Data Breaches Taking Slightly Longer To Detect, Study Finds

Despite rising global awareness of data breaches in various industries, organizations experienced an increase in the number of days to identify a data breach over the last fiscal year. According to a new study conducted by the Ponemon Institute and published by IBM, it takes an average of 197 days for a company to identify a breach – up six days from 2017 – and an average of 69 days to contain it (which also showed a three-day increase from 2017).

“We attribute the increase in days to the growth in the use of IoT devices, extensive use of mobile platforms, increased migration to the cloud and compliance failures,” the study authors said in the 2018 Cost of Data Breach Study: Impact of Business Continuity Management.

This year’s study included 2,634 employees from 477 companies in 17 industries in 13 countries and two regions. The study found that the average total cost of a data breach in 2018 is $3.86 million; $1.45 million of that is attributable to the most costly component, lost business. The least expensive component is data breach notification, at $0.16 million.

Ponemon also included a framework for measuring the cost of mega breaches, which are breaches involving at least 1 million compromised records. There is also a special analysis of the cost to recover from a data breach.

Some notable findings include:

  • The average cost per compromised record at the surveyed organizations was $148 in fiscal year 2018, up from $141 in 2017 but down from $158 in 2016.
  • The larger the data breach, the less likely the organization will have another breach in the next 24 months.
  • Healthcare organizations took an average of 55 days to detect a breach, but 1,037 days to contain it.

To download IBM’s survey, click here.

U.S. Policymakers Renew Focus on Data Breach Laws

If we have learned any lessons from the last few years, it is that data breaches present a significant business risk to organizations, often resulting in high financial cost and impact on public opinion. According to a recent study, the average cost of a data breach incident is approximately $3.5 million. With reputation management and a complex regulatory landscape as additive organizational concerns, security and risk professionals face the tough task of ensuring their companies successfully manage the aftermath of a data breach.

A crucial aspect of data breach preparedness is having a strong understanding of the legislative and regulatory framework around data breach notification. However, set against a patchwork of 47 existing laws from nearly every U.S. state, risk and compliance professionals are challenged to understand and communicate the rights of their business and their customers. The recent mega breaches experienced by several large companies in the United States have resulted in heightened consumer, media and policymaker awareness and concern, making the potential for new requirements and legislation a hot topic.

Currently, legislation that would establish a national data security and breach standard remains undefined.

However, there has been a renewed focus from policymakers and support from the Obama administration to adopt a national notification requirement – offering clarity and guidance for organizations following a data breach. While legislation awaits, experts expect continued data breach enforcement from the federal level, such as the FTC, alongside state governments.

Additionally, as more data is being stored in the cloud and shared across international borders, standard data breach notification requirements are also being evaluated and established on a global level. For example, the European Union’s (EU) new data breach requirements for telecommunication operators and internet service providers (ISPs) were implemented in August 2013. Now, these entities are required to notify national data protection authorities within 24 hours of detecting a theft, loss or unauthorized access to customer data, including emails, calling data and IP addresses. Building on that legislation, the EU is now also considering expanding the 24-hour notification requirement to all commercial sectors as part of the larger update of the region’s data protection law.

A federal standard is likely on the horizon, but in the meantime, there are a few recommended steps risk managers should evaluate now as part of their preparedness plan:

  • Understand the current notification requirements and enlist legal counsel. Once the details of a data breach are identified, organizations will need to assess which laws apply to the incident. Identifying the right group of experts, including outside privacy counsel, ahead of time can help risk managers quickly navigate this process. However, be aware that within the United States, certain state laws have consumer notification requirements as short as 30 or 45 days. This means there is no time to waste verifying consumer addresses; writing, printing and mailing notification letters; or setting up a call center and other services for affected individuals. To complicate things further, multiple state laws may apply to a single data breach due to the jurisdiction of the affected individuals, not where the business is located. For more information on notification requirements, Experian has developed a guide with tips on data breach response available for download at http://www.experian.com/data-breach/response-guide.
  • Offer identity theft protection. Though laws and industry regulations vary regarding if and when an organization needs to notify victims following a data breach, affected consumers have also expressed their expectation that organizations will offer credit monitoring and identity theft protection services in the aftermath of an incident. In fact, 63% of respondents from a recent survey indicated breached companies should be obligated to provide free identity theft protection to affected customers. Organizations that provide fraud monitoring and identity protection are better positioned to improve compliance and maintain consumers’ trust. Policymakers have also made clear, as they evaluate data breach legislation, that they expect companies to take steps to further protect consumers from identity theft following a breach.

