Tag Archives: Ponemon

Is Your Cybersecurity Program Working?

That’s kind of a loaded question, but still important.

After all, you are spending a bunch of money on it;  how do you know if you are getting your money’s worth?

Or maybe you are not spending very much at all – in that case how do you know if you are adequately protecting your company?

Given those questions, Larry Ponemon, the researcher who performs research for almost anyone who pays him (though there is no evidence that his research is skewed because of that), and AttackIQ, a security tool vendor, conducted a study.

Larry’s study says that on average, enterprises spend around $18 million on cybersecurity every year (what is included in that is, of course, somewhat variable) and more than half of them plan to increase that by as much as 14% next year.

53 percent of those responding said that they have no idea how well the tools are working in their corporate networks.

On average, these IT folks say that they have almost 50 cybersecurity tools installed.  Larger companies run sometimes as many as a couple hundred.  How could you know if the tools are working if you have that many?

A little over a third think they are getting “full value” from their investments.

Worse yet, over 60% said that they have actually experienced a tool that said that it blocked a security threat, when, in fact, it had not.

Almost 60% of the respondents said that lack of visibility was the reason there were still breaches, even though they have almost 50 tools installed.

40 percent think that their teams are effective at finding and plugging security holes.  This means that almost two thirds do NOT think their teams are effective at their primary mission.

Almost two thirds said that there is no set schedule for penetration tests.

Click here to see the full report.

So what does all of this mean?

It likely means that buying more tools will not fix the problem.

It doesn’t mean that you should halt your security program either, however.

It does mean that you have to have a robust cybersecurity governance program.  That should not come as much of a surprise.  At some levels, cybersecurity is a hard problem.  At other levels, it is very straightforward.

The basics need to be done –  governance, planning, training, policies, backups, incident response, endpoint protection, encryption and so on.

What requires more analysis are some of the very expensive tools that some of the vendors are selling.  Some of the tools cost tens of thousands of dollars – or more.

It is fair to say that companies need to assess the programs they have in place, no differently than any other program that a company runs.

The challenge is how to measure whether the program is working or not.  Is it working because you didn’t get hacked today?  At some level, yes, but at other levels no.  How do you measure success?

I don’t have all the answers.  I wish I did.  But every company needs to consider what they are doing.  If you are just doing the basics then that analysis is pretty simple.   But if you are looking, like enterprises are, at spending $18 million a year, then you need to figure out how to define success.

Most of our clients are not in the league of spending that kind of money on security, but security is a $125 billion a year business according to Gartner and growing, so for every company that is spending way less than that $18 million, there are some that are spending way more.

Cybersecurity is a big investment for every company.  Make sure that you are spending that money wisely.  Start with the basics.  Do those basics right.  Then look at the advanced things.  Set up metrics.  Brief management.  Ask questions.  It is, after all, something that could take down your company if you do not do it right.

Again, the Ponemon study is available here.

Majority of Businesses Lack Resources To Manage Cyber Threats

A recent Ponemon Institute study revealed what a lot of us have been saying for a long time.  Despite spending millions of dollars, 79 percent of the IT and IT security staff reported that their ability to identify and stop threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise.

The companies participating in this study said that they were on the receiving end of at least one cyber attack per month and spent about $3 million a year to deal with them.

Other results include:

  • 59 percent said that protecting intellectual property is essential or very important to their company’s survival
  • Respondents said that they averaged 32 material cyber attacks a year.
  • 38 percent said that their security processes for monitoring the Internet and social media were non-existent; another 23 percent said they were ad hoc and 18 percent said they were inconsistently applied.
  • Over 60 percent of the security leaders – directors and above – said they did not have the tools they needed to monitor, analyze, understand and mitigate external threats.

What this report is saying is that the majority – in some cases three quarters – of the people assigned to protect company information and systems say that they do not have the ability to protect their companies.  That is a scary concept.

Certain industries are probably exceptions to this – the big banks (but not the smaller banks) and the Defense Department, for example.  This does not mean they don’t get breached.  It means that they have the budget for tools and people to try and stop them from getting breached.

