Sunday, 20 August 2023

Security breach – it’ll never happen! Part 2

This time we continue our look at IBM Security’s latest Cost of a Data Breach Report.

I thought that it would be useful to see what recommendations the report had for busy IT security teams.

37% of ransomware victims opted not to involve law enforcement to help contain a ransomware breach, but those that did experienced a less costly ransomware breach overall. The average cost of a ransomware breach was US$5.11 million when law enforcement wasn’t involved and US$4.64 million when law enforcement was involved – a 9.6% difference.

The total amount of time to identify and contain a ransomware breach was 33 days shorter with law enforcement involvement, at 273 days in total compared to 306 days (a saving of 11.4%). The mean time to contain a ransomware breach was 63 days or 23.8% shorter with law enforcement involvement compared to 80 days without.

For organizations that experienced a ransomware attack, those that used automated response playbooks or workflows designed specifically for ransomware attacks were able to contain them in 68 days compared to the average of 80 days for organizations without automated response playbooks or workflows (16% less).

Does paying the ransom actually save your organization any money? The report suggests that the savings are minimal. Their findings were that the cost of a ransomware attack for an organization that paid the ransom was US$5.06 million. If the organization didn’t pay the ransom, the cost was US$5.17 million – a difference of 2.2%. However, the figures don’t include the cost of the ransom itself. The report suggests that paying the ransom is probably not a cost-effective strategy overall.

The report strongly makes the case for the use of security AI, saying that organizations with extensive use of security AI and automation identified and contained a data breach 108 days faster than organizations that didn’t use AI or automation. What falls into that category includes the use of AI, machine learning, automation, and orchestration to augment or replace human intervention in detection and investigation of threats as well as the response and containment process. On the opposite end of the spectrum are processes driven by manual inputs, often across dozens of tools and complex, non-integrated systems, without data shared between them.

In addition, there were cost savings with AI and automation. The report found a US$1.76 million lower data breach costs compared to organizations that didn’t use security AI and automation capabilities.

Perhaps not surprisingly, the report found that 51% of organizations are planning to increase their security investments as a result of a breach – although one must worry about the other 49%. For those who are planning to invest, the top areas identified included incident response (IR) planning and testing, employee training, and threat detection and response technologies.

The report recommends that organizations take a DevSecOps approach tin order to build security into any tools or platforms an organization depends on to engage its workforce or its customers. Organizations of all types, the report says, should look to ensure that security is at the forefront of the software they’re developing as well as commercial off-the-shelf software that they’re deploying. Application developers must continue to accelerate the adoption of the principles of secure by design and secure by default to ensure that security is a core requirement that’s considered during the initial design phase of digital transformation projects and not simply addressed after the fact. The same principles must be applied to cloud environments to support cloud-native app development in order to makes a serious effort to protect user privacy and minimize attack surfaces.

The report recommends application testing or penetration testing from the perspective of an attacker in order to give organizations the opportunity to identify and patch vulnerabilities before they turn into breaches. No technology or application will ever be fully secure, and adding more features introduces new risks. Ongoing application testing can help organizations identify new vulnerabilities.

The report suggests that organizations should strengthen their resiliency by knowing their attack surface and practicing their Incident Response (IR). Various tools can help organizations gain an attacker-informed perspective into their unique risk profile and vulnerabilities, including which vulnerabilities are readily exploitable.

Secondly, having a team in place that’s versed in the right protocols and tools to respond to an incident has been shown to significantly reduce costs and the time to identify and contain a breach. Organizations with high levels of these countermeasures in place incurred US$1.49 million lower data breach costs compared to organizations with low levels or none.

Another recommendation is for organizations to implement network segmentation practices to limit the spread of attacks and the extent of damage they can cause, strengthening overall resiliency and reducing recovery efforts.

The report also recommends that organizations modernize data protection across hybrid cloud. 82% of data breaches in the report involved data stored in cloud environments, and 39% of breaches included data that spanned multiple types of environments. The report recommends gaining visibility and control of data spread across hybrid cloud as a top priority for organizations, and should include a focus on strong encryption, data security, and data access policies.

