A new survey from Tripwire, Inc., has discovered that 40% of retail and financial organisations need 2-3 days to detect a breach.
Last Tuesday I met up with detective novel-inspired Dwayne Melancon and other key Tripwire personnel as part of the Eskenzi press lunch that was being held in conjunction with InfoSecurity Europe 2014. The topic of discussion was data breaches, including those within the retail sector, the area in which I work when I’m not at my keyboard. That, combined with the recent high-profile breaches at the likes of Target and Neiman Marcus, made sure that my curiosity and interest were piqued in equal measure.
As I am sure many of you know, a recent report from the Ponemon Institute has revealed that the costs associated with a breach have risen significantly over the last year, rising 15% to $3.5 million in total. Furthermore, each individual record containing sensitive and confidential information that is lost or stolen is now costing businesses $145 a time, a year-on-year rise of 9%. Significantly, the Ponemon Institute also discovered that the probability of a company having a data breach involving 10,000 or more confidential records is 22 percent over a two-year period.
So, given the above, can we expect organisations to be considering the risk of suffering a data breach far more seriously than ever before?
Apparently not, according to Tripwire’s findings.
A survey conducted by Atomic Research, encompassing 102 financial organisations and 151 retail organisations in the U.K., all of which process card payments, indicates that recent data breaches have actually had little impact on the security controls employed by those businesses.
Additionally, 35% of those polled said it would take as long as two to three days to detect a breach on their systems whilst 44 percent admitted that their customer data could be better protected.
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that outlines minimum security requirements for organisations that handle cardholder information. When the surveyed organisations were asked how important PCI compliance is to their overall security program, 43 percent said it was the backbone of their security program, and 36 percent said it was half of their security program.
PCI compliance is not, of course, a silver bullet and, in my opinion, should only be seen as one part of a much broader security program. Even so, it is still interesting to learn that only 11.1% of businesses were fully compliant in 2013 and, as Neira Jones recently told me:
“It has been evidenced in the Verizon PCI Compliance Report 2014 that ‘organisations that are breached tend to be less compliant with PCI-DSS than the average of organisations in our research’.”
In response to the survey findings, Tripwire’s Tim Erlin, director of IT security and risk strategy, said:
“It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches. Sixty percent of respondents said they are confident that their security controls are able to prevent the loss of data files, but this confidence flies in the face of recent evidence to the contrary.”
Other notable findings from the Atomic Research survey include:
- 24 percent of the organisations polled have already suffered a data breach in which Personally Identifiable Information (PII) was either stolen or accessed by intruders.
- 36 percent of respondents do not have confidence in their incident response plan.
- 51 percent of respondents are only somewhat confident that their security controls can detect malicious applications.
- 40 percent of respondents said they do not believe that recent high profile cardholder breaches have changed the level of attention executives give to security.
Melancon, chief technology officer for Tripwire, said:
“It is great that recent breaches have increased cybersecurity awareness and internal dialogue. However, the improved internal communication may be biased by a false sense of security. For example, 95 percent of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”
Melancon added:
“Furthermore, only 60 percent of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches. These attitudes seem to indicate a high degree of overconfidence or naivete among information security practitioners. I believe a number of these organisations may be in for a rude awakening if their systems are targeted by criminals.”
I’ve said in the past that UK business needs to pay attention to what happened at Target, Neiman Marcus, et al., but there still appears to be much more that could be done to mitigate the data breach risk in this country, including improved controls, better communication, improved security awareness training and, perhaps, more openness and better incident response from those companies that have been breached.