IBM and Ponemon Institute count the true cost of data breaches

IBM in conjunction with US independent data protection and security organisation The Ponemon Institute have published that the per-record cost of a data breach reached $154 in 2015, up 12% from $145 in 2014.  Aggregated, this amounted to an average total cost of a single data breach of $3.79 million.  The survey reviewed 350 companies across 11 countries, each of which had suffered a breach.

Prior to this, technology and communications giant Verizon had estimated the per record cost to be a scant 54 cents. However Ponemon Institute Chairman Larry Ponemon noted this was based on a small sample of 191 reports from cyber insurance claims and represented only around 10% of the insurance coverage for the cost of the breach and ignored the indirect costs or loss of resulting business.

Target’s latest breach was estimated to cost the company over $1 billion, but it was only insured for $100 million. Ponemon added:  “Companies generally buy enough insurance to cover 50% of the value of their fixed assets, but only 12% of the value of their digital assets”.

Loss of business is a growing part of the total cost of a data breach, with an increased trend of customer churn, with reputation and goodwill adding up to $1.57 million per company cost (up from $1.33 million the previous year).

VP at IBM Security, Caleb Barlow commented:  “At a minimum, a company with a data breach has to send out letters notifying customers that they were breached pay for credit monitoring”.

Data breach costs reportedly varied substantially in different industries and geographies, with healthcare having the highest costs due to its long shelf life, at an average of $363 per record and the US with the highest per-record cost at $217, followed by Germany at $211, with India the lowest at $56 per record.

Healthcare records are especially valuable due to the volume of personal information, Social Security numbers and insurance details which can be used to create credit records or for identify fraud in 10-15 years.

Cyber breach cost reductions:
• Companies with incident response teams reduced the costs per record by $12.60 because of their ability to swiftly respond
• Using encryption reduced costs by $12.
• Employee training reduced costs by $8.
• If business continuity management personnel were part of the incident response team, costs fell by $7.10.
• CISO leadership lowered costs by $5.60
• Board involvement lowered costs by $5.50
• Cyber insurance lowered costs by $4.40.

Having an assured and well prepared management response has a definite impact on the bottom line cost of any cyber security breach.  As Caleb Barlow darkly warned:  “You don’t have days to respond.  You don’t even have hours. You have minutes to get your act together.”

Cyber breach cost increases:
• Bringing in outside consultants added $4.50 per record.
• Lost or stolen devices added $9 per record on average.
• Third party involvement as the cause of a breach increased the average per-record breach cost by $16 (from $154 to $170).

Factoring in time to respond to end cost proved significant too:
• Respondents took 256 days on average to spot a breach caused by a malicious attacker – and 82 days to contain it.
• Breaches caused by system glitches took 173 days to spot – and 60 days to contain.
• Human error breaches took an average of 158 days to notice – and 57 days to contain.

With cyber security a major thorn in the side of business and an increasingly sophisticated route to damaging trust and reputation, no organisation of any size can afford a) not to have reviewed the security of its estate and b) taken steps to develop relevant and up to date policies and measures to safeguard its digital assets – and share this regularly with the Board.

Additionally and crucially, as our Head of Technology & Governance, JP Norman reminds us, “The reputational and financial losses quoted are without the EU Data Directive changes on the way which will enable fines of up to 5% of global turnover. CIO’s need to ensure their boards are aware of the potential financial risks that are likely to be in place by late 2016”.

Ponemon

 

Legal sector encryption failure gifts large payout to cyber criminals

A recent account published in the Telegraph newspaper, reported the alarming story of a London couple who inadvertently became the victims of a cruel cyber attack.  Completion funds on the sale of their property were intercepted by cyber criminals and the couple lost all proceeds, totalling £333,000.

The law firm handling the conveyancing, Perry Hay & Co in Surrey, had emailed owner Paul Lupton, requesting his bank account details for the proceeds of sale to be paid into upon completion.  Mr Lupton duly replied, giving both account and sort code.  The fraudsters, using ‘xray’ technology which identifies data patterns with financial information, intercepted this email and replied to the law firm, requesting the previous email be ignored and funds be transferred to a different account, theirs.

On discovery that the monies had not transferred, the owner alerted the bank (Barclays) and the police.   The account was frozen and £271,000 was returned.

With conveyancing a lucrative target for cyber criminals, law firms have to take responsibility for their clients money and use encrypted emails, requiring passwords, for confidential or financially sensitive information.