While an unlimited budget is nice, it is also not necessary.  What is needed is for executive management – The C-Suite and the Board – to make protecting their companies a priority.  And then to make operational changes to the way those companies protect information.

It has been reported that when the security team went to Home Depot’s management to ask for more resources, they were told that Home Depot was in the business of selling hammers and how did spending money on cyber security help that.  My guess is if they could reconsider that decision now, they would probably give a different answer.

This risk is not going away.  It will likely get worse before it gets better.  Sorry to be the bearer of bad news.

Information for this post came from Security Magazine.

The Gap Between The Board and IT Security

The Ponemon Institute released a study that compares the views of about 7,000 Board members and 11,000 IT security people and the results show some interesting data.

The first question is “Our board of directors understands the security risks to the organization”.  While 70% of the board members agree or strongly agree with that statement, only 43% of the IT people agree or strongly agree with it.  That is a pretty big gap.

Given that board members make important cyber security decisions, their knowledge in that domain is important.  Here are a few select answers from the survey:

  • 9% of the board members said they were very knowledgeable about cyber security.  26% said that they had minimal or no knowledge.
  • 59% of the board members said that the company’s cyber security governance practices are very effective.  18% of the IT security people agreed with that statement.
  • 18% of the board members said they were unsure if the company had a breach that resulted in lost or stolen records.
  • 21% of the board members were unsure if the company had a cyber attack that disrupted business operations.
  • 79% of the board members said that cyber security governance is not on the board’s agenda because it is best handled by company management.  51% said it was due to concerns about director liability.  So half of the directors said that they did not want to deal with cyber security because they thought they might get sued.  Given that a cyber breach could cost the company millions of dollars or even have the company go out of business, that seems like a breach of fiduciary responsibility.
  • 69% of the board members are concerned about their potential liability if the company has a serious breach.  That would seem to indicate that they should do their best to make sure that the company does not suffer a breach.
  • Currently, the SEC has issued voluntary guidelines regarding disclosing cyber breaches.  83% of the board members of companies that have suffered a breach think the SEC will issue mandatory regulations.  Only 17% of those who have not had a breach think the SEC will do that.
  • 81% of the board members think that if the SEC issues those regulations, board involvement will increase.

So, while this indicates boards are concerned, absent regulations requiring disclosure, and because of concerns about getting sued, the majority of board members prefer to avoid the issue.

The study is available here.

Ponemon 2015 Cost Of Data Breach Study

Larry Ponemon surveys companies every year to see how the cost of dealing with breaches is trending.  This year shows, among other things, that it costs companies an average of $217 per record breached.  That means, on average, a small breach of say 10,000 records still costs $2 million.  If you assume his numbers are high, half of that is still $1 million.  Absent insurance, that is a large check to write.

Statistics from the report (see here, registration may be required) include:

  • Cost per record breached has been around $210 +/- 5% since 2008.  While it is good that the cost per record is not going up, total records last year were over 1 billion, so that is still a large check for people to write.
  • Average total organizational cost is also basically flat since 2008 – in the $5 mil to $7 mil range per breach.  This number is trending up a little bit over the last 4 years (up $1 mil from 2012, but down from the very highest year, 2011, which was $7.24 mil).
  • Cost per record does vary by industry.  Healthcare was the highest at $398 per record; public sector the lowest at $73 (the public sector is likely the lowest because you cannot sue city hall – at least not successfully).  Other sectors were in the middle – financial at $259, services at $219, industrial at $190 and retail at $189, for example.
  • 49% were caused by a malicious attack and 32% were caused by system or business process failures.  The rest were attributed to human error (19%).
  • Factors that influence the average cost per breached record include having an incident response team – $23.8 less, using encryption throughout – $19 less and board involvement – $9.8 less.  On the other hand, lost and stolen devices adds $12 and if third parties are involved it adds $29.
  • Churn (loss of customers) has a very big effect on average total cost.  For companies with less than 1% churn, the average total cost is $5.5 mil, for companies with more than 4% churn, the average cost is $12.7 million – more than double.

The report has many other statistics; these are just a few of the highlights.  Please click on the link above to see the report.