As legislation for data breaches continues to be shaped, risk managers preparing their response plans should ensure they partner with legal counsel to understand the various notification requirements across national and international borders. It is also important to remember that data breaches cannot be managed solely as a compliance issue, and to take into account consumer needs and expectations. As part of a well-practiced pre-breach preparedness plan, risk professionals should focus on clear notification and guidance, along with offering identity theft or fraud protection to protect consumers and ultimately maintain their trust following a breach. With these measures in place, regulators will likely recognize that a company has established responsible procedures for managing and responding to a breach.

More information on data breach legislation and resources can be found at the Experian Data Breach Resolution website and the Experian Data Breach Resolution blog.

The Reputational Risk and IT Relationship

With more visibility and vulnerability in today’s business landscape due to social media, online commerce and doing business through mobile devices, it only makes sense that there would be more potential risks to a company’s reputation and brand. In fact, now more than ever, executives are attempting to protect their brands from these security threats by being more proactive and looking for blindspots in their risk management program. That’s according to findings from the “2012 IBM Global Reputational Risk and IT Study,” conducted by the Economist Intelligence Unit, which analyzed responses from 427 senior executives from around the world, representing nearly all industries.

Respondents indicated that cybercrime is more of a reputational threat than systems failure — a finding that clearly illustrates how cybersecurity is a growing concern among executives, as shown in the following graph from the report.

What’s more, 64% say their company will put additional effort into managing its reputation in the future while 75% of respondents say their IT budget will grow over the next 12 months due to reputational concerns. “Underestimating the cost of reputational risk greatly exceeds the cost of protection,” said one U.S.-based study participant. “Being proactive is preferable to being reactive.”

As the report states:

Going forward, assessing potential blind spots and new technologies will likely be accelerated through the use of case studies and scenario analysis rather than waiting for direct experience. “To use new technologies like cloud you need trust,” says Andrea MacIntosh, director of quality with Alpha Technologies in British Columbia, Canada. “How do you build trust? Either by demonstrating performance or through looking at comparable organizations that are using it with good success. I think there’s a lot of referential data for companies like ours, but as with any new technology, you’ve got to be cautious.”

So how does a company avoid data breaches and strengthen the public’s trust in its brand? The respondents feel that integrating IT into reputational risk management, along with having a strong IT risk management capacity, is the best bet.

Gone are the days when a customer inherently trusts that a company’s IT capabilities are sufficient. In fact, customers are taking a more proactive approach when it comes to understanding a current or potential business partner’s IT infrastructure. “We’re seeing more requests from our customers for details of our IT infrastructure and security, along with on-site audits, as part of the supplier qualification process,” said MacIntosh.

Organizations of all sizes across all industries are devoting more time and attention to potential cyber threats that could harm their reputation. “This concern is reflected in more integrated, enterprise-wide approaches to risk management led from the C-suite and increased attention being paid to the direct reputational impacts of IT risks,” the report states. This study, along with many others, points to the conclusion that cyber and data security has earned top billing on the list of the biggest risks posed to businesses. How is your company responding?

Managing Strategic Risk: How IBM Looked Ahead, Revamped Its Operations and Profited

New IBM chief executive Virginia Rometty

In 1981, IBM revolutionized the computer industry — and arguably the world. In introducing its IBM Personal Computer, the company’s goal was to offer a machine capable of competing for sales in a burgeoning market against the likes of Commodore, Apple, Atari and Tandy. But what it really did was create a product that was so successful that its makeup became the standard for all home computers.

