A press release from Experian Data Breach Resolution and the Ponemon Institute:
Nearly every day, consumers willingly provide their personal information to organizations online with no hesitation, neglecting to realize how that information can be exposed due to employee negligence, insider maliciousness, system glitches or attacks by cyber criminals. With Data Privacy Day (Saturday, January 28) right around the corner, Experian Data Breach Resolution and the Ponemon Institute released today compelling survey findings from more than 500 IT professionals who have experienced a data breach at their company.
“The responsibility of keeping customers’ information secure cannot lie solely on the shoulders of IT; rather every executive in the organization should be aware since the reverberation of a breach will be felt by everyone,” said Ozzie Fonseca, senior director at Experian Data Breach Resolution. “Survey results show us that a data breach is often the result of human error or a crime – neither of which can be 100 percent prevented. As such, companies must put measures in place – training, preparedness plans, guidelines, etc. – to help protect their customers’ information.”
Survey respondents had 10.5 years or more of IT experience, with 73 percent reporting directly or indirectly to the chief information officer (CIO) or the chief information security officer (CISO). Also, to ensure that the answers were based on the same breach throughout the entire survey, respondents were asked to focus only on one data breach they believed had the greatest financial and reputational impact on their organizations.
“Data breaches are frequent and as a result millions of consumers are vulnerable to having their identity stolen,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “IT professionals in this study are correct when they say that following the loss or theft of consumer data it is critical for companies to take steps to understand the root cause in order to prevent another breach and protect consumers from future harm.”
The study yielded compelling insights, found below, into how a company assesses the cause, reacts to the breach and evaluates next steps.
- Circumstances of a data breach – After the breach has occurred, there is an obvious immediate question: how did this happen?
  - Sixty percent of respondents say the customer data that was lost or stolen was not encrypted.
  - Examples of the types of data that companies lost included, but were not limited to, email (70 percent), credit card or bank payment information (45 percent), and social security numbers (33 percent).
  - If the organization was able to determine the cause of the breach, most often it was the negligent insider (34 percent); 19 percent say it was the outsourcing of data to a third party and 16 percent say a malicious insider was the main cause.
- Responses to the data breach – After the breach occurred, as with any crisis, response time to all stakeholders is imperative.
  - Startlingly, only half (50 percent) of respondents felt that their organization made the best possible effort to protect customer and consumer information.
  - When it came to reducing the negative consequences of the data breach, retaining outside legal counsel (56 percent) and carefully assessing the harm to victims (50 percent) ranked the highest.
  - Despite the fact that many organizations lose the loyalty of their customers following a data breach, 64 percent of respondents say their company neglected to offer credit monitoring services and 73 percent say they don’t offer identity protection products or services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans and alerts.
- Impact of the breach on privacy and data protection practices – As with any activity that makes a company vulnerable, the key is to figure out how to protect it from happening again.
  - The majority of respondents (66 percent) say that the experience of investigating the causes of the breach will help them in determining the root causes of future breaches.
  - Negligent insiders and third parties are the main (66 percent) reason organizations are vulnerable to future breaches.
  - Following the data breach, 61 percent of respondents say their organizations increased the security budget and 28 percent hired additional IT security staff.
While respondents were candid with their feedback, they also offered suggestions as to how many of these issues could be addressed in an effort to mitigate future threats. These resolution points include the following:
- EDUCATE: By far, negligent employees, temporary employees or contractors make organizations vulnerable to future breaches, so conducting training and awareness programs and enforcing security policies should be a priority for organizations.
- SUPPORT: Privacy and data protection became a greater priority for senior leadership following the breach, and as a result security budgets for most organizations in this study also increased. It doesn’t just take time; it takes monetary support as well.
- HIRE: The top three actions believed to reduce the negative consequences of the data breach are hiring legal counsel, assessing the harm to victims and employing forensic experts.
- LEARN: Lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored.
To access the full “Aftermath of a Data Breach” Report, visit www.Experian.com/PonemonAftermathStudy.
There isn’t anything new to this report that doesn’t happen in a typical breach. I personally think the “insider threat” may be a little low, but it’s the knowledge level of the IT staff, and “need to know” of what went on during the investigation. Most are left in the dark unless someone is carried out in chains.
I have to remind myself as I read this article that the company that wrote this report works in the area that supplies a service directly related to the issues.
The methods in which to thwart individuals aren’t enough; they may come in with a bad intent to begin with. If they do, no matter what “paper guidelines” are in place, someone that has intent now knows, or has a clue of, the extent the company is willing to go to look for infractions.
The way to correct all of this starts with the IT staff, and then the infrastructure that they manage. No matter how strict or lax a security policy or training session is, the IT staff will be limited by the capabilities of the infrastructure. Less manning means more work, which equates to job prioritization, and many repetitive functions that promote eyes to bleed will be the last, if ever accomplished.
It’s nice to see what happens AFTER a breach occurs, but that means these people are willing to throw the towel in and accept the fact that failure IS an option. With that thought process, it may mean that effective communication may lack after someone signs the user agreement or non-disclosure agreement.
Personnel can only accomplish what they are told by the direct supervisors or upper management. A few unsung heroes may try to shove suggestions up the food chain, but I am sure it falls upon deaf ears when dollar signs are included. With the economy the way it is, most successful IT upgrades or enhancements are probably put on hold while the company or organization tries to ride the storm out.
It’s not an easy task sitting at a desk and trying to perform (a) function(s) which may be a small part of a business. Most people do not want to, or are not allowed to, branch out and gain an overall knowledge of what the company is doing, and how the heartbeat of the business operates. Playing a small part typically means some of the IT staff may be “blind” to actions that may happen around them. The general fix for this is to have plasma or LCD screens on walls that show trends that are related to network activity. The more people that eye a critical function, the more likely one of them may catch something in the early stages and thwart an incident. Purchasing a log aggregation product which shows bar and/or pie charts on screens with the level of severity can show individuals that something is occurring so they can act upon it, or alert the person in charge of that task that something is amok.
There are many ways out there to thwart incidents. The IT folks need to understand they were brought on to act as a team and work together; brainstorm and come up with effective solutions to make the business work like a well-oiled machine. Unfortunately, there are many points of friction along the way to get to that goal.