Real Cost of Data Breaches: the hidden fine print

_hims
3 min readOct 20, 2017

Starting this blog with the new publication from the Ponemon Institute; they have been doing great work in discovering what it actually takes

Some points of the report are:

$3.6 million: average cost of a data breach

$141: cost of a data breach per record

A major takeaway is that the cost per record has come down from $208 a few years ago, when this study became mainstream. This makes sense, as data volumes have grown exponentially over the years.

They say it takes 6 months or more to contain a breach. It is not revealed what methodology they used to arrive at this number; you can patch a firewall hole, but data once lost is gone, and people don't change their names and dates of birth every 6 months.

It also mentions that 53% of data breaches occur in production and the rest in non-production, due to deliberate malice or negligence. This is where I want to raise an alarm: half of the risk comes from inside the organization, where the majority of data resides.

At the base of the iceberg, where internal users have all the access, data sits in a zone with no audit and no oversight, and it could be residing on a remote laptop over a Starbucks Wi-Fi.

Three recent breaches highlight these facts:

Equifax: 143 million people, or perhaps every credit card holder in the US, had their SSN compromised. The issue was a production system patch not being applied, AND concealing the breach for months.

The containment of the incident was even more troublesome:

  • The response was hosted on a separate site, which was itself vulnerable.
  • Their Twitter handle relayed links to phishing URLs.
  • Some privileged accounts had default credentials (admin/admin).

The response made Equifax a joke magnet, with social media rallying against them.

Wired carried a list of the gaffes here. Some of the burden has to be carried by the firm's auditor, EY, who say cybersecurity was out of scope.

Deloitte: they had a breach while advising everybody else on security; the response was respectful, though. One notable point is that it happened on a SQL server in the Azure cloud, leaking tons of email with attachments and PHI/PII.

This is the first major incident involving a cloud; however, social engineering and the extraction of a password are being credited for this theft. Data masking in non-prod and better training could have prevented this.

The SEC, the third illustration here, says the breach happened last year: the EDGAR system had an intrusion where, again, a non-prod testing environment was targeted.

Again, notice the pattern: malicious attackers are now targeting alternate copies of data that reside in less secure environments, where audit and access controls are much more lax than in their production peers.

Noting a recent study by The Economist:

Data is the most valuable resource in the world

and its size is increasing exponentially. Most organizations have 10 less secure copies of production data. Imagine the surface area of risk. This is the caveat that any DLP program aims to fix, but it lags because it is difficult to do.
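As an added example, not part of the original post, here is a small Python masking routine of the kind the post argues every non-prod copy needs: it pseudonymises names, SSNs and e-mails with a keyed hash so that joins across tables still line up, coarsens dates of birth, and verifies that no raw production value survives in the copy. The sample rows and the masking key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample "production" rows (fake values, not real people).
PROD_ROWS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789",
     "dob": "1980-02-14", "email": "alice@example.com"},
    {"id": 2, "name": "Bob Sample", "ssn": "987-65-4321",
     "dob": "1975-11-30", "email": "bob@example.org"},
]

# Assumption: the key lives only in the masking job, never in the non-prod copy.
MASK_KEY = b"constructed-demo-key"

def _digits(value: str, key: bytes, n: int) -> str:
    """Deterministic keyed digits: same input, same output, not reversible without the key."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in mac[:n])

def mask_ssn(ssn: str, key: bytes = MASK_KEY) -> str:
    # Keep the NNN-NN-NNNN shape so application code and test fixtures still parse it.
    d = _digits(ssn, key, 9)
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"

def mask_email(email: str, key: bytes = MASK_KEY) -> str:
    # .invalid is reserved, so a masked address can never reach a real mailbox.
    return f"user{_digits(email, key, 6)}@masked.invalid"

def mask_name(name: str, key: bytes = MASK_KEY) -> str:
    return "Person " + _digits(name, key, 4)

def mask_dob(dob: str) -> str:
    # Keep the year for age-bucket analytics; drop month and day.
    return dob[:4] + "-01-01"

def mask_row(row: dict, key: bytes = MASK_KEY) -> dict:
    return {
        "id": row["id"],  # surrogate key is not sensitive; keep it for joins
        "name": mask_name(row["name"], key),
        "ssn": mask_ssn(row["ssn"], key),
        "dob": mask_dob(row["dob"]),
        "email": mask_email(row["email"], key),
    }

def mask_copy(rows=PROD_ROWS, key: bytes = MASK_KEY) -> list:
    return [mask_row(r, key) for r in rows]

def leaked_values(prod_rows, masked_rows) -> list:
    """Audit check: any raw sensitive production value still present in the masked copy."""
    raw = {r[f] for r in prod_rows for f in ("name", "ssn", "dob", "email")}
    return [v for r in masked_rows for v in r.values() if isinstance(v, str) and v in raw]
```

Run `leaked_values(PROD_ROWS, mask_copy())` as a gate before a copy is handed to a test or analytics environment; an empty list means the copy carries none of the original identifiers.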

Hopefully, after these attacks and leaks, non-prod data will be given its due respect.

And next time someone asks what the cost of a data breach is, ask them to start by multiplying their sensitive record count by $141.


Written by _hims

Geek, nerd and beyond, wannabe yogi. Secured virtualization #Delphix