Fast forward 10 years. The massive share of the home computer market that IBM had devoured following the success of the IBM PC, while still substantial, was dwindling. The “IBM Compatible” army of imitators was growing by the year, and the company no longer retained the popular cachet among consumers to give it any real advantage over “PC Clone” rivals like Compaq and Hewlett-Packard.

It became increasingly clear that the company’s domination of the hardware market was over.

For some companies, this could have been the beginning of the end. But it was merely a new beginning away from the machines that had once been so much at the heart of its business that they not only comprised most of its revenue but one third of its very name, International Business Machines.

Like the long version of its name, however, the past model is long gone. In 2005, IBM made it official, selling off its venerable ThinkPad brand of laptops to Lenovo and culminating a mission begun by Samuel Palmisano, who took the top executive spot in 1993, to find a non-hardware-driven way to not just survive, but thrive.

Leaders knew that their company’s long-term success would come from services and software, not hardware. In 2002, the company made its marquee splash into a pool it now dominates, by spending $3.5 billion to purchase PricewaterhouseCoopers’ consulting arm, something the company lists as “the largest acquisition in professional services history.”

And it was largely due to the vision of IBM’s recently appointed new CEO, Virginia Rometty.

In 2002, Ms. Rometty championed the purchase of the big business consulting firm, PricewaterhouseCoopers Consulting, for $3.5 billion.

The deal was made shortly after [former chief executive Samuel] Palmisano became chief executive and it was seen as a big risk. The PricewaterhouseCoopers consultants were used to operating fairly independently, in a very different culture from the more regimented I.B.M. style of the time. The danger, analysts say, was that the business consultants would flee in droves, leaving the business a shell.

Ms. Rometty was put in charge of coordinating the work of the acquired firm’s consultants with I.B.M.’s technologists, to tailor services and software offering for specific industries. Ms. Rometty, analysts say, worked tirelessly and effectively to win over the consultants. “She did the deal, and she made it work,” Mr. Palmisano said.

This shows two admirable leadership qualities of Rometty: the ability to think long-term and the ability to successfully navigate a tricky merger. It’s rare for anyone to be capable of pulling off even one of those tasks. She has done both.

And it’s not just those inside IBM who see it this way. Outside analysts agree.

Ms. Rometty has led the growth and development of I.B.M.’s huge services business for more than a decade. The services strategy, analysts say, is partly a marketing tactic. But, they add, it also represents a different approach to the technology business, with less emphasis on selling hardware and software products. Instead, I.B.M. puts together bundles of technology to help business streamline operations, find customers and develop new products.

“I.B.M. is selling business solutions, not just products,” said Frank Gens, chief analyst for the technology market research firm IDC. “Rometty has been at the forefront of that effort.”

And this.

“Ginni Rometty combines performance and charisma,” said George F. Colony, chairman of Forrester Research. “She orchestrated a massive charm campaign to bring the PricewaterhouseCoopers people into the fold. That was the trial by fire for her.”

As its hardware dominance started to wane, the company didn’t panic. Its leaders, notably Rometty, just found new ways to maintain the company’s status as a leader in the tech market. Now, the company is the 18th largest in the country, the 2nd largest tech firm on the planet (trailing only Apple) and the world’s 2nd best brand (according to Interbrand).

Warren Buffett even wants in on the action, yesterday announcing that his company just paid $10 billion for a 5% stake in IBM in a deal that is the “most Berkshire has ever paid for a minority stake in a publicly traded company” and “a massive bet on a technology services company after years of eschewing technology stocks.”

Managing a strategic risk is perhaps the hardest thing for a company to do. It takes considerable vision, and even more effort, to redirect operations in another direction or — harder still — revamp a business model. But any company that thinks it can last for decades doing the exact same thing it has always done is likely fooling itself.

We can all learn a lot about risk management from the IBM turnaround.