Does your company have an incident response team?
Naw (Score:5, Funny)
Fortune 500 (Score:2)
In words of Alex Stamos (Facebook CISO, back then Yahoo CISO): Fortune 500 consists of "SECURE 100" and "TOASTED 400".
I'd say it's about right.
Source:
http://image.slidesharecdn.com... [slidesharecdn.com]
By the way, I highly recommend that talk:
https://www.youtube.com/watch?... [youtube.com]
Two questions in return (Score:2)
a) Due to the lack of a baseball bat, do "Bokken" (Japanese wooden swords) count? I have plenty of them :D
b) Does a single man count? Or do I need to be a dwarf for that?
Oh? You meant a completely different kind of breach? I just pull the DSL connector from the wall!
No, we have breach prevention (Score:1)
We turn our computers off at night...
Nah (Score:5, Funny)
I worked at a place that got hacked, and the only reason anyone noticed is because of the work the hacker did to close the door behind them. A year after they patched the system, there was work on a project and it was returning an error because they were checking for the particular database for both the server type and version. Only after more investigation did someone realize the server was updated and even more that the update was done by none of the IT staff. I don't believe that they ever figured out
Re: (Score:2)
Indeed. The college I work for just a few weeks got around to trying to hire a CISO
Re: (Score:2)
"They've come up with a much better solution. Their security is just so bad that they never notice that they've been hacked"
And the company is still in business? Then they most probably just followed the strategy that brought them the best bang for the buck. Why should they do anything different? Heck, why should anybody expect anything different?
For the most part all this security this, security that is just money thrown to theater for no benefit and a lot of money wasted in the way, both for the securit
Re: (Score:2)
Lemon. Party of 3.
Major retailer (Score:1)
Yes. I worked for a major retailer who was burned badly in the recent past. They've spent an astronomical amount of money creating a breach-response monitoring center and other safeguards to prevent such a thing from happening again.
Re: (Score:2)
It's too bad this usually happens only after there's been a breach. If security is done well from day 1, there are usually no significant breaches. The downside of "costly" information security is that if it works well, it seems useless to the execs. Seen too many times how they gradually cut the budget to oblivion because they don't get nice little reports detailing how many attacks were blocked and what would've been the associated costs. There's really no solid way of proving the need for strong security
Re: (Score:2)
"I worked for a major retailer who was burned badly in the recent past"
Like... $4 million? If it is less, that's not even average, according to the (hard to believe) article's summary.
"They've spent an astronomical amount of money creating a breach-response monitoring center and other safeguards to prevent such a thing from happening again."
Given that there will be big recurring costs coming along, is there any relationship between the damage from the event and the cost of the response? Or is it that a hig
Re: (Score:2)
"I made this original post and no... my group alone (one of many in the corp involved in security) has a $5 mil yearly budget for roughly 20 people"
So just your team (one in many, as you say) could be "exchanged" by an "average security incident" yearly and your company still would be a 20% ahead. Hard to believe the way your company is targeting "security" is an effective one.
depends on IT criticality (Score:2)
Of the firms I've worked for, only the large ones (>$20B/yr) that depend heavily on IT had a dedicated in-house incident response team. Smaller shops ($5-20B) or those that rely less on IT would outsource it. Small enterprises with a 1-5 man security team probably have just a written plan that's never tested. Anything under $1B/yr in revenue probably doesn't have a security team at all unless they are an Internet-based company.
They are prepared all right (Score:1)
If anything like that happens, blame is instantly assigned to a sacrificial goat, the goat's name is passed on to HR, and a cardboard box is deployed.
Nothing else is changed.
Corporate breach response team (Score:2)
There's a small software company in Redmond that has a long standing well funded breach response team. It's called Marketing.
(This is only kinda a joke. The SSIRP process was largely developed, funded, and driven by Marketing, with follow-on engineering and remediation by security teams.)
Health care... nope (Score:2)
Not only do we not have a plan, we don't have a clue. Our Windows machines are still running an old version of Java, and everyone is local Administrator. There is no official policy against downloading or installing stuff, so the place is a Festival of Malware. We have three people on the Security team for 60,000+ computers.
HAHAHAHHAHA! Nope. (Score:2)
I have never experienced such an increase in intrusion threats that have coincided with denial that there is any problem at all.
It's so bad, I am starting to become one of those tin-foil hat IT guys who is starting to believe that management has been blackmailed by the "hackers" (not yet but that is the road I am on). I also, more seriously, believe that the increase in "Cybersecurity" firms and "Ethical Hackers" correlates to the increase in incidents. The old "Gotta hire a criminal to prevent a crime" is
Yes, we do (Score:2)
And I'm part of that team. We have plans and processes for pretty much anything that can happen, down to pre-written statements for the PR goons so they have something to feed to the press while we're finding out what went wrong and detailed instructions for everyone what to do, who to talk with and more importantly, who not to.
That breach a few months ago, where a company lost multiple million bucks, sure was a wake-up call. Right now, everything that deals with (serious amounts of) money has to go through
A quote from ... (Score:2)
"the average data breach cost has grown to $4 million, representing a 29 percent increase since 2013. 'The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don't have a plan in place to deal with this process efficiently,'"
said the guy who wants to sell you a service.