For email users, account numbers, sort codes, passwords and Pins should never be transmitted by email or be written down.  Online passwords should be strong (involving numbers and characters) and changed regularly.  Devices should also be protected with security software including regularly update installations to help defend accounts.

This is little comfort for the Luptons who are currently still out of pocket to the tune of £62,000 after Perry Hay & Co (and Barclays) rejected responsibility, despite legal watchdog, the Solicitors Regulation Authority (SRA) asserting that member firms were responsible for safeguarding client funds and must replace any monies “improperly withheld or withdrawn from a client account”.

email-file-encryption

Beware of the local cloud

straps-c

A new wearable device is currently being crowdsourced called the ReVault. On the face of it, it looks like a fairly standard smartwatch – but its secret weapon is invisible – your own local cloud.

The Revault watch comes in both 32GB and 128GB variants and can connect to your phone, tablet or even PC as a wireless hard drive.  The pitch is that you can have one copy of your data on your watch and can then access it across all your devices without the need of syncing each to a PC or a cloud in advance. You can even access this data when you have no internet connection as it connects locally via either Bluetooth or WiFi so this local cloud will work in places where you can’t connect to your regular cloud services.

The idea of separating physical storage from your device is not a new one, although the idea has faded away in recent years due to Cloud storage offerings and manufacturers being able to charge more for high capacity flash storage models. Having a memory card in your phone is seen by some as an advantage as you could get additional storage (including capacity far outreaching the device manufacturers options for a lot less), plus the flexibility to move your content to your next device, again without the additional cost on a pricier high capacity model.

Portable wireless storage could be the replacement for memory cards as it has distinct advantages and doesn’t require the device manufacturers to physically include compatibility – which is something they have little incentive to do.

A real concern is when these devices, personally owned by employees, are taking into the work space. Many companies will block the use of USB storage and block public cloud networks, however as the Revault is neither reliant on a physical or internet connection these devices is unlikely to be blocked by a standard company security policy.

The Revault will probably be a niche product and the chances of copycat devices or functionality remains uncertain at this point.  However, the strength of this crowdsourcing campaign could play a vital role in its success if personal clouds become relevant to a larger market.  One thing is certain though, new devices will always test your security practices and you will need to be vigilant to safeguard your corporate data from the ever evolving and unmonitored consumer device and services market.

 

Europe aims to close the door on encryption flaw risk

There has been a lot of talk recently about whether Government entities be allowed direct, back door access to encrypted messaging systems such as Apple’s iMessage and Facebook’s acquired WhatsApp.

In the US, the FBI asked the U.S. Congress to make encryption back doors in mobile devices mandatory to help combat crime.    Apple, Google and other major  tech companies are currently urging Barack Obama to reject the proposals for back doors for smart phones.

This conversation has mostly taken place in America where government bodies have argued that without back door access to these systems, how can they have a clear avenue for investigating terrorism claims?   There are two main arguments against allowing this. First is users rights’ to have private information. The second is a technical one, with any back door access, you are making a once secure system less-secure, and introducing a new front through which the system can be breached.

European Commission Vice President Andrus Ansip states there are no plans to require backdoors in communications encryption in Europe, “We don’t want to destroy people’s trust by creating some back doors,”

It is reassuring that back doors to secure, encrypted services that users trust is not on the cards for Europe, but if America does get its way then these services and our own mobiles could in fact have back doors – whether or not Europe chooses.  With such security flaws in place, how long would it take a resourceful hacker to use it for their own needs?   Hopefully in a post back door world, countries which do not enforce such a policy will have their own data unreachable from those who do.   If not we could see a new market for European-only encrypted services which promise no back doors for anyone.

Can digital technology enhance our work/life balance?

Striking a good work/life balance and embracing the rapid developments of technology has been a challenge for employees, as well as employers for a number of years now, especially for a business like Amicus ITS where we operate and support clients 24×7.  With the rapid deployment and acceptance in the workplace of mobile devices (BYOD and corporate mobiles + increased procurement of laptops), this has created flexibility options for many workers to answer emails, work on projects or just keep track of workload, out of hours or from offsite.

The question is – does this extra work, or working in a different environment create greater productivity and effectiveness, or is it allowing the individual to be swamped and creating a guilt culture about completing work or a ‘see I’m working now’ badge?

