Breached? Who Even Knows
A recent report from the Ponemon Institute on 2014: A Year of Mega Breaches reveals interesting information about companies following a data breach, and attitudes after ‘mega’ breaches such as Target. There’s no doubt that major breaches in the past year hitting nearly every industry, from healthcare to retail to universities and major financial organizations.
The breakdown of the types of companies they interviewed included financial companies (18 percent), federal government (9 percent) and tech and software companies (8 percent). Another 7 percent were from the retail industry.
The Ponemon survey queried respondents about company actions after these mega breaches hit the news - finding that most organizations provided tools and personnel to contain and minimize breaches (72 percent), while another 69 percent invested in the ability to quickly detect breaches. And 67 percent of companies invested in the budget necessary to defend it from data breaches.
These responses follow their top tech investments made in response to these breaches, including security incident and event management (SIEM) solutions (50 percent), endpoint security (48 percent), and intrusion detection and prevention (44 percent). But only 29 percent had reported investing in identity & access management tools, showing a stronger focus on containing and monitoring breaches and securing devices.
Customer account and consumer data are some of the most compromised types of sensitive/confidential information, at 68 and 65 percent, respectively. Intellectual property is the third most compromised type of information, which is often essential to a company’s livelihood.
How Can You Notify If You Don't Even Know?
One of the major problems is that organizations aren’t able to detect data breaches in a timely manner, or sometimes at all, which may become an issue especially with the federal initiatives that propose to mandate a 30-day breach notification law to all organizations, regardless of industry or state.
According to the National Conference of State Legislature, 47 states have breach notification laws, but three do not. Healthcare has its own set of specialty breach notification laws, including the loophole that encrypted data that is stolen or lost doesn't need to be reported. Learn more in California Breaches Increase 30 Percent in 2014; 84 Percent Retail and A Medley of State Healthcare Data Laws: Insurance Encryption & 2FA for E-Prescriptions.
As the Ponemon Institute’s report found, most respondents were not even able to determine when the breach was discovered (20 percent), while another 15 percent didn’t detect the breach until more than two years after the fact. Twenty-one percent discovered the breach within one year after.
Even more difficult for organizations was the location of the breach - 55 percent were unable to determine where exactly they were breached, which becomes an issue especially if they’re unable to determine what type of defense to invest in or strengthen.
Turning to Two-Factor Authentication After a Breach
After they found the root cause, Ponemon reports that 57 percent implemented security training, while another 54 enhanced security monitoring. And 38 percent actually deployed additional security tools.
Quite a few breached organizations in the past have turned to two-factor authentication, sometimes immediately, after the fact. Some of those include Bitly, Hootsuite, Buffer, Twitter, Tumblr and many more; some adding it just for internal users and others adding two factor for all of their users.
Twitter's 'login verification' is also known as one-time password two-factor authentication via SMS, available to all Twitter users under Settings > Security and Privacy:
Almost half of respondents reported that their company experienced one or more data breaches in the past two years, ranking lost reputation, brand value and marketplace image as the top hit to their company. But they also lost time and productivity (42 percent), as well as revenue and customers (42 percent). The cost of newly purchased technology also added up, at 38 percent.
The cost of notifying affected individuals also affected breached companies (27 percent), which may become more of an issue for small or medium-sized businesses, if the 30-day breach notification legislation passes.
Other expenses included hiring external consultants and attorneys (23 percent). In most mega breaches such as JPMorgan Chase and Sony, information security incident investigators (also referred to as the field of cyber forensics) are often hired soon after a breach discovery in order to do a deep-dive of what happened in order to report to auditors, or sometimes the federal government. Usually the FBI jumps in to do some digging too.
And attorneys are another major expense - breached companies need to prepare for the inevitable backlash that greets them after millions of individuals lose their data privacy, in addition to lawsuits from banks that often must foot the bill to reissue payment cards, as well as deal with fraud.
According to KrebsonSecurity.com, the Target breach cost credit unions and community banks $200 million to reissue 21.8 stolen cards. A recent court ruling allowed consumer and bank class action lawsuits to move forward against the retailer, on grounds of potential security negligence. Find out more in After a Data Breach: Who’s Liable? and Protecting Payment Cards: A Modern Guide to Retail Data Risks.
When it comes to resources, the percentage of the organizations’ IT security budgets dedicated to the detection and containment of data breaches is mostly 21-40 percent (38 percent responded). But another 25 percent report 11 to 20 percent of their budget is dedicated to detecting and containing data breaches.
A Modern Guide to Retail Data Risks
To help inform organizations about new threats to data, we’ve created a 115-page guide complete with infographics, technical solutions, and case studies.
Check out a video below to learn more about the eBook:
Ideal for CISOs, security, compliance and risk management officers, as well as IT admins and professionals, our free eBook: A Modern Guide to Retail Data Risks provides guidance on:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model