Tag Archives: ponemon

How Safe Is Your Data?


Your data might not be as safe as you think it is — and it could cost you dearly.

Part of the threat comes, unwittingly, from your employees, and possibly even from yourself. A significant proportion of cyber breaches (as many as 30%) stem from "negligence or mistakes": individuals failing to act responsibly or to follow procedure.

Two decades after the launch of the web, digital has become so ingrained in our lives that it’s easy to assume you know the best security practices to keep you and your organization safe from a data breach. But as technology continues to drive changes in the way we live and work and as the Internet of Things becomes more omnipresent, the digital risks we all face are only going to increase as more and more devices share data around the world.

Read on for some simple steps you can take to help keep your data more secure.


A growing threat, but an inadequate response

The number and potential severity of cyber breaches are increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014, and the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before, and the total expected to reach 50 billion by 2020, there are more potential targets for attackers as well as more scope for accidental breaches.

What's more, as of late 2015, companies are for the first time rating their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So how do you keep your organization’s data — and that of your clients and customers — safe?

According to Aon cyber insurance expert Stephanie Snyder Tomlinson, it’s not just a matter of investing in better technology and more robust systems.

“A lot of companies find that the weakest link is their employees,” Snyder Tomlinson says. “You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-it note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Brad Bryant, Aon’s global chief privacy officer. But with cyber threats increasing, it’s more important than ever to be aware of the seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators — Attackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain the person asking for it is who they claim to be?
  • Don't overshare — If you give out details about your personal life, attackers can use them to build a profile that helps them get at your or your company's information. From birthdays to addresses, small details add up.
  • Safely dispose of personal information — A surprising amount of data can remain recoverable from devices even after wiping hard drives or performing factory resets. To be certain your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data — Keeping your software up to date and password-protecting your devices may not be enough to stop an attacker should those devices fall into the wrong hands. The more layers of security the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

Investing in better cyber security is only one element of protecting your own information and that of your customers and clients. Data breaches don't just happen through hacks, or even employee errors: at least 35% of cyber breaches happen because of system or business process failures, so it's vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations should pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness — Educate employees on what social engineering fraud is, especially in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious — Always verify the authenticity of requests for changes in money-related instructions and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin or destination.
  • Be organized — Develop a list of pre-approved vendors, and ensure employees are aware of it. Review and customize crime insurance. When it comes to coverage or denial, the devil is in the details.
  • Develop a system — Institute a password procedure to verify the authenticity of any wire transfer request, and always verify the validity of an incoming email or phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvement over time.

Much of this advice is not new — but the scale of the threat is increasing, making following it more important than ever.

“Social engineering fraud is one of the greatest security threats companies can encounter today,” Fitzgerald warns. “This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious as courts and regulators are focusing on this issue globally.

The EU is finalizing a data protection regulation (the General Data Protection Regulation) to replace the data protection directive adopted in 1995. The expected result is a measure that focuses on protection of customer data. Similarly, an October 2015 ruling by the European Court of Justice, which invalidated the Safe Harbor framework, called into question the transfer of customer data between the E.U. and the U.S.

“Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction,” Bryant warns. “Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

It's not just changing E.U. rules that could affect your business. Internet jurisdictions and organizational operations are increasingly cross-border. This global patchwork of internet rules and regulations helps explain why only 24% of cyber and enterprise risk professionals say they are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

“Given the large scope and impact of the various changes in data protection law, coupled with the drastic increase in fines, becoming educated on how to protect our data is more business-critical now than ever before,” Bryant says.

Talking Points

“The average cost per user of a data breach is now $240… The costs are costly, but the current model of privacy will not make sense going forward.… The Snowden revelations advanced hope that there would be this really excited response that would get government to impose really strict regulations. There was some posturing made, and it seemed like we were heading in that direction, but I don’t think we are going there.” – Lawrence Lessig, Roy L. Furman Professor of Law, Harvard Law School

“A step change in sanctions will make privacy a board-level issue. Some businesses will need to start taking these issues a lot more seriously.” – Tanguy Van Overstraeten, Linklaters

“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.” – Andrus Ansip, Vice President for the E.U. Digital Single Market

Further Reading

How to Measure Data Breach Costs?

Businesses typically have a hard time quantifying potential losses from a data breach because of the myriad factors that need to be considered.

A recent disagreement between Verizon and the Ponemon Institute about the best approach to take for estimating breach losses could make that job a little harder.

For some time, Ponemon has used a cost-per-record measure to help companies and insurers get an idea of how much a breach could cost them. Its estimates are widely used.

The institute recently released its latest numbers showing that the average cost of a data breach has risen from $3.5 million in 2014 to $3.8 million this year, with the average cost per lost or stolen record going from $145 to $154.


The report, sponsored by IBM, showed that per-record costs have jumped dramatically in the retail industry, from $105 last year to $165 this year. The cost was highest in the healthcare industry, at $363 per compromised record. Ponemon has released similar estimates for the past 10 years.

But, according to Verizon, organizations trying to estimate the potential cost of a data breach should avoid using a pure cost-per-record measure.


ThirdCertainty spoke with representatives of both Verizon and Ponemon to hear why they think their methods are best.

Verizon’s Jay Jacobs

Ponemon’s measure does not work very well with data breaches involving tens of millions of records, said Jay Jacobs, Verizon data scientist and an author of the company’s latest Data Breach Investigations Report (DBIR).

Jacobs says that, when Verizon applied the cost-per-record model to breach-loss data obtained from 191 insurance claims, the numbers it got were very different from those released by Ponemon. Instead of hundreds of dollars per compromised record, Jacobs said, his math turned up an average of 58 cents per record.

Why the difference? With a cost-per-record measure, the method is to divide the sum of all losses stemming from a breach by the total number of records lost. The issue with this approach, Jacobs said, is that cost per record typically tends to be higher with small breaches and drops as the size of the breach increases.

Generally, the more records a company loses, the more it’s likely to pay in associated mitigation costs. But the cost per record itself tends to come down as the breach size increases, because of economies of scale, he said.

Many per-record costs associated with a breach, such as notification and credit monitoring, drop sharply as the volume of records increase. When costs are averaged across millions of records, per-record costs fall dramatically, Jacobs said. For massive breaches in the range of 100 million records, the cost can drop to pennies per record, compared with the hundreds and even thousands of dollars that companies can end up paying per record for small breaches.

"That's simply how averages work," Jacobs said. "With the megabreaches, you get efficiencies of scale, where the victim is getting much better prices on mass-mailing notifications," and on most of the other contributing costs.

Ponemon’s report does not reflect this because its estimates are only for breaches involving 100,000 records or fewer, Jacobs said. The estimates also include hard-to-measure costs, such as those of downtime and brand damage, that don’t show up in insurance claims data, he said.

An alternative is to apply a more statistical approach to the available data and develop estimated average loss ranges for breaches of different sizes, Jacobs said.

While breach costs increase with the number of records lost, not all increases are the same. Several factors can cause costs to vary, such as how robust the incident response plan is and whether contracts for customer notification and credit monitoring were negotiated in advance, Jacobs said. Companies might want to develop a model that captures these variances as completely as possible and to express potential losses as an expected range rather than as a per-record number.

Using this approach on the insurance data, Verizon has developed a model that, for example, lets it say with 95% confidence that the average loss for a breach of 1,000 records is forecast to come in at between $52,000 and $87,000, with an expected cost of $67,480. Similarly, the expected cost for a breach involving 100 records is $25,450, but average costs could range from $18,120 to $35,730.

Jacobs said this model is not perfectly accurate because of the many factors that affect breach costs. As the number of records breached increases, the overall accuracy of the predictions begins to decrease, he said. Even so, the approach is more scientific than averaging costs and arriving at per-record estimates, he said.
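The following is an added worked example, not code from Verizon, Ponemon or the article, illustrating the two methods the preceding paragraphs contrast: the pooled cost-per-record average ("divide the sum of all losses by the total number of records") and a regression of log(cost) on log(records), which is what the article's "logarithmic regression" is assumed here to mean. The claims sample is constructed: its first two rows reuse the expected costs the article quotes for breaches of 100 and 1,000 records, and the remaining rows are made-up figures. Fitting a straight line through those two quoted points in log-log space gives a power law that reproduces them exactly and lets the reader see how per-record cost falls toward pennies at 100 million records, as Jacobs describes. Nothing here reproduces Verizon's confidence intervals, which would need the full claims data.

```python
import math

# Constructed claims sample: (records lost, total cost in USD).
# The first two rows reuse the expected costs quoted in the article for
# 100 and 1,000 records; the rest are made-up figures chosen so that cost
# grows with breach size but more slowly than the record count does.
CLAIMS = [
    (100, 25_450),
    (1_000, 67_480),
    (10_000, 180_000),
    (100_000, 450_000),
    (10_000_000, 4_000_000),  # one "megabreach" dominates the record count
]


def pooled_cost_per_record(claims):
    """Sum of all losses divided by the sum of all records (the pooled average)."""
    total_cost = sum(cost for _, cost in claims)
    total_records = sum(records for records, _ in claims)
    return total_cost / total_records


def mean_per_claim_cost_per_record(claims):
    """Mean of each claim's own cost/record ratio; every claim weighs equally."""
    return sum(cost / records for records, cost in claims) / len(claims)


def fit_loglog(claims):
    """Ordinary least squares of ln(cost) on ln(records); returns (intercept, slope).

    A straight line in log-log space is the power law cost = e**intercept * records**slope.
    A slope below 1 means total cost grows sub-linearly, so cost per record
    falls as breaches get bigger.
    """
    xs = [math.log(records) for records, _ in claims]
    ys = [math.log(cost) for _, cost in claims]
    n = len(claims)
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = y_mean - slope * x_mean
    return intercept, slope


def fit_through_two_points(p1, p2):
    """Power law through two (records, cost) points: the degenerate two-point fit."""
    return fit_loglog([p1, p2])


def predict_cost(intercept, slope, records):
    """Point estimate of total breach cost for a breach of `records` records."""
    return math.exp(intercept + slope * math.log(records))


def predict_cost_per_record(intercept, slope, records):
    """Model cost divided by breach size; falls with size whenever slope < 1."""
    return predict_cost(intercept, slope, records) / records


if __name__ == "__main__":
    print(f"pooled $/record across the sample : {pooled_cost_per_record(CLAIMS):.2f}")
    print(f"mean of per-claim $/record        : {mean_per_claim_cost_per_record(CLAIMS):.2f}")
    a, b = fit_through_two_points((100, 25_450), (1_000, 67_480))
    print(f"power law from the article's two figures: cost = e^{a:.2f} * records^{b:.3f}")
    for n in (100, 1_000, 100_000, 100_000_000):
        print(f"{n:>11,} records -> ${predict_cost(a, b, n):>13,.0f} total, "
              f"${predict_cost_per_record(a, b, n):.2f} per record")
```

Run it and the pooled average comes out under a dollar per record because the single megabreach supplies almost all of the records, while the mean of the per-claim ratios is tens of dollars; dropping the last row moves the pooled figure to about $6.50. That sensitivity to the breach-size mix is the whole of the disagreement: a per-record number is only meaningful for the size band it was computed from, which is why Verizon prefers to forecast a cost range for a stated breach size.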

Ponemon’s Larry Ponemon

Larry Ponemon, chairman and founder of the Ponemon Institute, stood by his methodology and said the estimates are a fair representation of the economic impact of a breach.

Ponemon’s estimates are based on actual data collected from individual companies that have suffered data breaches, he said. It considers all costs that companies can incur when they suffer a data breach and includes estimates from more than 180 cost categories in total.

By contrast, the Verizon model looks only at the direct costs of a data breach collected from a relatively small sample of 191 insurance claims, Ponemon said. Such claims often provide an incomplete picture of the true costs incurred by a company in a data breach. Often, the claim limits also are smaller than the actual damages suffered by an organization, he said.

“In general, the use of claims data as surrogate for breach costs is a huge problem, because it underestimates the true costs” significantly, Ponemon said.

Verizon’s use of logarithmic regression to arrive at the estimates also is problematic because of the small data size and the fact the data was not derived from a scientific sample, he said.

Ponemon said the costs of a data breach are linearly related to the size of the breach. Per-record costs come down as the number of records increases, but not to the extent portrayed by Verizon’s estimates, he said.

“I have met several insurance companies that are using our data to underwrite risk,” he said.

How to Lower Your Cyber Risk

As we approach the close of 2014, virtually no one needs to be reminded that cyber liability is real and here to stay. Data breaches and cyber security incidents are on the rise. New York’s attorney general reported that breaches tripled between 2006 and 2013, and, according to a recent study, 43% of companies experienced a breach last year.

What are some of the key issues accounting for this increase? First, information is the new oil, and it has value. Stolen financial and medical data can be purchased on the “dark web” and used for identity theft and fraudulent billing. Second, computer networks can be attacked relentlessly by hackers thousands of miles away, with little risk to the hackers. Third, entities are creating and storing more data than ever. It is estimated that the volume of data is doubling every two years, and too many entities have adopted a keep-everything approach to information management.

Given this reality, it’s no wonder that sales of cyber insurance are rising. Cyber insurance can fill gaps left by traditional policies and provide a lifeline to entities affected by a breach or security incident. But cyber insurers require prospective insureds to complete detailed applications that address various areas relevant to cyber liability. Among the areas of inquiry are:

  • Records and Information Management — including identification of the types and volume of sensitive information the company handles. For example, do you handle or store payment card information, intellectual property of others or medical records?
  • Management of Computer Networks — including security management, intrusion testing, auditing, firewalls, use of third party vendors and encryption.
  • Corporate Policies — for privacy, information security, use of social media and BYOD (bring your own device), among others. Insurers often ask if the policy was prepared by a qualified attorney and how often it is reviewed and updated. Some insurers require such policies to be attached to the completed application.
  • Employment Issues — including whether employees go through criminal background checks. Many insurers also ask if the company has a chief privacy officer, chief information officer and chief technology officer.

The following are some basic steps a company can take to better position itself to complete the cyber application and obtain optimal cyber coverage.

Locate Your Data

You can’t manage and secure information if you don’t know what you have or where it is. Creating a map or inventory of all enterprise information is an invaluable step toward getting your data house in order. Paper records and data stored on inactive media and on mobile devices should not be forgotten.

Delete What You Don’t Need

It is estimated that between 60% and 70% of stored information has no business value. Keeping all this useless information is not a sustainable business practice. Disposing of data can reduce storage, e-discovery costs and security risks, and improve employee efficiency. Legally defensible deletion of useless information and adoption of a sound record retention and deletion policy are important parts of a successful information management policy.

Control Access

Entities should permit access to information, particularly sensitive information, on a need-to-know basis. A large number of data breaches result from employee negligence and disgruntled or rogue employees. Restricting access to sensitive data is an important step to mitigating that risk.

Improve Policies and Training

Depending on business activities, entities should consider adoption of policies that relate to cyber liability, including privacy, record retention and deletion, use of passwords, email and use of social media. Policies should be reviewed by a qualified attorney, updated regularly and enforced. Employee training and re-training is an important component of successful policy implementation. Conducting data breach workshops, where the entity can rehearse its response to a breach incident, can pay big dividends in the event of a breach.

Because cyber applications require entities to take a close look at their information management and cyber vulnerabilities, it’s no wonder that a recent Ponemon study found that 62% of surveyed companies report that their ability to deal with security threats improved following the purchase of cyber insurance. Taking the steps outlined above in connection with applying for cyber coverage makes good business sense and can help an entity obtain the best cyber policy to protect itself against growing threats.