Medical ID Fraud A Challenging Problem

The Medical Identity Fraud Alliance (MIFA) and the Ponemon Institute released their fifth annual study on Medical ID fraud.

Short version of the results:  It is very costly, time consuming and complicated for consumers to resolve medical ID fraud and only 10 percent of the respondents to the study report achieving a completely satisfactory conclusion to the incident.

A copy of the report is available from Ponemon at this address.

Some of the report’s key findings are:

  1. 65% of the medical ID theft victims had to pay an average of $13,500 to resolve the crime.
  2. Only 10% of respondents reported achieving a completely satisfactory conclusion to the incident.
  3. Those who resolved the crime spent an average of 200 hours to resolve the issue.
  4. Many respondents felt that medical ID fraud had a negative impact on their reputation due to having to discuss very personal subjects with a variety of people.

The report, about 40 pages long, has some interesting specifics as well –

  • 68% of the respondents are not confident that their health care providers’ security measures will protect their medical records.
  • About half of the respondents think that electronic health records (mandated by the ACA) increase their risk of being a medical ID victim.
  • In case of the theft of a respondent’s medical records, 80% want to be reimbursed for costs, 40% want the organization to notify them promptly and 28% want the organization to provide medical ID theft protection.

NOTE: organizations are not legally required to reimburse you (you can try to sue them) and there is no such thing as medical ID theft protection.  This is all very different from credit card fraud and likely part of the reason that stolen medical records are extremely profitable to crooks.

  • While the rate of medical ID theft is relatively low (about 1% of the respondents), it has doubled in the last 5 years.
  • Approximately 60% of the respondents said their medical ID was stolen to get treatments, prescriptions or obtain government benefits.
  • 53% of the respondents said that a provider’s negligence caused or contributed to the theft while 30% were unsure.  Only 17% did not think the provider was part of the problem.
  • 47% of the respondents said that either a family member used their ID without permission or they shared personal information with someone they know (50/50 split), so a large part of the crime – but only half – is committed by someone the victim knows.
  • 69% of the respondents are either not familiar with or never heard of HIPAA and the privacy standards – even though everyone has to sign a HIPAA statement prior to getting healthcare.
  • Lastly, when asked why they don’t check their health records for accuracy, the respondents answered this way: 53% did not know how to, 39% trust their provider to do it, 35% said their records are not easily available, 33% said it never occurred to them and 25% said they didn’t care.

The last bullet is the most telling one, which puts medical ID fraud where credit card fraud was about 40 years ago.

Hopefully, we can make up the gap in less than another 40 years.


The simplest hack

CSO Magazine is reporting on an experiment conducted by the Ponemon Institute.  They sent researchers disguised as temporary employees, with temporary badges, into 43 offices belonging to 7 companies.  The management was aware of the plan but the office staffs were not aware.

The researchers went into the offices, wandered around, took pictures of computer screens, picked up documents marked confidential and put them in their briefcases.  The researchers even brought spreadsheets up on their computer screens and took pictures of the screens.  All in full view of the office staff.

The security industry calls these ops red teams.  Been there.  Done that.  I know they work.  Almost 100% of the time.

And the results…

Out of 43 trials, the researcher was confronted by a company employee only seven times when taking pictures of the screen, only four times when it looked like they were stealing confidential documents, and only twice when wandering around looking at things on people’s desks, computer monitors, and at printers, copiers and fax machines.
And there was only one case where the strange behavior was actually reported to management.

In a little over two percent of the cases, someone spoke up.  97 percent of the time, they told no one.

The information they collected included staff directories, customer information, financial information, confidential documents and access credentials.

Open layout offices were easier to compromise than traditional offices.  Customer service, marketing and sales were the easiest targets;  legal and finance were the hardest.  IT was in the middle.

The sponsor was 3M and the mission was to see if their computer privacy screens made a difference – the answer is not much.

Things that did make a difference included clean desk policies, standardized shredding policies and mandatory training.

And they did not need to be in the offices for long.  They spotted their first target information in the first 15 minutes.

The moral of the story is that we need to deal with the simple stuff before we deal with the impossible.  If we fail at the simplest security tasks, there is no way that we will defeat an advanced persistent threat.