While advances in technology provide a stronger opportunity than ever to disrupt attacks, that requires having the right systems in place. Siloed systems and limited use of the new technologies hurt here. So does the failure of many companies to have a proper incident response plan, which can cut breach costs significantly.
A new study done by the Ponemon Institute for IBM has more bad news: security breach costs continue to rise, to $4 million per incident, a 29 per cent increase since 2013. Canadian data was broadly in line with the global figures, although detection and escalation costs were the highest in Canada out of the twelve countries in the report. The positive takeaway is that IBM says there is now more of an opportunity to disrupt attacks – if you have the right systems in place.
“We’ve been working with the Ponemon Institute for 11 years and we have seen the costs of a breach continue to escalate over that time,” said Patrick Vandenberg, Program Director, IBM Security Segment Marketing, at IBM.
The report, Cost of Data Breach Study: Global Analysis (June 2016), noted that, aside from the $4 million total cost per incident, the average loss per compromised record is now $158. Not surprisingly, breaches in regulated industries had an even higher cost. In healthcare, the cost hit $355 per compromised record, up $100 from 2013.
“In the early days in IT security, the focus was on prevention technologies, protecting the perimeter with firewall and AV,” Vandenberg said. “In the last half decade, the focus has shifted to detection, realizing that the key is the ability to detect risky behavior. We are now focusing on the response, and we need to beef up our game to more efficiently react to that situation.”
The study found that the average time to identify a breach is now 201 days, and the average time to contain one is 70 days. Unsurprisingly, the longer it takes to detect and contain a data breach, the more costly it becomes. Breaches identified in less than 100 days cost companies an average of $3.23 million; breaches found after 100 days cost considerably more, an average of $4.38 million.
“Determining where the breach occurred and how is critical,” Vandenberg said. “We have been using the analogy of the immune system more and more. How strong is our immune system to identify that activity? Do we have antibodies to cut off that virus, especially before data is exfiltrated? It takes a long time to uncover a breach, but if you have the right systems in place there is more of an opportunity to disrupt the attack early on. That’s the one positive in this report. It shines a light on the need to focus on incident response. That’s what organizations need to do going forward.”
The study found that leveraging an incident response team was the single biggest factor in reducing the cost of a data breach – saving companies nearly $400,000 on average (or $16 per record).
“It has to start with planning, and involves a myriad of different activities,” Vandenberg said. “This includes working with the security team, and disrupting the attack if you catch it early enough. It also involves communicating with legal, and a communications plan for providing information to customers and other stakeholders.”
The study also found, however, that in the U.S., 70 per cent of security executives indicated they have no incident response plans in place.
Vandenberg said that many organizations that don’t have a plan can get one from an outside consulting firm.
“For years, IBM has had a cyberincident response team to engage in consultative services, which do an assessment, map out a plan, and then give the customer a playbook on what to do,” he said. “We strengthened that with our recent acquisition of Resilient Systems.” Resilient’s Incident Response Platform, the most recent version of which IBM is announcing concurrent with the Cost of Data Breach study, lets security teams analyze, respond to, and mitigate incidents faster and more efficiently.
“We work with a number of VAR partners on these,” Vandenberg said. “VARs are critically important in the security space because they have specific knowhow of clients and customers. That’s how you get specialization in industries, from the partners.”
Vandenberg also addressed the question of why breach costs continue to rise even as security vendors deploy more and more cutting-edge technologies, some of them machine learning based, which should, in theory, cut time to detection.
“A lot of organizations have technology sprawl, with dozens and dozens of solutions deployed,” he said. “It’s a complex mess, because many are now talking to each other. We’ve been investing heavily in integration, not just with our own solutions, but with partners and competitors. You need to de-silo the control points.”
In addition to the siloing effect, Vandenberg pointed out that the new technologies aren’t having much impact because they aren’t being used enough.
“A large portion of the market, even the enterprise, is not deploying them or is short on the skills to apply them,” he said. “Today’s analytics can turn millions of data into about two dozen threats that a human being needs to investigate. We find organizations who use those are being successful in detecting breaches within weeks of when they happen.”
Vandenberg, who is based in Ottawa, noted that the Canada-specific data is largely in line with the globally aggregated data. The average per capita cost of a data breach in Canada rose from $250 to $278. On a per record basis, companies in Canada spent $230 per record to resolve a malicious or criminal attack, second only to the U.S. at $236. Detection and escalation costs were the highest in Canada out of the twelve countries in the report.
“There are some differences around compliance regulations, so that will have some variance, but there is consistency in what’s targeted,” Vandenberg said. “One difference is in health care data. Because of our public health care system, it’s not quite as valuable as in the U.S., because in the U.S. the data is sold so people can get expensive medical care.”