Since you’re reading this blog, you’ve most likely been asked to justify the investment in information security with hard numbers. There have been few better allies in the fight to prove the need for cybersecurity spending than Ponemon Institute. Ponemon regularly produces meticulous, field-driven studies on all aspects of privacy, data protection and information security. Recently they worked with IBM on the cost of data breaches around the world, breaking down the factors that contribute to those costs. You can get the study’s full text online for free.
For IT security pros, much of what the study concludes about the need to protect data will not be surprising. Costs of data breaches are going up around the world. Places with less developed information security practices see larger numbers of records stolen, but also a lower cost per record. The nations where regulation is active have much higher costs for breaches due to the burdens associated with compliance and notification.
There were a couple of disappointments, however, which are common to reports like these. Some issues still seem to miss the attention of even the most careful observers.
The Insider Threat is Still Hiding in Plain Sight
One thing Ponemon always does very well is give you many different breakdowns of the data they collect. This report is no exception. One very useful chart [1] shows the root causes of the breaches distributed as follows:
- 48% Malicious or criminal attack
- 27% System glitch
- 25% Human error
[1] Pie Chart 2 – Distribution of the benchmark sample by root cause of the data breach.
Now, if you look at this casually, it’s easy to think that the insider was either so small as not to factor in, or was included in the human error category. But when we check the footnote we read, “… Malicious attacks can be caused by hackers or criminal insiders (employees, contractors or third parties).”
Clearly, the kind of insider we mean when we talk about “insider threat” is actually part of the largest slice of the pie – the malicious or criminal attack. We’re so trained by the press to think of “attack” as being a “hacker” from the outside that this is easily missed. How large a percent are these insiders? Who knows?
Also hard to decipher is the more critical question of how often outsiders leveraged insider credentials to commit crimes. Fighting folks who use SQL attacks on websites and fighting folks who use malware to hijack insider credentials to spread laterally through your network are two very different battles. We all continue to work in the dark regarding how often this happens, even though we see the post-mortems for every huge, public breach telling us privileged credentials are key to pulling off the really big jobs.
Not Even An Ounce Of Prevention
Now, it may seem that I’m picking on Ponemon’s report a bit, but I still think it’s an awesome resource and gets things 95% right. The reason I highlight the other 5% is because it’s likely important for many of us as we make our case to executives to get the investments we need to improve IT security posture.
With that in mind, the other issue concerns the measures recommended to save on data breach costs. Ponemon highlights a number of items that are absolutely excellent to focus on as a security program. Topping their list are instituting an incident response team, using encryption extensively, training employees, and participating in threat sharing.
However, nowhere on their list did they make room for truly preventative measures. There are a few angles on data protection – DLP, classification – and you could make a case that an incident response team will likely put in preventative controls. But there is no mention of patching, continuous privileged credential rotation and identity management. We all know these are key in today’s cyber defense behind the firewall, but they never seem to get their 15 minutes in these reports.
Get the report, read it, and use the charts and graphs to wow your executives. There are excellent stats, and very good, plain language descriptions of concepts that management needs to understand about IT security.
As you build your case, also keep in mind you may need to spin things a bit to ensure you deliver the whole picture. Of course, that shouldn’t be an issue for folks who have been making these programs work in a vacuum of good data for so very long.