Newer technologies such as data security posture management can help find unknown and sensitive data across the cloud, including structured and unstructured assets within cloud service providers, software as a service (SaaS) properties, and data lakes. This can help identify and mitigate vulnerabilities in underlying data store configurations, entitlements, and data flows.

Organizations also need to deploy strong identity and access management (IAM) strategies that include technologies such as multifactor authentication (MFA), with particular focus on managing privileged user accounts that have an elevated access level.

There are plenty of evidence-based suggestions in the Cost of a Data Breach Report that most sites would be wise to implement before a data breach happens to them (again) because they need to realize that a breach can definitely happen to them.

Sunday, 13 August 2023

Security breach – it’ll never happen! Part 1

We all know from the press that security breaches have been causing serious problems to computing infrastructure for a number of years now. And yet, there are still too many mainframe sites that are hoping it won’t happen to them. I thought, by way of a wake-up call, it would be useful to take a look at the findings of the latest Cost of a Data Breach Report from IBM Security.

The first thing your CFO will want to know is how much a data breach is likely to cost. The report found that it is US$4.45 million, which is 2.3% higher than the 2022 report’s findings. Worryingly, only 1 in 3 sites that experienced a breach had the breach identified by their own security teams or tools. The remaining 67% of breaches were reported by a benign third party or by the attackers themselves. When the attackers disclosed a breach, it cost organizations nearly US$1 million more compared to internal detection.

The cost of a ransomware attack increased by 13% from 2022, now costing on average US$ 5.13 million. Ransomware attacks made up 24% of all data breaches recorded in the survey. Destructive attacks that left systems inoperable accounted for 25% of attacks. Business partner and software supply chain attacks accounted for 15% and 12% of attacks, respectively.

There’s always a big debate about whether an organization should disclose that it has been hacked and call in law enforcement. After all, the hackers are often based abroad, and a prosecution is unlikely. In addition, the news of the breach may reach the press and the company is very likely will lose customer confidence and is likely to lose money over the next couple of years. The report found that organizations that didn’t inform law enforcement faced an additional cost of US$ 470,000. 63% of sites in the survey had involved law enforcement, the 37% that didn’t also paid 9.6% more and experienced a 33-day longer breach lifecycle.

If you work in healthcare, the report found that since 2020, healthcare data breach costs have increased by 53.3%. For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of US$10.93 million.

The big question worrying many sites is are they currently being hacked, and they haven’t realized yet? The survey found that the length of time it takes to identify a breach is 204 days, which, although it might be cold comfort, is better than last year’s figure of 207 days. Once a breach has been identified, how long does it take to recover? The survey found that on average it takes organizations 73 days. That’s three days longer than the 2022 results.

One small comfort for traditional mainframers is that 82% of breaches involved data stored in the cloud – public, private, or multiple environments Mainframe sites that have projects that embrace cloud computing may well wish to review their security policy for the cloud. The report goes on to say that attackers often gained access to multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than average cost of US$4.75 million.

The location of an organization has big impact on the cost of a data breach. The most expensive place for a data breach is the USA, costing US$9.48 million. The Middle East is the second most expensive at US$8.07 million. Next is Canada, costing US$5.13 million. Fourth is Germany, costing US$4.67 million. And fifth is Japan costing US$4.52 million. The United Kingdom has dropped out of the top five this year.

We said Healthcare was the most expensive. The rest of the top five industries are: Financial costing US$5.90 million; Pharmaceuticals costing US$4.82 million; Energy costing US$4.78 million; and Industrial costing US$4.73 million. Technology has dropped out of this top five list.

Detection and escalation costs are still very expensive. This year the figure rose by 9.7% to US$1.58 million. These costs include activities that enable a company to reasonably detect a breach and can include forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards.

When it comes to lost business costs, the figure dropped 8.5% to US$1.30 million. This figure includes activities such as business disruptions and revenue losses from system downtime, the cost of lost customers and acquiring new customers, and reputation losses and diminished goodwill.

This year’s report is its 18th consecutive edition. The research is conducted independently by Ponemon Institute, and sponsored, analysed, and published by IBM Security. Responses were from 553 organizations impacted by data breaches that occurred between March 2022 and March 2023.

Next time will look at more from the report.