We recently completed some new research with Accenture in which we were surprised to find that, in spite of all the attention being paid to data protection, and in spite of new and updated data protection regulations, complacency is beginning to settle in among many companies.
Yes, I said complacency.
Oh, don’t get me wrong: most organizations have good intentions with regard to data protection, but we all know where the road paved with good intentions leads.
Here are two key findings we learned through the new study:
Although 70 percent of both organizations and individual respondents agreed that organizations should secure individuals’ personal information, disclose how they use it and deal with the ramifications of losing it, nearly half were ambivalent about granting individuals control over their personal information, did not place a high priority on several critical aspects of consumer privacy and did not believe typical privacy practices were important.
While 58 percent of organizations experienced at least one security breach in the past two years, 31 percent did not. The group that had no breaches displayed some substantial differences in attitudes and policies regarding data privacy and protection. In particular, they demonstrated the belief that individuals have substantial rights to manage, correct and control their personal information and to understand how such information is being used. They also were more likely to feel a stronger obligation to uphold data privacy and protection, and to have policies that make the protection of sensitive data a high priority. Furthermore, organizations with no breaches tend to take a stricter view of appropriate uses of personal information—for instance, being far less likely to believe it is appropriate to sell personal data for profit.
This suggests a strong correlation between an organization’s level of respect for an individual’s personal data and the likelihood that the organization will suffer a data breach.
By establishing an environment within an organization that encourages employees to see data as an extension of the customer and not merely something owned by the company, thereby fostering the development of a “culture of caring,” data privacy and information security programs become more effective.
Does it surprise you to learn that, according to our recent study, Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security, employee compliance with corporate data security policies is on the wane?
Why do you think this is? I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity: the development of new, mobile technologies that empower employees to do more while away from the office; a failure of organizations to keep pace with the ways technology is changing the dynamics of data security; and current economic conditions that are putting increased pressure on individuals to be more productive with fewer resources.
Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.
It should come as no surprise that trust is increasingly important in customers’ loyalty to their bank. While overall trust in the industry is down, banks that experienced a significant data breach also experienced a significant decline in their trust scores. This study also reveals there is a correlation between customers’ trust and how long they remain with the same bank. Customers expect their bank to have protective measures in place to guard their data. If that expectation is not met, they will change banks.
Symantec Corporation and the Ponemon Institute are pleased to present 2011 Cost of Data Breach: India, our first annual benchmark study concerning the cost of data breach incidents for Indian-based companies. For organizations in India, the cost of data breach is 2,105 INR (India Rupee) for one compromised record.
Symantec Corporation and the Ponemon Institute are pleased to present 2011 Cost of Data Breach: France, our third annual benchmark study concerning the cost of data breach incidents for French-based companies. For organizations in France, the cost of a data breach continues to rise. In 2011 the cost of one compromised record increased from €98 to €122.
Symantec Corporation and the Ponemon Institute are pleased to present 2011 Cost of Data Breach: Australia, our third annual benchmark study concerning the cost of data breach incidents for Australian-based companies. For organisations in Australia, the cost of a data breach continues to rise. In 2011 the cost of one compromised record increased from AUD $128 to $138.
Symantec Corporation and the Ponemon Institute are pleased to present 2011 Cost of Data Breach Study: Germany, our fourth annual benchmark study concerning the cost of data breach incidents for German-based companies. For German organizations the cost of a data breach continues to rise. In 2011 the cost increased from €138 to €146 on a per capita basis.
We are pleased to present the findings of the Aftermath of a Data Breach conducted by Ponemon Institute and sponsored by Experian® Data Breach Resolution. The study was conducted to learn what organizations did to recover from the financial and reputational damage of a data breach involving customer and consumer records.
Symantec Corporation and the Ponemon Institute are pleased to present 2011 Cost of Data Breach: Japan, our first benchmark study concerning the cost of data breach incidents for Japanese-based companies. For organizations in Japan, the cost of data breach is ¥11,011 for one compromised record.
What Senior Executives Think about Data Protection, conducted by Ponemon Institute and sponsored by IBM, was conducted to determine what corporate executives believe are the most important factors and activities to consider when safeguarding sensitive information and complying with increasing regulation, including the data breach notification laws that now exist in more than 45 states.
We are pleased to present the findings of the 2012 Payment Security Practices Survey: United States, sponsored by CyberSource and Trustwave. The study also was conducted in the United Kingdom and the findings from that research are available in a separate report.
Symantec Corporation and Ponemon Institute are pleased to present 2011 Cost of Data Breach Study: United States, our seventh annual benchmark study concerning the cost of data breach incidents for U.S.-based companies. While Ponemon Institute research indicates that data breaches continue to have serious financial consequences for organizations, there is evidence that organizations are becoming better at managing the costs incurred to respond and resolve a data breach incident. In this year’s study, the average per capita cost of data breach has declined from $214 to $194.
