A lesson businesses continue to emphasize from this past year is that any organization, regardless of size, is vulnerable to a data breach. Starting with the infamous Target breach in late 2013, which compromised millions of consumers, continuing to the Sony attack that saw personal information exposed, and now the massive breach at Anthem, well-known entities have endured financial and reputational damage due to breaches.
A Ponemon Institute study called “2014: Year of the Mega Breaches,” commissioned by sensitive-data-management-solution provider Identity Finder, polled 735 IT and IT security practitioners to gauge how their organizations reacted, both attitudinally and through IT security investments, to the Target breach in 2014. The study also explored details about breaches that some respondents’ businesses had experienced.
According to the study, organizations are more aware of data breaches, but many continue to invest in solutions that have failed to keep cyber criminals out (for example, JP Morgan Chase spent $250 million on security prior to its breach last year). Those organizations are also failing to invest in areas that could empower them to shrink the amount of data that cyber criminals can steal in the first place. In this slideshow, Todd Feinman, CEO, Identity Finder, highlights findings from this study.
Prior to the November 2013 Target data breach, only 13 percent of respondents indicated that management had “extreme concern” about data breaches. After the incident, the level of concern rose to 55 percent. From a “paying attention” standpoint, organizations that didn’t previously consider such breaches serious threats to their business were now taking notice.
While attitudes changed, the real question was whether or not that concern would lead to greater resources dedicated to combating the impact of breaches. Of the 735 respondents, 61 percent indicated that the Target incident was the impetus for an increase in IT security budget, with an average increase of 34 percent.
Change in Spending Focus
The study showed that the increased spending was most heavily focused on the task of keeping cyber criminals off of the network, as evidenced by the top five post-Target security investments: security incident and event management (SIEM) (50 percent), endpoint security (48 percent), intrusion detection/prevention (44 percent), encryption/tokenization (38 percent) and web application firewalls (37 percent). A much smaller percentage of respondents invested in sensitive data management (9 percent) and data classification (8 percent) tools, which assist in finding data that could be vulnerable and remediating the issue before a breach occurs.
More Breach Experiences
The study also asked respondents to share specifics related to breaches their organizations had experienced. Of the 735 respondents, 45 percent worked for organizations that experienced a data breach within the previous 24 months.
Evading Existing Security
Breached respondents indicated a false sense of security around their organizations’ ability to block intruders. According to the survey, 65 percent indicated that their attack evaded existing preventive security controls, and 50 percent believed they had the tools necessary to prevent the breach.
Difficulty Remediating Breaches
Organizations also admitted difficulty in both detecting and remediating data breaches. Forty-six percent of respondents indicated that their breaches were discovered accidentally, and 95 percent said the incidents weren’t discovered for at least three months; 74 percent weren’t discovered for at least a year. The lingering impact of breaches was also evident, as 70 percent of data breaches weren’t resolved for at least a year.
Dr. Larry Ponemon, Ph.D., chairman and founder, Ponemon Institute, said, “This study shows that organizations are dedicating greater attention and financial resources towards managing sensitive information and preventing data breaches, which is certainly encouraging news. However, 2015 is predicted to be as bad as or worse than 2014 as more sensitive and confidential data and transactions are targeted by attacks and collateral damage. Security is not only about more investments in prevention but also about understanding the data itself that is vulnerable.”