I started writing this blog after a data breach at a former employer exposed my sensitive personal information. The consequence was that I had to take action due to a former employer's sloppiness.
Given that history, a new report by the Ponemon Institute, sponsored by Solera Networks, caught my attention. The report included results from a study of data breaches in organizations to understand the differences between malicious and non-malicious data breaches, plus any lessons learned from the post-breach and forensic investigations.
Typically, after a data breach an organization's IT department investigates the breach, either independently or with the assistance of an outsourced technology consultant. That investigation covers the cause of the breach, the specific computer systems and/or networks compromised, the number and types of records accessed (e.g., current employees, prior employees, contractors, students, etc.), and the specific data elements (e.g., names, street addresses, bank account numbers, Social Security numbers, e-mail passwords, etc.) accessed and/or stolen. By understanding what happened, organizations, in theory, can better secure their computers and networks from future data breaches.
The Ponemon study used the following definitions for data breach types:
"... we define a non-malicious breach as a system error, employee negligence or third-party snafu and a malicious breach is defined as one involving the theft of information assets by a criminal insider or [external hacker]..."
I found the results fascinating for several reasons. In my personal experience, my former employer's breach included data tapes shipped via a third-party vendor which never arrived at the off-site storage facility. This affected my privacy along with that of both current and other former employees.
First, the global results from the Ponemon report:
- 54% of IT professional respondents said (i.e., Strongly Agree or Agree) that the severity of data breaches has increased during the past 24 months
- 52% of respondents said (i.e., Strongly Agree or Agree) that the frequency of data breaches has increased during the past 24 months
- Only 44% of respondents said that their organization has the tools, personnel, and funding to quickly detect data breaches
- Only 43% of respondents said that their organization has the tools, personnel, and funding to prevent data breaches
- While 63% of respondents said that understanding the root causes of data breaches has increased data security in their organization, only 40% said they have the tools, personnel, and funding to determine the root causes of data breaches
- On average, it took organizations 49 days to detect non-malicious data breaches, and 80 days -- almost 3 months -- to detect malicious breaches. For resolution, it took 83 and 123 days, respectively.
- Only 39% of respondents that experienced a malicious breach said that they were confident (i.e., Very Confident or Confident) that their organization determined the root cause of the breach
This is not good. It takes a long time to detect breaches, if at all, and a long time to fix them. The most frequent types of data breaches experienced during the past 24 months:
- 47% - Employee or contractor negligence
- 32% - System error or malfunctions
- 24% - External attacks
- 23% - Third party mistakes or negligence
- 14% - Malicious insiders
Where the data breach occurred within the organization varies:
| Breach Location | Malicious Breaches | Non-Malicious Breaches |
|---|---|---|
| Within business unit | 15% | 27% |
| During transit or transmission to a third-party location | 6% | 22% |
| Off-site data center | 12% | 12% |
| On-site data center | 9% | 9% |
| Unable to determine | 28% | 9% |
When the breach was discovered:
| When Discovered | Malicious Breaches | Non-Malicious Breaches |
|---|---|---|
| Within one week | 19% | 19% |
| Within one month | 29% | 28% |
| Within 3 months | 24% | 16% |
| Within 6 months | 6% | 4% |
| Within 1 year | 4% | 2% |
| Within 2 years | 2% | 1% |
| Unable to determine | 15% | 10% |
So, an astounding 15% of the time organizations were unable to determine when their malicious data breaches were discovered. That's about one out of every six breaches. How malicious breaches were discovered:
- 28% - Forensic tools and methods
- 19% - Loss prevention tool such as DLP
- 15% - Notification by law enforcement
- 10% - Automated monitoring
- 9% - Accidental discovery
- 6% - Audit or assessment
- 3% - Legal filing or complaint
- 3% - Manual monitoring
- 3% - Notification by partner or third-party
- 3% - Consumer or customer complaint
- 3% - Unsure
- 1% - Other
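The report's detection and resolution averages, the "unable to determine" share, and the discovery-method breakdown are all metrics an organization can compute from its own incident log and compare against these benchmarks. The following Python script is an added example, not from the report or the blog author; the incident records in it are constructed for illustration, and the field names (`kind`, `occurred`, `detected`, `resolved`, `discovered_by`) are assumptions about how a team might log a breach. Days to resolve are measured from the estimated start of the exposure, not from detection.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    """One breach record as an incident-response team might log it (assumed schema)."""
    name: str
    kind: str                  # "malicious" or "non-malicious", per the report's definitions
    occurred: date             # best estimate of when the exposure began
    detected: Optional[date]   # None when the organization could not determine it
    resolved: Optional[date]   # None while containment/remediation is still open
    discovered_by: str         # how the breach came to light


# Constructed sample records for illustration; these are not figures from the report.
INCIDENTS: List[Incident] = [
    Incident("web-db-exfil", "malicious", date(2012, 1, 10), date(2012, 3, 20), date(2012, 5, 1), "forensic tools"),
    Incident("cred-theft", "malicious", date(2012, 2, 1), date(2012, 2, 15), date(2012, 3, 1), "law enforcement"),
    Incident("unknown-origin", "malicious", date(2012, 4, 5), None, None, "unsure"),
    Incident("insider-copy", "malicious", date(2012, 6, 1), date(2012, 6, 11), date(2012, 7, 1), "DLP"),
    Incident("lost-backup-tape", "non-malicious", date(2012, 3, 1), date(2012, 3, 31), date(2012, 4, 30), "audit"),
    Incident("misconfigured-share", "non-malicious", date(2012, 5, 10), date(2012, 6, 29), date(2012, 8, 1), "accidental discovery"),
]


def days_between(start: date, end: Optional[date]) -> Optional[int]:
    """Elapsed days, or None when the end date is not known."""
    return None if end is None else (end - start).days


def summarize(incidents: List[Incident]) -> Dict[str, Dict[str, float]]:
    """Mean days to detect and to resolve, plus the share of incidents whose
    detection date could not be determined, grouped by breach kind."""
    out: Dict[str, Dict[str, float]] = {}
    for kind in sorted({i.kind for i in incidents}):
        group = [i for i in incidents if i.kind == kind]
        detect = [d for d in (days_between(i.occurred, i.detected) for i in group) if d is not None]
        resolve = [d for d in (days_between(i.occurred, i.resolved) for i in group) if d is not None]
        out[kind] = {
            "count": len(group),
            "mean_days_to_detect": round(mean(detect), 2) if detect else float("nan"),
            "mean_days_to_resolve": round(mean(resolve), 2) if resolve else float("nan"),
            # Mirrors the report's "unable to determine" row: records with no detection date.
            "detection_undetermined_share": round(1 - len(detect) / len(group), 2),
        }
    return out


def discovery_breakdown(incidents: List[Incident], kind: str = "malicious") -> Dict[str, float]:
    """Percentage of incidents of the given kind attributed to each discovery method."""
    group = [i for i in incidents if i.kind == kind]
    counts = Counter(i.discovered_by for i in group)
    return {method: round(100 * n / len(group), 1) for method, n in counts.most_common()}


if __name__ == "__main__":
    for kind, stats in summarize(INCIDENTS).items():
        print(kind, stats)
    print(discovery_breakdown(INCIDENTS))
```

A high undetermined share or a large gap between the malicious and non-malicious detection means is the signal the report points at: it usually means logging and retention are too thin to reconstruct when the exposure began, which is a detection-capability gap rather than a reporting one.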
Second, some country-specific results:
- 41% of survey respondents from the USA said (i.e., Strongly Agree or Agree) that their organization was ready with the tools, personnel, and funding to prevent data breaches. The average across all countries was about 44%. Organizations in Japan (56%) and Singapore (58%) led the way with prevention readiness.
- 42% of survey respondents from the USA said that their organization was ready with the tools, personnel, and funding to quickly detect data breaches. The average across all countries was about 44%. Again, organizations in Japan (55%) and Singapore (57%) led the way with detection readiness.
- 33% of survey respondents from the USA said that their organization's leaders view data security as a top priority. The average across all countries was about 37%. Again, organizations in Japan (51%) and Singapore (50%) led the way with senior management leadership.
The study included a survey of 3,529 Information Technology professionals in eight countries. 54% of survey participants report directly to the chief information officer (CIO) in their organization. Participants were selected from organizations that had at least one data breach during the past 24 months. The survey included organizations from both the public and private sectors.
Survey respondents by country:
- 659 - USA
- 566 - Japan
- 445 - Brazil
- 431 - United Kingdom
- 423 - Canada
- 395 - Australia
- 309 - Singapore
- 301 - United Arab Emirates
- 3,529 - Total
Third, survey respondents by industry:
- 18% - Financial Services
- 11% - Federal and central government
- 7% - Services
- 7% - Retail, Internet
- 6% - Professional services
- 5% - Industrial products and chemicals
- 4% - State, province and local government
- 4% - Communications
- 4% - Consumer products
- 4% - Entertainment and media
- 4% - Hospitality
- 3% - Defense contractor
- 3% - Retail, conventional
- 3% - Technology and software
- 2% - Energy and utilities
- 2% - Education and research
- 2% - Healthcare and medical devices
- 2% - Pharmaceuticals and biotech
- 1% - Transportation
- 1% - Other
- 100% - Total
What is a consumer to take from the results in this report? As I see it:
- Data breaches will continue to happen. The bad guys also read reports like this, and determine where the soft or easy targets are.
- There is an opportunity for companies and senior executives in the USA to do much better and take a leadership role. Will they?
- Outsourcing matters, since about 48% of malicious breaches happened off-site or during transit/transmission with a third party contractor or partner
- Despite what senior-level executives say in speeches and press releases about valuing data security, the survey suggests otherwise. Many organizations don't have the necessary tools, personnel, and funding.
- Despite what senior-level executives say in breach notification letters after a data breach, they often don't know what happened and won't for a long while, if they ever do. Too many never determine when and what happened.
- Informed consumers realize the reality is that you have to protect your sensitive personal data. Don't rely on an employer or former employer to do it.
- All of this applies to mobile app developers, app stores, online retailers, and related Internet companies since the study included those industries, too.
Access the complete "Post Breach Boom" Ponemon report here.