november 2019 - s3.ca-central-1.amazonaws.com · financial impact of data breaches. here are some...
TRANSCRIPT
Organizations use a wide range of tools and best practices for protecting against cyberattacks. But malicious efforts targeting end users are driving the need for a more people-focused approach to cybersecurity.
November 2019
How Data Breaches Affect the Enterprise
Sponsored by
How Data Breaches Affect the Enterprise
November 2019 2
How Data Breaches Affect the Enterprise
CONT
ENTS
TABLE OF
Table of Contents
3 About the Author
4 Executive Summary
6 Research Synopsis
7 Increased Spending Does Little to Slow Data Breaches
11 Broadening Cost and Other Consequences of a Data Breach
16 The Enterprise Response to Increased Breach Activity
18 Conclusion
20 Appendix
Figures
Figure 1: Security Breaches Over Past Year
Figure 2: Reasons for Increased Vulnerability
Figure 3: Preparedness of Organization
Figure 4: Top Causes of Major Breach
Figure 5: Assessing Cloud Service Providers’ Capabilities
Figure 6: Risk Assessment of Cloud Providers
Figure 7: Attack Fallout
Figure 8: Ransomware Attacks
Figure 9: Paying Ransom
Figure 10: Security Practices and Disciplines
Figure 11: Dedicated Cybersecurity Staff
Figure 12: Formal Security Incident Management Team
Figure 13: Cyberbreach or Cyber-Risk Insurance
Figure 14: File Insurance Claim
Figure 15: Respondent Job Title
Figure 16: Respondent Industry
Figure 17: Respondent Company Size
Figure 18: Respondent Company Revenue
CONT
ENTS
TABLE OF
Dark Reading Reports
November 2019 3
Table of Contents
How Data Breaches Affect the Enterprise
Jai VijayanDark Reading Reports
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He specializes in writing on information security and data privacy topics. He was most recently a Senior Editor at Computerworld. He is a regular contributor to Dark Reading, CSO Online, TechTarget, and several other publications.
Dark Reading Reports
November 2019 4
Table of Contents
How Data Breaches Affect the Enterprise
SUM
MAR
YDespite increased enterprise investments in cybersecurity, 2019 is on track to be the worst year ever for data breaches. A growing number of organizations are experiencing significant financial losses, brand damage, and customer alienation issues as a result of the increased breach activity.
Dark Reading surveyed 150 IT and security professionals about their preparedness to deal with data breaches and a wide range of other issues. Their responses show that end-user vulnerabilities, attack volumes, and growing threat sophistication are leading to more breaches than ever. Organizations have deployed a wide range of tools and best practices for protecting networks and systems against attack. But a relentless adversary focus on end users is driving the need for a more people-focused approach to cybersecurity.
Organizations in our survey that experienced a security breach suffered through a wide range of consequences, including network and business disruption, credential theft, customer data compromise, fraud, and identity theft. A larger proportion of respondents compared with our last two surveys reported intellectual property theft and the loss of confidential business data.
Our survey shows increased breach activity is driving a focus on cyber insurance as a way to reduce the financial impact of data breaches.
Here are some key takeaways from the report:
• 52% of organizations had a malware-related security breach; 50% experienced a phishing-related data breach.
• 44% of survey respondents expect a major data breach will happen at their organization in the next 12 months.
• 23% of organizations experienced network or application availability issues following a data breach.
• 16% of respondents say their companies lost intellectual property or confidential data as the result of a data breach.
EXECUTIVE
Dark Reading Reports
November 2019 5
Table of Contents
How Data Breaches Affect the Enterprise
• 11% of breached organizations experienced brand damage because of a data breach.
• 10% of enterprises got hit with ransomware in the previous 12 months; 15% of those that got hit paid a ransom to get their data back.
• 49% of respondents feel their organizations are well-prepared to deal with a data breach.
• 17% of respondents say their organizations do not have a single individual dedicated exclusively to the cybersecurity function.
• 42% of organizations plan to implement a formal security operations center capability over the next 12 months.
• 18% of organizations filed a cyber insurance claim after a security incident.
