Dr. Ponemon's blog
Second Annual Patient Privacy Study Released
December 1, 2011
Widespread use of mobile devices is putting patient data at risk, according to the latest Ponemon Institute research on healthcare providers' patient privacy practices. While 81 percent of respondents say employees in their healthcare organizations are using mobile devices to collect, store and/or transmit some form of PHI, 49 percent admit their organizations are not doing anything to protect these devices. To download a copy of the report click here: http://www2.idexpertscorp.com/ponemon-study-2011/.
Best Practices in Data Protection Study Released
November 4, 2011
Sponsored by McAfee, the Best Practices in Data Protection survey is our latest effort to find out what separates the best organizations from the rest. We believe this study is important because it provides insights on how organizations can be more successful when investing in and building a data protection program. The study's findings reveal five success factors in a data protection program:
- A formal data protection strategy for the organization and metrics to determine if the strategy is effective.
- Key metrics from a management console and observation and regular testing of data protection solutions.
- Data protection technology features that focus on privileged users, restriction of access and outbound communications are considered critical.
- Centralized management of the data protection program with such features as actionable information, policy administration, reporting, automatic securing of endpoints and monitoring.
- Automated policies for detection and prevention of end-user misuse of information assets.
To download the complete report click here: https://prod.secureforms.mcafee.com/content/verify?docID=3E46E43C-2252-487A-885B-4C5F125DFB60&cid=WB290&aName=DP&src=web&aType=report&region=us
Posted by Dr. Larry Ponemon at 7:09 pm
Second annual cost of cyber crime study is released
August 2, 2011
Today we released our Second Annual Cost of Cyber Crime Study. Our findings support other research studies suggesting increases in the frequency, severity and overall cost of cyber attacks on private and public sector organizations. Our study is sponsored by HP ArcSight. I would be very pleased to discuss this year's findings, framework and research methods. Please feel free to call us directly or send an email to research@ponemon.org to schedule a one-to-one meeting.
Most trusted companies for privacy
July 31, 2011
Ponemon Institute is releasing our annual Most Trusted Companies for Privacy study this coming week. This is the eighth year that we conducted a U.S. national consumer study that determines the organizations believed to be most committed to protecting and securing personal information. Our research also determines the underlying factors that consumers perceive as most important or influential to their trust ratings. For more information, please contact research@ponemon.org.
Ponemon Releases Cloud Service Provider Study
May 2, 2011
Last week with CA Technologies we issued the results of a study of cloud service providers and their views on cloud security. There has been a lot of interest in this study. Readers have reviewed the results and responded with some very good questions and comments. In a nutshell, people – including us – were surprised by the results, which showed that cloud providers didn’t put security as the No. 1 concern in providing their services.
As a result, we have had some questions about “who” we polled for this study beyond the information provided in the study. People were curious as to whether or not we had some of the large public cloud providers in our study, and I will try to clear things up here.
Our unit of analysis is the IT practitioner who self-reported that he or she is employed by an organization that provides cloud services. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. Therefore, we do not collect any personally identifiable information or company identifiable information in our research. However, as shown below, we do ask respondents to report such demographics as the approximate size of their organizations (by employee headcount) and their organizational level.
Table 6, taken from our report, shows that 58 percent of respondents from the U.S. work in organizations with more than 1,000 employees, and 50 percent of respondents in the Europe sample work in companies of that size. The respondents represented both large and small service providers. While we do not collect company identifiable information about the cloud providers and cannot tell you their names, based on responses we had representation from very large organizations.
Table 6: Worldwide headcount of respondents' organization

| Headcount                  | US   | Europe |
| Less than 500 people       | 23%  | 29%    |
| 500 to 1,000 people        | 19%  | 21%    |
| 1,001 to 5,000 people      | 28%  | 16%    |
| 5,001 to 10,000 people     | 20%  | 27%    |
| 10,001 to 25,000 people    | 4%   | 0%     |
| 25,001 to 75,000 people    | 4%   | 0%     |
| More than 75,000 people    | 2%   | 7%     |
| Total                      | 100% | 100%   |
As you can see from Table 3 below, also from our report, we started with a broad pool to get a statistically significant response rate that is representative of the population of IT practitioners working in organizations providing cloud computing services. Most of our respondents were directors, managers, supervisors or technicians – so folks in the trenches, watching how things operate day-to-day, on up to management (see Table 4 below).
Further respondent data includes:

Table 3: Sample response

| Stage                      | US    | Europe |
| Organizations              | 1,180 | 263    |
| Contacts made (by phone)   | 879   | 240    |
| Returned surveys           | 130   | 32     |
| Rejections for reliability | 27    | 8      |
| Final sample               | 103   | 24     |

Table 4: Respondents' organizational level

| Level                      | US   | Europe |
| Senior Executive           | 2%   | 5%     |
| Vice President             | 2%   | 5%     |
| Director                   | 28%  | 30%    |
| Manager                    | 16%  | 22%    |
| Supervisor                 | 10%  | 0%     |
| Staff or technician        | 39%  | 26%    |
| Contractor or other        | 3%   | 12%    |
| Total                      | 100% | 100%   |
This isn’t our first look at cloud security and I’m sure it won’t be the last as we move forward into the shifting computing paradigm. And as we continue our work, the Ponemon Institute will operate with the utmost integrity and transparency as we help industry uncover the emerging trends affecting the security and privacy sector.
Posted by Larry Ponemon at 4:51 pm
Are we taking adequate steps to protect the critical infrastructure?
April 3, 2011
Last week I presented the results of our latest study entitled, "The State of IT Security: A Study of Utilities and Energy Companies." Sponsored by Q1 Labs, this research revealed that utilities and energy companies in our study are more concerned about preventing downtime than about stopping a cyber attack. In addition, a majority of respondents said that compliance with standards such as NERC CIP is not a top priority. Most surprisingly, only 16 percent of respondents believe that their organization's existing controls are designed to protect against exploits and attacks through the smart grid. For more information about this study, please contact research@ponemon.org.
Cost of a data breach climbs higher
March 8, 2011
Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.
But, that hasn’t happened yet. The latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.
It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends.
Rapid response to data breach costs more. For the second year, we’ve seen companies that quickly respond to data breaches pay more than companies that take longer. This year, they paid 54 percent more.
Fueling this rush to notify is compliance with regulations like HIPAA and the HITECH Act and the numerous state data breach notification laws. It seems that U.S. companies have this urgency to just get the notification process over with. Unfortunately, these companies are in such a hurry to do the right thing and notify victims that they end up over-notifying. This causes customers who are not actually at risk to lose trust in the company and abnormal customer churn increases. Companies that take a more surgical approach and spend the time on forensics to detect which customers are actually at risk and require notification, ultimately spend less on data breaches.
Malicious or criminal attacks are causing more breaches. This year malicious attacks were the root cause of 31 percent of the data breaches studied. This is up from 24 percent in 2009 and 12 percent in 2008. The significant jump in malicious attacks over the past two years is certainly indicative of the worsening threat environment. Malicious attacks come from both outside and inside the organization, ranging from data-stealing malware to social engineering.
What’s more, these data breaches are the most expensive. Malicious attacks create more costs because they are harder to detect, the investigation is more involved and they are more difficult to contain and remediate. Another reason malicious attacks are so expensive is the criminal is out to monetize their work; they’re trying to profit off the breach.
However, it’s not always the bad guys doing bad things that cause data breaches. It’s often your best employees making silly mistakes. Negligence is still the leading cause of data breaches at 41 percent.
There is good news. Companies are more proactively protecting themselves from malicious threats. Three response characteristics increased in frequency: the number of organizations responding quickly (within 30 days), those putting CISOs in charge of data breach response, and those with an above-average IT security posture. Moreover, breaches due to systems failures, lost or stolen devices and third-party mistakes all fell. And, average detection and escalation costs went up by 72 percent, suggesting that companies are investing more resources in prevention and detection. Taken together, these figures may indicate organizations are taking more active steps to thwart hostile attacks.
So, what’s a company to do with all of this data breach cost information? Calculate your potential cost of a data breach. This year, in conjunction with the report, Symantec and the Ponemon Institute have launched the Data Breach Risk Calculator. This free online tool lets companies connect the dots between all of this research and what it really means to them. The Data Breach Risk Calculator lets you estimate how a data breach could impact your company. You can check it out at www.databreachcalculator.com.
Posted by Dr. Larry Ponemon at 10:00 am
Listen to a new podcast on the True Cost of Compliance study
March 7, 2011
Dear friends and colleagues,
Please listen to a recent podcast on the True Cost of Compliance study completed last month. Martin McKeay at Network Security Blog did a great job conducting this 30-minute interview.
www.mckeay.net/2011/03/02/network-security-podcast-23/
If you would like a copy of the full report, please visit Tripwire's website as follows:
www.tripwire.com/ponemon-cost-of-compliance/