Phil Libin, CEO of Evernote speaking ahead of the ‘Silicon Valley Comes to Oxford 2015’ conference this week, commented:  “The challenge today is that we are a first generation digital society and still figuring out how to make it help us.  We now have mobile devices with email and most people think they should respond to the traffic all the time.  People need to manage their time right and access to work, to be in the right environment to be most productive. The point of the devices is to enable you to choose when you should engage with work. To do this successfully, we need new culture to support this”.

As part of the management team at Amicus ITS and with overall line management responsibility for our HR function, I believe that having the flexibility of a mobile workforce is a valuable tool for business in delivering productivity for the business and flexibility for the workforce.  However, I think we have to acknowledge that there needs to be a mature management culture overseeing this and individual discipline for those involved.  With all the enablement and security activated, it can also ensure that business continuity plans are quicker to exercise.  We have to get smarter about distinguishing work expectations and move away from micro-managing employees to thinking about how we can engage better with staff.  We should provide this balance when staff are out of the office both supporting them to escape and enjoy their downtime, as well as facilitating those who want to utilise some of this time for ‘clearing the decks’ or innovative thinking, by providing them with anywhere access to systems and data.

This is a thought echoed by Head of Envisioning at Microsoft UK, Dave Goplin, whose view is that, “It would be wrong to stifle innovation or good work if it suits the individual”.

The 2009 MacLeod Report for UK Government “Engaging for Success”, showed that disengaged employees cost the UK economy about £60 billion per year.  Technology is moving swiftly, but corporates are still slow to react and missing the boat on engagement.  As Dave Goplin said:  “If we can fix the challenge of engagement and enthuse the workforce by integrating technology with flexibility, employees will increasingly reconsider the importance of their work and the organisation they are working for”. 

At the back of all this, as a Managed Service Provider there is the corporate handle of ‘Shadow IT’.    Full governance, controls and management of what applications are allowed on a device, as well as keeping the data secure at all times has to be in place, before any of this vision can take place.  But it’s a good idea which progressive companies should position themselves to embrace and consider – and could make the difference of being the ‘go-to’ employer of choice in the next decade.

DSC_0015 Alan Meldrum 10@300

Data centres cool down and radiators go green in the Netherlands!

We all know the adage that there’s no such thing as a free lunch.   But could there really be a company out there offering free heating for us?

The answer is a surprisingly, sustainable yes!   Netherlands-based energy supplier Nerdalize, has joined forces with Dutch energy supplier Eneco, to create a clever solution called Eneco eRadiator, to fix the costly cooling problem faced by data centres worldwide.

Instead of high overhead costs and the size and volume of air conditioning units to cool servers in data centres, this solution spreads the installation of servers across different homes with no worry about the excess heat or overhead of a data centre!   Nerdalize covers the cost of electricity, the heat is generated by the computations and the home or building is heated for free.

It may not yet be a permanent heating solution, but this could be just a matter of time.  It is this sort of lateral thinking that makes technology solutions exciting and the guilt and expense of server farm bi-products acceptable.   Here, the amount of electricity used was monitored and the home owners reimbursed for the running costs.

Naturally, data security and backup issues spring to mind, not to mention maintenance questions with multiple geo-locations, but if the data is decentralised meta data and stays resident in that country it could start to have wider takeup  – but would not be a comfortable model for enterprise level data, no matter how green you are trying to be.

nerdalize_frontpage_logo_starwars_middle_cropped_blurred

Windows as a Service as Windows 10 becomes the last launch for Microsoft

At last week’s Ignite conference, Microsoft’s developer staff were freely talking about some pretty substantial changes in the future direction of Windows.  It is likely that Windows 10 will be the last version of Windows to be released, as Microsoft moves firmly towards “Windows as a Service” fulfilment.

With the engineering and delivery of Windows changed for Windows 10, instead of new releases there will be regular improvements and updates of 10.  How it will work (whilst being a sizeable task), will see Microsoft splitting up operating system components like the Start Menu and built-in apps into separate parts. These can then be updated independently to the entire Windows core operating system.  This gives highly desirable flexibility to span across multiple devices and provide smoother background monthly updates instead of new version launches every 2-3 years.

The apps and services that power Windows 10 are nearing launch and the new version of Windows 10 is currently being trialled by a number of test participants.

All of this bodes well for Managed Service Providers as our embrace of “as a Service” packages makes moving to the Cloud increasingly convenient, smoother and more flexible for tailoring the end user experience.

Windows-10-logo