We are pleased to present the 2013 Cost of Data Breach: Global Analysis, our eighth annual benchmark study concerning the cost of data breach incidents for companies located in nine countries.
Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.
Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions.
Critical to controlling costs is keeping customers from leaving. The research reveals that reputation and the loss of customer loyalty do the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers.
As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breach significantly. Other measures include having a CISO in charge and involving the company’s business continuity management team in dealing with the breach.
In most countries, the primary root cause of the data breach is a malicious insider or criminal attack. It is also the most costly. In this year’s study, we asked companies represented in this research what worries them most about security incidents, what investments they are making in security and the existence of a security strategy.
An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.
Global companies also are worried about malicious code and sustained probes, which have increased more than other threats. Companies estimate that they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same and companies estimate they will be dealing with an average of 10 such incidents each month.
When asked about the level of investment in their organizations’ security strategy and mission, on average respondents would like to see it doubled from what they think will be spent—an average of $7 million to what they would like to spend—an average of $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company.
Sponsored by Solera Networks, The Post Breach Boom study was conducted by Ponemon Institute to understand the differences between non-malicious and malicious data breaches and what lessons are to be learned from the investigation and forensic activities organizations conduct following the loss or theft of sensitive and confidential information. The majority of respondents in this study believe it is critical that a thorough post-breach analysis and forensic investigation be conducted following either a non-malicious or malicious security breach.
Can a data breach in the cloud result in a larger and more costly incident? Our latest study, Data Breach: The Cloud Multiplier Effect, sponsored by Netskope, reveals how the risk of a data breach in the cloud is multiplying. According to the IT and IT security practitioners participating in this study, the proliferation of mobile and other devices with access to cloud resources and more dependency on cloud services without the support of a strengthened cloud security posture and visibility of end user practices is making it difficult to stop the loss or theft of sensitive data in the cloud. We hope you will download the complete report at: http://www.netskope.com/reports-infographics/ponemon-2014-data-breach-cloud-multiplier-effect/
2014 will long be remembered for a series of mega security breaches and attacks starting with the Target breach in late 2013 and ending with Sony Pictures Entertainment. In the 2014: A Year of Mega Breaches study sponsored by Identity Finder, the following findings reveal changes companies are making to their security strategies.
• More resources are allocated to preventing, detecting and resolving data breaches. According to 61 percent of respondents, the budget for security increased by an average of 34 percent. Most was used for SIEM, endpoint security and intrusion detection and prevention.
• Senior management gets a wake-up call and realizes the need for a stronger cyber defense posture. Sixty-seven percent of respondents say their organization made sure the IT function has the budget necessary to defend it from data breaches.
• Operations and compliance processes are changing to prevent and detect breaches. Sixty percent of respondents say they made changes to operations and compliance processes to establish incident response teams, conduct training and awareness programs and use data security effectiveness measures.
Data breaches are in the headlines and on the minds of both businesses and consumers. While much of the dialog has been driven by companies that experienced a data breach, this new study sponsored by Experian® Data Breach Resolution explores consumers’ sentiments about data breaches. Our goal is to learn the effect data breaches have on consumers’ privacy and data
With data breaches making headlines the world over, awareness about the importance of having technologies and governance practices in place to respond to such incidents should be at an all-time high. In this study sponsored by Experian® Data Breach Resolution, we surveyed 567 executives in the United States about how prepared they think their companies are to respond to a data breach.
We are pleased to present the 2014 Global Report on the Cost of Cyber Crime. Sponsored by HP Enterprise Security, this year’s study is based upon a representative sample of 257 organizations in various industry sectors.
IBM and Ponemon Institute are pleased to present the 2014 Cost of Data Breach Study: United States, our ninth annual benchmark study on the cost of data breach incidents for companies located in the United States.
Ponemon Institute is pleased to present its ninth annual Cost of Data Breach Study: Global Analysis, sponsored by IBM. According to the benchmark study of 314 companies spanning 10 countries, the average consolidated total cost of a data breach increased 15 percent in the last year to $3.5 million. The study also found that the cost incurred for each lost or stolen record containing sensitive and confidential information increased more than nine percent to a consolidated average of $145.
According to the research, BCM programs can reduce the per capita cost of data breach, the mean time to identify and contain a data breach and the likelihood of experiencing such an incident over the next two years.
We are pleased to announce the release of a study focused on the cybersecurity threat to small and medium-sized companies (SMBs). Based on the findings, we conclude that no business is too small to evade a cyber attack or data breach. In fact, 55 percent of respondents say they experienced a cyber attack in the past 12 months and 50 percent of companies represented in this study had a data breach during the past year.