Compliance Like a Club
January 31, 2011
Have you ever noticed how some organizations wield compliance like a club when marketing their products or services? They remind you of the latest in information security regulations, such as the HITECH Act or Mass 201 CMR 17, and then menacingly predict doom for those who transgress. If you fail to comply, their messages warn like a cross schoolmarm, the boogey man will flash his regulator badge and lower the boom (unless, of course, you buy the appropriate product or service).
The problem isn’t that the products or services many companies offer are unable to help organizations become compliant with a variety of regulations. To the contrary, the need for information security and data protection has been a catalyst for a great deal of innovation in both technology and services. But rather than being received by a market that recognizes its need to do a better job of protecting and managing sensitive information, the message has become resonant dissonance.
Yet we know that organizations with good data security strategies and practices can reduce their financial risk by avoiding costly data breaches and minimizing their impact when breaches do occur, so why isn’t the message more effective? The reason is that fear has been compliance’s primary motivator, and in business, fear is a lousy motivator.
So the Ponemon Institute set out to determine the financial benefit to organizations that adopt and implement compliance-related activities, including processes, policies, people and technologies. Non-compliance costs included things like fines, legal fees, and lost opportunity costs. We examined these activities for 46 multinational corporations in a benchmark study underwritten by Tripwire Inc., and we believe the findings are revealing. We also hope they will provide much needed support for information security and compliance professionals advocating for the resources to do their jobs. Among the findings:
Non-compliance costs are 2.65 times higher for organizations than compliance costs. That means that companies with ongoing investments in compliance-related activities actually save money compared with those organizations that fail to comply with various domestic and international security regulations. Of the companies we studied, compliance costs averaged $3.5 million, while non-compliance costs averaged $9.3 million, meaning those organizations that invested $3.5 million in compliance saved $5.8 million.
The full report offers a detailed description of our methodologies, industry cost comparisons, and other detailed descriptions of our findings that we hope will prove to be illuminating.
We hold firmly to the belief that compliance is a foundation, not a ceiling, and that no organization should be satisfied with maintaining only minimum standards for protecting the data they and their customers value. Instead, a holistic information security strategy that fosters a culture of vigilance, and is designed to anticipate and change as needed to respond to an ever-changing threat environment, is needed.
If we can help you to achieve that ideal, please let us know.
Posted by Dr. Larry Ponemon at 10:14 am
Poor Privacy Practice is Ailing Healthcare Industry
November 9, 2010
It has been more than six years since the ChoicePoint data breach thrust the issue of privacy protection into the headlines. Since then hundreds of information security failures have been disclosed and the tools and techniques used to keep sensitive information safe have advanced at a healthy pace. Recent incidents in the healthcare industry, however, strongly suggest that best practices have not been universally adopted.
Looking deeper into this issue with our recent Benchmark Study on Patient Privacy and Data Security, sponsored by ID Experts, we learned something about the extent to which poor security practices are costing healthcare organizations. Here are some of our findings:
· Data breaches cost the healthcare industry $6 billion per year;
· Data breaches cost healthcare organizations an average of $1 million per year;
· Lack of staff and preparation (policies and processes) are blamed for most data breaches; and,
· The HITECH Act has not resulted in significant change to the industry’s approach to data protection.
Looking over some recent data breach incidents in healthcare I see breakdowns in access governance, failure to encrypt, loss or theft of devices, and disposal of unshredded documents. These causes are not unique to the industry, but the magnitude of some events stands out and suggests to me that the industry is struggling with the challenges of migrating from a largely paper-based model to one that is being asked to migrate quickly to a networked, digital format.
As I told Andy Greenberg at Forbes, hospitals have had a tradition of lousy IT that relies on paper billing records and filing without serious privacy controls. Migrating to electronic health records can help to address information protection, but attempting to manage security and protect privacy in a digital world using paper processes is a nightmare.
ID Experts president Rick Kam believes patient trust is being sacrificed at the altar of profit margins. “It is clear that in healthcare organizations today, patient revenue trumps risk management,” Rick told me. “Everyone is chasing electronic health record stimulus dollars and there is no allocation or consideration for protecting patient data."
The good news is that the healthcare industry doesn’t have to start from scratch, but can learn from the experience of the financial services and other consumer-facing industries. The sooner this happens, the better for everyone who is a consumer of healthcare services – and that is everyone.
Posted by Dr. Larry Ponemon at 6:05 am