Data-Breach Costs Rising, Study Finds 67
BobB-nw writes to tell us that a recent study of 43 companies that suffered from data breaches last year showed the total cost of dealing with the breach to have risen to $6.6 million per incident. The cost is about $202 per record compromised for first timers, while the repeat offenders seem to have their mojo down and only suffer about $192 per record. With 88% of all data loss cases for 2008 being traced back to insider negligence it's a wonder that a little upfront money isn't being directed at prevention; guess as soon as they idiot-proof it someone will build a better idiot.
BS (Score:5, Insightful)
Well, that's what they told the insurance company.
Corporate Bail Outs (Score:2)
That's how much money is missing from the books that they haven't been able to cook since SOX.
2 cents,
QueenB.
Re:Corporate Bail Outs (Score:5, Informative)
Oh, no worries, cooked books taste just as good with SOX as without. As predicted, SOX hasn't changed jack; take a look at the average financial institution today and they have the vast majority of their liabilities in special purpose off-balance-sheet vehicles (see, as long as you only own 49% of the subsidiary, and the rest is owned by your cousin's neighbour's gramma's old dog, you don't have to bring the liabilities onto your balance sheet).
And when rules to change that (strongly opposed by Citigroup, etc.) were supposed to enter into force last November, it was suddenly 'impractical' and got delayed by the FASB.
Right, 'impractical' as in 'the banks are insolvent and unless they get to cook their books it's going to be bloody obvious that actual bailout requirements are in the tens of trillions, which might be a bit unpalatable for taxpayers'.
So SOX has merely added a bunch of expensive administrative crap with no actual extra security for stock holders; they'll get screwed anyway as politically expedient.
"idiot proof" (Score:4, Interesting)
If they need to try to idiot-proof a system, take out the "idiot". If these companies hire more technology-inclined workers (people who read /.) they won't have this problem as often.
Re:"idiot proof" (Score:5, Funny)
If they need to try to idiot-proof a system, take out the "idiot". If these companies hire more technology-inclined workers (people who read /.) they won't have this problem as often.
Maybe, but then they'd have to deal with everyone putting goatse links all over the company newsletter and sending out gay porn featuring the CEO of the company, so there's a little bit of a downside too.
On the other hand, most Slashdotters never leave the basement, so you would save on office space.
Re: (Score:1)
If they need to try to idiot-proof a system, take out the "idiot". If these companies hire more technology-inclined workers (people who read /.) they won't have this problem as often.
Maybe, but then they'd have to deal with everyone putting goatse links all over the company newsletter and sending out gay porn featuring the CEO of the company, so there's a little bit of a downside too.
On the other hand, most Slashdotters never leave the basement, so you would save on office space.
Re: (Score:2, Funny)
and sending out gay porn featuring the CEO of the company
Featuring the CEO of the company? I say "the CEO and the company"!!!
Re: (Score:3, Funny)
If these companies hire more technology-inclined workers (people who read /.) they won't have this problem as often.
"shut the fuck up (Score:-1, Troll)
by Anonymous Coward on 2009-02-02 21:34 (#26700021)
you bunch of slashfaggots don't know anything. shut your fucking mouths and get an education instead of making up a bunch of lies."
He's going to be the CEO.
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Re: (Score:2)
If they need to try to Idiot-proof a system take out the "Idiot".
In other words: don't hire idiots.
If these companies hire more technology inclined workers (people who read /.)...
In other words: hire idiots.
Re: (Score:2)
No, no, no.....people who just read /. aren't idiots.
It's the people who comment on /. that are the idiots.
Oh.....wait.....
Re: (Score:2)
I too had a chilling sense of proving my own point unintentionally. Weird huh? Wonder where that was coming from.
Oops, forgot to make a 1, 2, ??? profit joke.
Re: (Score:2)
It could be that /. is where clever people come to exercise the idiocy that's stifled in the corporate environment. But what would I know, I work from home...
Teach, teach and teach (Score:2)
And require your workers to learn. That's the quintessential base for security. You can employ the tightest security standards if your users are not able to see a problem in a security breach.
What people do not understand, they will not take serious. It's the "can't someone else do it" attitude that causes the problem. Not the lack of /. readers in business positions. An IT person cannot replace an auditor, and, frankly, I'd be rather found dead than in an auditor's position.
People, especially in the leadin
Re: (Score:2, Insightful)
Although I generally agree that Windows is not the "winner" when it comes to running a server (or any business machine), it must be said that correlation is not causation.
Re: (Score:3, Insightful)
So who will need to pay me if my Linux box gets hacked?
And yes, a poorly configured/administered Linux system can get hacked into just as easily as a Windows system.
The problem is a lot of these places that get hacked have a pathetic understaffed/underfunded IT team.
If you can get someone who knows how to use Linux, they can normally keep a Windows network secure too. But more often than you think, these companies are run by the guy who currently knows the most about computers at the time and becomes the IT g
Re: (Score:2)
It isn't the OS it is more who maintains the OS.
It is both.
---
Beware deceptive astroturfers [wikipedia.org].
Re: (Score:2)
So who will need to pay me if my Linux box gets hacked? And yes, a poorly configured/administered Linux system can get hacked into just as easily as a Windows system. The problem is a lot of these places that get hacked have a pathetic understaffed/underfunded IT team.
If you can get someone who knows how to use Linux, they can normally keep a Windows network secure too. But more often than you think, these companies are run by the guy who currently knows the most about computers at the time and becomes the IT guy by default.
That's the case if the person who doesn't know what is going on chooses Windows by default without any consideration of other platforms. A good IT person may still choose Windows for its advantages over Linux but knows where it is weak and works to secure those points.
It isn't the OS, it is more who maintains the OS.
As much as I'd like throwing Microsoft out of the window, third-party software that we need to use is locked into Windows. I'll be lucky if I escape the Vista nightmare and keep using Win XP, and I'll probably squeal if and when the MS guys tell me that they do not support it any mo
Re: (Score:2)
This argument is retarded. Every single software company, Microsoft included, disclaims liability.
The only cases I heard of a company getting into actual legal trouble due to their software is with things like Sony where they knowingly made something that was actively malicious.
I've never heard of a single case of Microsoft or anybody else paying a single cent due to a vulnerability. If they did, MS would be bankrupt by now.
Re: (Score:2)
Err, umm... I was responding to a post that said we should charge the OS company for any security holes. At this point the argument is pointing out a problem with the proposed suggestion from an IT manager's point of view. Please try to keep current, and realize proposed ideas are not ideas that are currently in place.
Re: (Score:2)
Ok, fair enough. My mistake.
This is anecdotal evide
As a network admin... (Score:3, Interesting)
Re: (Score:1)
I'm by no means a network admin, and I have zero experience in the field, but is there no way in which the services for each client can be shared across multiple machines, and then the updates can be progressively 'rolled' across each? (i.e. update machine A and restart while leaving the load to machines B and C, do the same to machine B leaving the load to A and C, etc.)
Or is that more prohibitive/expensive to maintain? (I suppose it depends entirely on what machines you're running and what services you pr
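The rolling-update scheme the question describes, as an added example that is not code from the thread or from any poster: nodes are drained one at a time, patched, health-checked, and only then re-admitted, with a capacity floor so the pool never drops below a minimum number of serving machines, and with a stop-and-roll-back path for a patch that breaks a node. `Node`, `RollingUpdate`, `simulated_apply` and the health-check callback are constructed stand-ins for real hosts, a package manager and a load-balancer probe; the version strings are made up.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Node:
    """One server in the pool (constructed stand-in for a real host)."""
    name: str
    version: str
    in_service: bool = True   # currently receiving client load
    healthy: bool = True


class RollingUpdate:
    """Update nodes one at a time while at least `min_in_service` nodes keep
    carrying load.  A node that fails its post-update health check is rolled
    back and the rollout stops, so a bad patch never reaches the whole pool."""

    def __init__(self, nodes: List[Node], min_in_service: int,
                 apply_update: Callable[[Node, str], None],
                 health_check: Callable[[Node], bool]):
        self.nodes = nodes
        self.min_in_service = min_in_service
        self.apply_update = apply_update
        self.health_check = health_check
        self.events: List[str] = []
        self.lowest_serving = self.serving()   # worst capacity seen during the run

    def serving(self) -> int:
        return sum(1 for n in self.nodes if n.in_service and n.healthy)

    def run(self, new_version: str) -> bool:
        for node in self.nodes:
            if node.version == new_version:
                continue
            # Capacity guard: refuse to drain if that would breach the floor.
            if self.serving() - 1 < self.min_in_service:
                self.events.append(f"abort: draining {node.name} would breach floor")
                return False
            old_version = node.version
            node.in_service = False                      # drain: stop sending load
            self.lowest_serving = min(self.lowest_serving, self.serving())
            self.apply_update(node, new_version)         # patch + restart
            if not self.health_check(node):
                # Failed probe: restore the old version on this node, then stop.
                self.apply_update(node, old_version)
                node.healthy = self.health_check(node)
                node.in_service = node.healthy
                self.events.append(f"{node.name}: {new_version} failed health check, rolled back")
                return False
            node.healthy = True
            node.in_service = True                       # re-admit to the pool
            self.events.append(f"{node.name}: at {new_version} ({self.serving()} serving)")
        return True


def simulated_apply(node: Node, version: str) -> None:
    """Constructed stand-in for 'install package, restart service'."""
    node.version = version


def make_health_check(bad: set) -> Callable[[Node], bool]:
    """Constructed probe: a node is healthy unless (name, version) is in `bad`."""
    return lambda node: (node.name, node.version) not in bad


def demo_success():
    """Three nodes, floor of two: every node ends on 1.1, never below 2 serving."""
    pool = [Node("A", "1.0"), Node("B", "1.0"), Node("C", "1.0")]
    ru = RollingUpdate(pool, 2, simulated_apply, make_health_check(set()))
    ok = ru.run("1.1")
    return ok, [n.version for n in pool], ru.lowest_serving


def demo_bad_patch():
    """Patch 1.1 breaks node B: A is updated, B rolled back, C never touched."""
    pool = [Node("A", "1.0"), Node("B", "1.0"), Node("C", "1.0")]
    ru = RollingUpdate(pool, 2, simulated_apply, make_health_check({("B", "1.1")}))
    ok = ru.run("1.1")
    return ok, [(n.version, n.in_service) for n in pool]


def demo_no_headroom():
    """Two nodes with a floor of two: nothing can be drained, so nothing changes."""
    pool = [Node("A", "1.0"), Node("B", "1.0")]
    ru = RollingUpdate(pool, 2, simulated_apply, make_health_check(set()))
    ok = ru.run("1.1")
    return ok, [n.version for n in pool]


if __name__ == "__main__":
    print(demo_success())
    print(demo_bad_patch())
    print(demo_no_headroom())
```

The third scenario is the answer to the "prohibitive/expensive" part of the question: rolling patches need at least one node of headroom above the load the remaining machines can carry, and that spare capacity is the cost of patching without an outage window.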
Em... (Score:2)
Not surprising at all... (Score:5, Interesting)
it's a wonder that a little upfront money isn't being directed at prevention
No it's not... Only in the last few years has management begun to look at IT as something more than a "support" department. I have worked in companies where the IT department head reported to the Facilities Management Director (think landscaping and custodial services), who reported to the VP of Finance. Essentially, IT had no influence or budget to speak of, even when we pointed out that we were ripe for the picking when it concerned customer data and trade secrets.
Jump forward a few years, and now that same company has a VP of Information Technology and an annual IT budget of 4X the Finance department's total budget.
It's no surprise that it's still taking time to get pro-active expenditures approved. What I'm actually surprised about is that most Presidents/CEO's are actually aware of the risks now. If not for a few recent high profile leaks, most IT departments couldn't get any money for such projects.
Finally, there is no evidence that upfront money wasn't spent. Most companies just haven't figured out how to adequately secure their data, not for lack of resources or trying, but because there isn't a formula for guaranteed success.
Re: (Score:2)
Only in the last few years has management begun to look at IT as something more than a "support" department. I have worked in companies where the IT department head reported to the Facilities Management Director (think landscaping and custodial services), who reported to the VP of Finance. Essentially, IT had no influence or budget to speak of, even when we pointed out that we were ripe for the picking when it concerned customer data and trade secrets.
Here's an interesting aside...
"landscaping and custodia
Re:Not surprising at all... (Score:4, Interesting)
I would probably start a unit in charge of security -- ALL Security, and have them monitor and interact with IT and janitorial and anyone else to manage security.
Great, so to work for you, in addition to Linux/Windows certs, I now need a Johnson Controls cert, journeyman electrician's papers, and an endorsement for use of lethal force?
Do you really want your net admin to carry a gun and/or taser backed up with a hammer? Just sayin...
Re: (Score:3, Insightful)
Great, so to work for you, in addition to Linux/Windows certs, I now need a Johnson Controls cert, journeyman electrician's papers, and an endorsement for use of lethal force?
Only if you're applying to be a one-man security ninja hero or something. It would be far more likely, though, to have more than one person, each with different areas of expertise.
Do you really want your net admin to carry a gun and/or taser backed up with a hammer? Just sayin...
Not at all. But I also don't want my net security team to be
Re: (Score:2)
Look at the advantages. You've got only one person to call if your toilets back up or your servers don't.
Re: (Score:1)
I do wholeheartedly agree, however, with the idea of a separated IT/helpdesk team (call it Computer Support, as part of facilities management) and an 'Information Security
Re: (Score:2)
I would probably start a unit in charge of security -- ALL Security, and have them monitor and interact with IT and janitorial and anyone else to manage security.
I think it might make sense to have a department (or at least person) that is in charge of developing, distributing, and enforcing policies that have a bearing on all forms of security... but I think you'll have a problem finding someone competent to supervise *both* the physical maintenance and server maintenance staff.
Re: (Score:2)
I think it might make sense to have a department (or at least person) that is in charge of developing, distributing, and enforcing policies that have a bearing on all forms of security... but I think you'll have a problem finding someone competent to supervise *both* the physical maintenance and server maintenance staff.
Just as your CEO is incompetent to do much of anything but is ultimately responsible for seeing that everything gets done -- solution: delegate.
Delegate overall security to someone with a fi
Re: (Score:2)
Just as your CEO is incompetent to do much of anything but is ultimately responsible for seeing that everything gets done
Clearly our physical security needs some work, because you've been spying on our office! ;-)
Delegate overall security to someone with a firm grasp of what real security is (vs security theatre) and who has a good head for risk assessment and return-on-investment, and above all the competence to surround himself with specialized people competent in specific fields of security and you'll be fine.
You're right that will definitely result in different people managing network and physical security. But working together under one person, you won't spend millions on vault-like physical security while you have a hundred-dollar Linksys router protecting what's inside... or vice versa.
But one issue still remains, which is that while physical security is somewhat intuitive (you can note that it's way too easy for you to walk in after someone else and bypass the card reader, for example), it may be difficult if not impossible to determine whether your information security measures are in place. It takes a different skillset to check for security holes in your network, website, etc.
Ultimately (and t
Re: (Score:2)
This depends on how the organization is structured. Sure you could have a VP who oversees all security related issues, and in some organizations where security is a very high priority it makes sense (banks for example).
However most small-medium companies don't have significant physical security needs, except perhaps to hire a consultant to assess, recommend, and implement. And maybe contract a security company to patrol or monitor the cameras. These kind of companies need someone with some weight in the I
negligence (Score:3, Insightful)
Re: (Score:2)
From the Stats-Pulled-From-My-Nether-Regions:
85% of all system intrusions are inside jobs. Why would this be any different?
Fake Breaches (Score:1)
Re: (Score:2)
All our sec people are busy doing real ones, we don't have time for stupid fakes!
As an IT Manager I say this: (Score:5, Insightful)
I find the problem has several facets.
1. Nearly everything requires Windows
2. Too many Windows applications want or require administrator privileges
3. Users like little gadget software so much they think they need them
4. Microsoft Internet Explorer (need I say more?)
Malware is ALWAYS an internal network security problem. You can bullet-proof your web site from intrusion all you like but when the threat comes from an internal machine on your network, you're done for. There are lots of ways to address the problem, but none of them make users or executives happy. For much data processing, I'd like to see a return of the green CRT and keyboard. They don't crash (easily) and don't get infected with malware and keyloggers. Sure, they don't tell you what the weather is outside, but this is sensitive/valuable data being processed. We don't WANT those things connected.
User technology culture is out of hand and does not address technical/functional needs.
Cost (Score:4, Funny)
I guess data doesn't just want to be "free" :)
Repeat offenders? (Score:2)
The cost is about $202 per record compromised for first timers, while the repeat offenders seem to have their mojo down and only suffer about $192 per record.
What, so now repeat data breachers get a frequent flier discount? No wonder security sucks so bad!!
Only $202 per record? Underestimate! (Score:2)
I suspect that $202 per record is a vast underestimate. One single record compromise could devastate someone's life, so they're obviously not factoring in the end-user cleanup effort required, or the insurance required to cover damages from a (possibly class-action) law suit based on that.
Re: (Score:2)
Re: (Score:2)
Cracker vs IT staff (Score:1, Interesting)
OK, here's the deal. You have options:
1. You can be the cracker, were you merely need to find one hole in the OS of one server out of 100 at the site, the 100 pieces of software installed on the servers, the firewall, or any other device or piece of software on the network to get a foot in the door. Or more likely, you just need to social engineer to get the 20% of users who don't have a clue to do your work for you. In other words 3 months of casing the joint, infinite payoffs.
2. Or you can be the IT staff
Re: (Score:2)
So duck and cover is the strategy again? Teach snake oil and hope you won't be caught in the fallout?
cost of data vs. breach (Score:2)
A single break-in can cost days (if not weeks) worth of business disruption/outage, or even a secondary/failover site can add up to an annual budget.
While the cost of data can vary, a breach in itself is very costly. In the article, user record cost/value seemed to be the cost factor (emphasizing "per incident"); what about the aftermath? I'm sure the total cost is not as small as the figure shown in the article, given that at least a proper preventive measure has been implemented after the "first" incident.
Re: (Score:1)
...We don't need smarter programs and more restrictions, we need smarter people. period.
And that smarter person that you hired needs to be allowed to use their brain when performing their job.
Also they must be given time to do the job right. Are your deadlines honestly realistic? If an Agile company, is your velocity realistically maintainable over time without burning out your staff?
I remember one site where the schedule was created by a big 5 accounting firm; where the consultants were working 12 - 14 hour days and living out of a hotel room, their family was not in the same city. They were paid for every hour of course.
When the project was finally turned over to the company employees, the schedule was kept at the same pace yet those employees lived with their families in town and were only paid for an 8 hour day, even though overtime was expected by all if the project was perceived to be slipping. It was unacceptable to slip the schedule for any reasons, even valid ones.
I saw the writing on the wall and found a better opportunity real fast, gave my two weeks notice and never looked back...even have good references from the job as with all my positions.
I have no problem with working hard and typically put in 50 - 60 hour weeks as a rule, rare is the week where I only work 40 hours.
At one consulting site, where I was paid for every hour that I worked thank
who pays? (Score:2)
What may be rising is the share of that cost shouldered by the companies that make money by warehousing data about individuals, as compared to the share shouldered by the individuals concerned. If that's true, that would be wonderful. It would create the right incentive for said companies to get real about data security.
With a little luck... (Score:2)
...data will actually become more of a liability for these companies, and maybe, just maybe, we will finally see the end of data-mining browser bars being included in everything under the sun.
Trust, easy to lose, hard to earn...still no wake (Score:1)
It's all about TRUST! Once lost, trust is very difficult to rebuild. Since many businesses simply refuse to change their business practices, I am of the opinion that too many simply do NOT understand that. If they did, they would make sure that they did NOT get hit the first time. Which means hiring qualified professionals and giving them the time to do the job right!
Just last week I was offered a System Administration job at a company not too far from me. I was told that they had been in business for over 10 years and were the Cadillac of the web server hosting business. They really focused on their customers' needs, unlike a company (she called them by name; I do NOT like them, however I still do not see the reason to state their name) that advertises during the Super Bowl.
I did not laugh when she offered me a rate that was $28 less per hour than what current jobs are paying in my area now, even with this economy. I did not mention that the rate was $12.00 per hour less than what I was paid to do the equivalent job at a company in the mid 1980s. My guess is that whoever they hire will be on call 24/7 and will be responsible for their server security in short order. They probably will not be allowed time to monitor those servers for break-ins either. Just too few people and too much work. Oh, and you can bet that they are not hiring additional bodies just because they are getting them at a lower rate. And where I live it is not considered cheaper to live than most other areas of the country.
They would be smarter to re-evaluate all their hardware and software licensing and annual renewals to see how much they could save by replacing them with effective open source and FOSS solutions.
In this specific case, I am confident that the company will get what they are willing to pay for. And when the economy turns around, which it will do eventually, whoever they hire will be the first to leave them and they will be starting all over again. And that is their upside; their downside is getting hit by crackers and losing their customers' trust.
Actions speak louder than words.
So many companies will pay lip service to so many things that they claim are important, yet when it comes time to do the right thing, they
Re: (Score:1)
They developed a process ...
I am sure they called it something fancy too, lmao...thanks for the laugh, still smiling as I type this.
Anyway, I'm through with cheapskates and idiots. I now work as an independent for very high-grade people who care about quality, not cost (within sensible limits, of course), and my reputation and the trust I am granted is now something *I* control, not some flunky in an office who has been tasked by his superior to flog the troops some more because he needs a new Rolls.
Congrats on finally getting there and I hope that you are able to maintain it through the foreseeable future, something tells me that you will.
Hey companies hiring tech workers. Take a good look at your requirements in your job posting. Are you expecting a Senior level person but paying at a Junior level rate?
Are you listing 20 years worth of requirements but looking for someone with a minimum of th