Tag Archives: IDT911

How to Measure Data Breach Costs?

Businesses typically have a hard time quantifying potential losses from a data breach because of the myriad factors that need to be considered.

A recent disagreement between Verizon and the Ponemon Institute about the best approach to take for estimating breach losses could make that job a little harder.

For some time, Ponemon has used a cost-per-record measure to help companies and insurers get an idea of how much a breach could cost them. Its estimates are widely used.

The institute recently released its latest numbers showing that the average cost of a data breach has risen from $3.5 million in 2014 to $3.8 million this year, with the average cost per lost or stolen record going from $145 to $154.


The report, sponsored by IBM, showed that per-record costs have jumped dramatically in the retail industry, from $105 last year to $165 this year. The cost was highest in the healthcare industry, at $363 per compromised record. Ponemon has released similar estimates for the past 10 years.

But, according to Verizon, organizations trying to estimate the potential cost of a data breach should avoid using a pure cost-per-record measure.


ThirdCertainty spoke with representatives of both Verizon and Ponemon to hear why they think their methods are best.

Verizon’s Jay Jacobs

Ponemon’s measure does not work very well with data breaches involving tens of millions of records, said Jay Jacobs, Verizon data scientist and an author of the company’s latest Data Breach Investigations Report (DBIR).

Jacobs says that, when Verizon applied the cost-per-record model to breach-loss data obtained from 191 insurance claims, the numbers it got were very different from those released by Ponemon. Instead of hundreds of dollars per compromised record, Jacobs said, his math turned up an average of 58 cents per record.

Why the difference? With a cost-per-record measure, the method is to divide the sum of all losses stemming from a breach by the total number of records lost. The issue with this approach, Jacobs said, is that cost per record typically tends to be higher with small breaches and drops as the size of the breach increases.

Generally, the more records a company loses, the more it’s likely to pay in associated mitigation costs. But the cost per record itself tends to come down as the breach size increases, because of economies of scale, he said.

Many per-record costs associated with a breach, such as notification and credit monitoring, drop sharply as the volume of records increases. When costs are averaged across millions of records, per-record costs fall dramatically, Jacobs said. For massive breaches in the range of 100 million records, the cost can drop to pennies per record, compared with the hundreds and even thousands of dollars that companies can end up paying per record for small breaches.

“That’s simply how averages work,” Jacobs said. “With the megabreaches, you get efficiencies of scale, where the victim is getting much better prices on mass-mailing notifications,” and on most other contributing costs.

Ponemon’s report does not reflect this because its estimates are only for breaches involving 100,000 records or fewer, Jacobs said. The estimates also include hard-to-measure costs, such as those of downtime and brand damage, that don’t show up in insurance claims data, he said.

An alternate method is to apply more of a statistical approach to the available data and develop estimated average loss ranges for breaches of different sizes, Jacobs said.

While breach costs increase with the number of records lost, not all increases are the same. Several factors can cause costs to vary, such as how robust a company’s incident response plan is and whether it has pre-negotiated contracts for customer notification and credit monitoring, Jacobs said. Companies might want to develop a model that captures these variances in cost as completely as possible and express potential losses as an expected range rather than as per-record numbers.

Using this approach on the insurance data, Verizon has developed a model that, for example, lets it say with 95% confidence that the average loss for a breach of 1,000 records is forecast to come in at between $52,000 and $87,000, with an expected cost of $67,480. Similarly, the expected cost for a breach involving 100 records is $25,450, but average costs could range from $18,120 to $35,730.

Jacobs said this model is not perfectly accurate because of the many factors that affect breach costs. As the number of records breached increases, the overall accuracy of the predictions begins to decrease, he said. Even so, the approach is more scientific than averaging costs and arriving at per-record estimates, he said.
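The two approaches Jacobs contrasts, a per-record average versus a regression that yields an expected loss and a range for a given breach size, can be made concrete on constructed numbers. The block below is an added example, not code or data from Verizon, Ponemon or the DBIR: the claims list is made up (a square-root power law with mild noise), and the 95% range is a simple normal approximation in log space, not Verizon’s actual method.

```python
import math
from statistics import mean

# Constructed sample of insurance claims: (records_compromised, total_loss_usd).
# Made up for illustration (loss grows as the square root of records, times
# mild noise); not figures from the Verizon DBIR or the Ponemon reports.
_NOISE = (0.8, 1.3, 1.0, 0.9, 1.2)
RECORDS = (100, 250, 500, 1_000, 2_500, 5_000, 10_000, 25_000, 50_000,
           100_000, 500_000, 1_000_000, 5_000_000, 20_000_000, 100_000_000)
CLAIMS = [(n, 5_000 * math.sqrt(n) * _NOISE[i % len(_NOISE)])
          for i, n in enumerate(RECORDS)]


def pooled_cost_per_record(claims):
    """All losses divided by all records: the figure a megabreach dominates."""
    return sum(loss for _, loss in claims) / sum(n for n, _ in claims)


def mean_cost_per_record(claims):
    """Average of each claim's own loss/records ratio: small breaches dominate."""
    return mean(loss / n for n, loss in claims)


def fit_loglog(claims):
    """Ordinary least squares of log10(loss) on log10(records).

    Returns (intercept, slope, residual_sd). A slope below 1 means total loss
    grows more slowly than record count, i.e. per-record cost falls with size.
    """
    xs = [math.log10(n) for n, _ in claims]
    ys = [math.log10(loss) for _, loss in claims]
    x_bar, y_bar = mean(xs), mean(ys)
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = y_bar - slope * x_bar
    resid = [y - (intercept + slope * x) for x, y in zip(xs, ys)]
    resid_sd = math.sqrt(sum(r * r for r in resid) / (len(resid) - 2))
    return intercept, slope, resid_sd


def forecast(model, records, z=1.96):
    """Expected loss and an approximate 95% range for a breach of `records`.

    Uses a normal approximation in log space (an assumption of this example,
    not the method used in the DBIR).
    """
    intercept, slope, resid_sd = model
    centre = intercept + slope * math.log10(records)
    return 10 ** centre, 10 ** (centre - z * resid_sd), 10 ** (centre + z * resid_sd)


if __name__ == "__main__":
    print(f"pooled $/record:          {pooled_cost_per_record(CLAIMS):.2f}")
    print(f"mean per-claim $/record:  {mean_cost_per_record(CLAIMS):.2f}")
    model = fit_loglog(CLAIMS)
    print(f"log-log slope: {model[1]:.3f} (below 1 => per-record cost falls with size)")
    for n in (100, 1_000, 100_000, 100_000_000):
        exp, lo, hi = forecast(model, n)
        print(f"{n:>11,d} records: expected ${exp:,.0f} "
              f"(range ${lo:,.0f} to ${hi:,.0f}); ${exp / n:.2f}/record")
```

On this constructed data the pooled per-record figure comes out under a dollar while the per-claim average is around a hundred dollars, which is the “how averages work” effect Jacobs describes. A production version would use a proper prediction interval with a leverage term, so the range widens as the forecast moves away from the bulk of the claims; that is the loss of accuracy for very large breaches that Jacobs concedes.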

Ponemon’s Larry Ponemon

Larry Ponemon, chairman and founder of the Ponemon Institute, stood by his methodology and said the estimates are a fair representation of the economic impact of a breach.

Ponemon’s estimates are based on actual data collected from individual companies that have suffered data breaches, he said. The institute considers all costs that companies can incur when they suffer a data breach and includes estimates from more than 180 cost categories in total.

By contrast, the Verizon model looks only at the direct costs of a data breach collected from a relatively small sample of 191 insurance claims, Ponemon said. Such claims often provide an incomplete picture of the true costs incurred by a company in a data breach. Often, the claim limits also are smaller than the actual damages suffered by an organization, he said.

“In general, the use of claims data as surrogate for breach costs is a huge problem, because it underestimates the true costs” significantly, Ponemon said.

Verizon’s use of logarithmic regression to arrive at the estimates also is problematic because of the small data size and the fact the data was not derived from a scientific sample, he said.

Ponemon said the costs of a data breach are linearly related to the size of the breach. Per-record costs come down as the number of records increases, but not to the extent portrayed by Verizon’s estimates, he said.

“I have met several insurance companies that are using our data to underwrite risk,” he said.

Unstructured Data: New Cyber Worry

Companies are generating mountains of unstructured data and, in doing so, unwittingly adding to their security exposure.

Unstructured data is any piece of information that doesn’t get stored in a database or some other formal data management system. Some 80% of business data is said to be unstructured, and that percentage has to be rising. Think of it as employee-generated business information—the sum total of human ingenuity that we display in the workplace, typing away on productivity and collaboration software and dispersing our pearls of wisdom in digital communications.


Unstructured data is all of the data that we are generating on our laptops and mobile devices, storing in cloud services, transferring in email and text messages and pitching into social media sites.

Many companies are just starting to come to grips with the complex challenge of figuring out how to categorize and manage this deluge of unstructured data.

Sensitive data at risk

But what’s more concerning is the gaping security exposure.

It was unstructured data—in the form of a text message transcript of employees conversing about deflating footballs—that blindsided the New England Patriots NFL team and its star quarterback, Tom Brady.

Yet the full scope of risk created by unstructured data is much more profound.

“The risk that unstructured data poses dwarfs that of any other type of data,” says Adam Laub, product management vice president at STEALTHbits Technologies. “It is the least understood form of data in terms of access, activity, ownership and content.”

STEALTHbits helps companies that use Windows Active Directory identify and keep more detailed track of shared files that hold unstructured data. That may sound basic. Yet the fact that STEALTHbits is part of a thriving cottage industry of technology vendors helping organizations get a grip on unstructured data is truly a sign of the times. I met with Laub as he was pitching STEALTHbits’ technology at the recent RSA Conference in San Francisco. “Any single file can contain the data that puts an organization in the headlines, and turning a blind eye to the problem or claiming it’s too big to handle is not a valid excuse for why unstructured data hasn’t been secured properly,” Laub says.

A decade and a half has elapsed since the Y2K scare. During that period, business networks have advanced and morphed and now tie extensively into the Internet cloud and mobile devices.

Time to close loophole

Along the way, no one had the foresight to champion a standard architecture to keep track of—much less manage and secure—unstructured data, which continues to grow by leaps and bounds.

Criminals certainly recognize the opportunity for mischief that has resulted. It’s difficult to guard the cream when the cream can be accessed from endless digital paths.

Just ask Morgan Stanley. Earlier this year, a low-ranking Morgan Stanley financial adviser pilfered, then posted for sale, account records, including passwords, for 6 million clients. The employee was fired and is being investigated by the FBI. But Morgan Stanley has to deal with the hit to its reputation.

“The urgency is that your information is under attack today,” says Ronald Arden, vice president at Fasoo USA, a data management technology vendor. “Somebody is trying to steal your most important information, and it doesn’t matter if you’re a small company that makes widgets for the oil and gas industry or you’re Bank of America.”

Fasoo’s technology encrypts any newly generated data that could be sensitive and fosters a process for classifying which types of unstructured data should routinely be locked down, Arden told me.

Technology solutions, of course, are only as effective as the people and processes in place behind them. It is incumbent upon executives, managers and employees to help make security part and parcel of the core business mission. Those that don’t do this will continue to be easy targets.

Steps forward

Simple first steps include identifying where sensitive data exists. This should lead to clarity about data ownership and better choices about granting access to sensitive data, says STEALTHbits’ Laub.

This can pave the way to more formal “Data Access Governance” programs, in which data access activities are monitored and user behaviors are baselined. “This will go a long way towards enabling security personnel to focus on the events and activities that matter most,” says Laub.

Smaller organizations may have to move much more quickly and efficiently. Taking stock of the most sensitive information in a small or mid-sized organization is doable, says Fasoo’s Arden.

“If you are a manufacturing company, the intellectual property around your designs and processes are the most critical pieces of information in your business, if you are a financial company it’s your customer records,” Arden says. “Think about securing that information with layers of encryption and security policies to guarantee that that information cannot leave your company.”

Some unstructured business data is benign and may not need to be locked down. “If I write you a memo that says, ‘We’re having a party tonight,’ that’s not a critical piece of information,” says Arden. “But a financial report or intellectual property or something related to healthcare or privacy, that’s probably something that you need to start thinking about locking down.”
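The first step Laub and Arden describe, finding out which unstructured documents actually hold sensitive content and sorting the party memo from the financial report or the health record, is the kind of thing a simple content classifier does. The block below is an added example, not STEALTHbits’ or Fasoo’s code: the documents are constructed, the indicator patterns (SSN format, Luhn-valid card numbers, a few health and business keywords) are an assumed starting set, and the three tiers (internal, confidential, restricted) are this example’s own.

```python
import re

# Constructed sample documents (made up for this example, not from any company).
DOCS = {
    "party_memo": "Team: we're having a party tonight in the break room. Bring snacks.",
    "quarterly_financials": "DRAFT financial report, Q3. Revenue by region attached. Do not distribute.",
    "design_notes": "Intellectual property: tolerances for the widget housing, rev 4.",
    "patient_export": "Patient ID 4471, diagnosis: hypertension. SSN 123-45-6789 on file.",
    "card_on_file": "Customer card 4111 1111 1111 1111 stored for recurring billing.",
    "order_sheet": "Order 1234 5678 9012 3456 shipped to the warehouse on Tuesday.",
}

# Indicators of regulated personal, health or payment data: any hit => "restricted".
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # card-number candidates, confirmed by Luhn
HEALTH_RE = re.compile(r"\b(?:diagnosis|prescription|patient id)\b", re.IGNORECASE)
# Business-sensitive but not regulated: "confidential".
BUSINESS_RE = re.compile(
    r"\b(?:financial report|intellectual property|do not distribute)\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum; weeds out order numbers and phone numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_indicators(text):
    """Count each indicator type present in the text."""
    found = {
        "ssn": len(SSN_RE.findall(text)),
        "card": 0,
        "health": len(HEALTH_RE.findall(text)),
        "business": len(BUSINESS_RE.findall(text)),
    }
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found["card"] += 1
    return found


def classify(text):
    """Map indicator counts to a handling tier (this example's own three tiers)."""
    ind = find_indicators(text)
    if ind["ssn"] or ind["card"] or ind["health"]:
        return "restricted"
    if ind["business"]:
        return "confidential"
    return "internal"


def classify_all(docs):
    return {name: classify(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, tier in classify_all(DOCS).items():
        print(f"{name:<22} {tier:<13} {find_indicators(DOCS[name])}")
```

The Luhn step matters in practice: a bare 13-to-16-digit regex would mark the order sheet as payment data, and a classifier that cries wolf on every long number is one that staff learn to ignore. Real deployments extend the indicator set (account-number formats, document fingerprints, customer lists) and feed the tier into the encryption or access policy Arden describes.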

2015 Is Watershed for Healthcare Hacking

Predictions that 2015 would be a watershed year for stolen healthcare records are bearing out.

Health insurer Premera Blue Cross has disclosed that a cyber attack that commenced in May 2014 resulted in exposure of medical data and financial information of 11 million customers. Stolen records included claims data and clinical information, as well as financial account numbers, Social Security numbers, birth dates and other personal data. The Premera breach appears to involve a record number of victims.

Records for some 80 million people were stolen from the nation’s No. 2 insurer, Anthem, and, as disclosed last summer, records for 4.5 million people were hacked from Community Health Systems, parent of 206 hospitals in 29 states. But the Anthem and CHS breaches involved the theft of personal data only, not medical records.


Personal and medical records are the building blocks for the worst forms of identity theft. With Premera, “hackers not only got the skeleton keys to lives, they got the key ring and the key chain,” says Adam Levin, chairman and co-founder of identity and data risk management consultancy, IDT911, which sponsors ThirdCertainty. “Members and employees whose data was exposed – especially their SSNs – will be forced to look over their shoulders for the rest of their lives.”

Seattleites hit hard

More than half of the victims, about 6 million Premera patrons, reside in Washington state, including employees of Amazon, Microsoft and Starbucks. These companies now are prime targets for spear phishing attacks. It doesn’t take much imagination for a criminal to use stolen data to create spoofed accounts to come across as a trusted colleague to send viral email and social media posts to fellow employees as a way to breach any of these corporate networks.

On a lower rung of criminal activity, a whole generation of scammers who’ve mastered fraudulent online transactions using stolen credit card account numbers are ready to move to the next level, observes Lisa Berry-Tayman, senior privacy and governance advisor at IDT911 Consulting.

“Criminals learn,” Berry-Tayman says. “The credit card thief steals the data, charges until the account is closed and the money is gone. To steal more money over a longer period of time, he or she must think bigger, and bigger is identity theft. Why just spend their money for a finite period of time when you can become them and spend their money for years and years?”

The healthcare industry has arisen as a target because it has moved aggressively to get rid of paper records and to collect, store and make use of healthcare data in digital form. The goal: to boost productivity. The trouble is that the healthcare industry, like many other industries, continues to make the digital push, including intensive use of the Internet cloud, without adequately accounting for security basics, security experts argue.


“Today’s Premera breach news once again demonstrates the failure of flawed, outdated assumptions, an over-reliance on guard-the-entry-point security and simplistic single-key encryption schemes,” says Richard Blech, CEO of encryption technology company Secure Channels. “This is a quaint and dangerous approach to a 21st century problem.”

Trent Telford, CEO of data security company Covata, agrees. “For many of these companies, data security has been an afterthought or something they did not deem necessary,” Telford says. “However, this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information, and it is the responsibility of corporations to take appropriate steps to ensure it is protected – this must include data encryption.”

Common culprits?

Premera is keeping details of how the breach was carried out close to the vest. The FBI and IT forensics specialist Mandiant, a division of FireEye, are investigating. A good guess is that Premera was the focus of a targeted attack, says Josh Cannell, malware intelligence analyst at Malwarebytes Labs.

“A vast majority of cyberattacks targeting enterprise networks originate by attackers gaining access to internal networks through social engineering techniques like phishing/spear phishing e-mails that closely resemble something employees are familiar with,” Cannell says. “Once attackers have an access point inside an enterprise network, they can then use privilege escalation techniques and install malware to maintain a presence on the network.”

Cannell says it’s plausible the same hacking collective hit Anthem and Premera. “Since the attack happened around the same time as the Anthem breach, and was targeting a similar organization, it seems reasonable to say the threat likely originated from the same actors,” Cannell says.

How HR Can Stop Insider Data Theft

After Edward Snowden’s escapades, how could any company fail to take simple measures to reduce its exposure to insider data theft?

Yet large enterprises remain all too vulnerable to insider threats, as evidenced by the Morgan Stanley breach. And many small and medium-sized businesses continue to view insider data theft as just another nuisance piled on to a long list of operational challenges.

“I suspect too many companies are fixated on outsider threats, like malware infections and external hacking, to the extent that insider threats get overlooked,” says Stephen Cobb, senior security researcher at anti-malware vendor ESET.


A low-level Morgan Stanley financial adviser with sticky fingers allegedly tapped into account records, including passwords, for six million of the Wall Street giant’s clients. He got caught allegedly attempting to peddle the stolen records on Pastebin, a popular website for storing and sharing text files.

The financial services sector has long been very proactive in defending against all forms of data breaches, for obvious reasons, and Morgan Stanley was able to nip this particular caper early on. Big banks and investment houses typically have highly trained teams, using a variety of detection tools and monitoring regimes designed to flush out any indication of a breach.

“Often you have analysts in a security operations center hunting for abnormal activity,” says Scott Hazdra, principal security consultant at risk management firm Neohapsis. “They can often spot suspicious data movement based on quantity, destination or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.”

Organizations outside of the financial services industry, however, are still on the lower end of the curve in understanding this exposure, much less in taking even basic steps to reduce it.

Given the nature of the exposure, security and privacy experts say human resource officials need to be on the front lines of mitigating insider data theft. In particular, HR department heads should be integrally involved in working with a company’s tech and security teams to define and deploy access rights to sensitive company data.

“With this collaboration and the right tool sets, companies can apply access controls that restrict employees to just the information they need to perform their jobs,” says Deena Coffman, CEO of IDT911 Consulting, which is part of identity and data risk consultancy IDT911. (Full disclosure: IDT911 sponsors ThirdCertainty.)

It’s a balancing act, of course. Quick and flexible access to company records drives productivity gains. At the same time, it creates fresh opportunities for granting unnecessary access privileges — and for theft.

“Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage,” says Steve Hultquist, chief evangelist at security analytics firm RedSeal. “Using automation to analyze and ensure compliance with a security policy is essential for protecting customer and corporate data assets.”

There should also be a structured process for communicating changes quickly to ensure that a terminated employee or departed contractor does not retain access privileges, Coffman says.

“Many of the inside attacks are IT employees with elevated privileges and little oversight on how and when those privileges are used,” Coffman says. “The use of privileged accounts should be monitored and logged. Separation of duties should be required on certain functions, and an annual outside review is a good idea.”

Cutting off terminated employees and partners should be swift and sure. Better safe than sorry.

“Too often, organizations don’t have a complete picture of what access each employee has, particularly if they have been there a while,” ESET’s Cobb says. “Getting employee departures right involves a coordinated effort from HR, IT and legal.”
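The controls described in this piece (Hazdra’s SOC analysts spotting suspicious data movement by quantity, destination or classification level; Coffman’s point that privileged access should be logged and monitored and that departed staff must lose access promptly) and the user-behaviour baselining Laub mentions in the unstructured-data article above can all be expressed as checks over an access log. The block below is an added example, not code from Neohapsis, IDT911 or STEALTHbits: the log lines, the role ceilings, the termination date and the field names are all constructed, and the “five times the user’s median day” threshold is an assumption chosen for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed access log (not from any real system). Each line records one
# bulk read or export of client records by an employee.
LOG_LINES = """\
2015-01-05T09:12:00 user=asmith action=export records=40 dest=internal class=confidential
2015-01-06T10:02:00 user=asmith action=export records=55 dest=internal class=confidential
2015-01-07T11:30:00 user=asmith action=export records=35 dest=internal class=confidential
2015-01-08T22:47:00 user=asmith action=export records=350000 dest=external class=confidential
2015-01-05T08:40:00 user=bjones action=export records=500 dest=internal class=internal
2015-01-06T08:45:00 user=bjones action=export records=480 dest=internal class=internal
2015-01-07T08:50:00 user=bjones action=export records=520 dest=internal class=restricted
2015-01-09T14:00:00 user=cwong action=export records=10 dest=internal class=confidential
"""

# Constructed HR data: the highest classification each role may handle, and the
# date from which a departed employee's access should already have been revoked.
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
MAX_CLASS = {"asmith": "confidential", "bjones": "internal", "cwong": "confidential"}
TERMINATED = {"cwong": "2015-01-08"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) dest=(?P<dest>\S+) class=(?P<cls>\S+)$")


def parse(lines):
    """Turn raw log lines into dicts; malformed lines are skipped (log them in production)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["records"] = int(e["records"])
            e["day"] = e["ts"][:10]
            events.append(e)
    return events


def daily_totals(events):
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["day"]] += e["records"]
    return totals


def flag_events(events, volume_factor=5, min_history_days=3):
    """Return (when, user, reason) tuples for everything an analyst should look at."""
    flags = []
    for e in events:
        user, day = e["user"], e["day"]
        # 1. Departed staff still touching data: access that should have been cut off.
        if user in TERMINATED and day >= TERMINATED[user]:
            flags.append((e["ts"], user, "access after termination date"))
        # 2. Classification above the role's ceiling.
        if CLASS_RANK[e["cls"]] > CLASS_RANK[MAX_CLASS.get(user, "public")]:
            flags.append((e["ts"], user, f"classification {e['cls']} exceeds role ceiling"))
        # 3. Data leaving the organisation.
        if e["dest"] != "internal":
            flags.append((e["ts"], user, f"export to {e['dest']} destination"))
    # 4. Volume far above the user's own baseline (median of their other days).
    for user, days in daily_totals(events).items():
        for day, total in days.items():
            other = [v for d, v in days.items() if d != day]
            if len(other) >= min_history_days and total > volume_factor * median(other):
                flags.append((day, user,
                              f"daily volume {total} vs baseline {median(other):.0f}"))
    return flags


if __name__ == "__main__":
    for when, user, reason in flag_events(parse(LOG_LINES)):
        print(f"{when}  {user:<8} {reason}")
```

The four rules deliberately do not depend on one another: a night-time 350,000-record export to an external destination trips both the destination and the volume checks, a user reading above their role’s ceiling is caught even at normal volumes, and an account that HR has marked as departed is flagged on any activity at all. The baseline is per user, which is what turns “quantity” into a usable signal; a flat threshold would either miss the adviser who normally handles small batches or bury analysts in alerts from staff whose job is bulk processing.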

A disgruntled employee who is not planning on going anywhere is another type of exposure that should be addressed. American Banker is now reporting that the alleged perpetrator of the Morgan Stanley breach was promoted to financial adviser from sales assistant about a year ago and gained access to records by manipulating the bank’s wealth management software. The lawyer representing the accused adviser insists in the American Banker report that his client did not post any of Morgan Stanley’s data on Pastebin.

“All managers need to be aware of morale among reports, and there needs to be a process for taking concerns to HR in a discreet way while increasing monitoring of use of IT resources,” Cobb says.