Dark Reading Reports
November 2019 6
Table of Contents
How Data Breaches Affect the Enterprise
SYNO
PSIS
ABOUT USDark Reading Reportsoffer original data and insights on the latest trends and practices in IT security. Compiled and written by experts, Dark Reading Reports illustrate the plans and directions of the cybersecurity community and provide advice on the steps enterprises can take to protect their most critical data.
Dark Reading Reports
Survey Name Dark Reading 2019 Strategic Security Survey
Survey Date September 2019
Primary Region North America
Number of Respondents 150 technology and cybersecurity professionals at organizations with 100 or more employees and revenues ranging from under $6 million to over $5 billion. The margin of error for the total respondent base (N=150) is +/-7.9 percentage points.
Purpose Dark Reading surveyed technology and cybersecurity professionals to discover the causes for, impact of, and enterprise response to data breaches.
Methodology The survey queried decision-makers with IT or IT security job titles at North American organizations. Questions centered around organizations’ cybersecurity challenges, plans, and directions as well as respondents’ experiences and concerns about data breaches. The survey was conducted online. Respondents were recruited via an emailed invitation containing an embedded link to the survey. The email was sent to a select group of Informa’s qualified database; Informa is the parent company of Dark Reading. Informa Tech research was responsible for all programming and data analysis. These procedures were carried out in strict accordance with standard market research practices.
RESEARCH
Dark Reading Reports
Increased Spending Does Little to Slow Data Breaches 2019 is on track to be the worst year on record for data breaches, even though enterprises will spend more on cybersecurity this year than ever before.
According to Risk Based Security, there was a total of 3,813 publicly disclosed breaches in the first six months of 2019. Together, the breaches exposed 4.1 billion records.
The numbers were 54% and 52% higher, respectively, compared with the same period last year.
Dark Reading’s 2019 Strategic Security survey data shows that malware and phishing were the biggest causes for data breaches at a high percentage of organiza-tions. Asked to identify the types of security breaches that might have occurred at their organizations over the past 12 months, 52% of respondents point to malware-related incidents and 50% to phishing (Figure 1).
The numbers were very similar to the results from our survey last year (54% and 48%, respectively) and suggest that while breach activity has increased, little has changed with the threat landscape itself.
Figure 1
November 2019 7
Table of Contents
How Data Breaches Affect the Enterprise
Security Breaches Over Past YearWhich types of security breaches have occurred in your organization in the past year?
Note: Maximum of three responses allowed Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
50
Malware
Phishing
Targeted attack aimed specifically at my organization
Ransomware
Data theft
Theft of computers or storage devices
Database/content/data management system compromise
Denial of service
Compromise of internally developed applications
Attackers gained access through partner systems
Network compromise
Operating system compromise
Compromise of off-the-shelf applications
Website vandalized or site content manipulated
Mobile device or application compromise
Hardware compromise
Physical break-in
Compromise by state-sponsored attacker
52%
50%
19%
14%
12%
12%
11%
11%
10%
9%
9%
9%
8%
7%
6%
5%
5%
2%
54%
48%
16%
16%
11%
14%
2%
15%
6%
5%
7%
5%
7%
10%
7%
2%
4%
2%
2019 2018
Dark Reading Reports
November 2019 8
Table of Contents
How Data Breaches Affect the Enterprise
Indeed, many of the other responses to our question on the types of security breaches organizations experienced over the past 12 months are very similar to results last year as well. Sixteen percent in our 2018 survey said they had experienced a security breach resulting from a targeted attack, compared with 19% this year.
Breach activity increased in 2019 even as enterprises continued to invest heavily in IT security. Analyst firm IDC has projected that IT security spending will top $103 billion in 2019 and exceed $133 billion in 2022. Gartner’s estimates are even higher, at $124 billion in 2019 alone — an 8.7% increase from the $114 billion that organizations spent on information security in 2018. Spending on information security in 2018 in turn was more than 12% higher than the previous year.
Both Gartner and IDC have described enterprises as spending the most money on managed security services, both currently and over the next few years. Other major areas of investment include identity and access management, infrastructure protection products, and network security controls such as unified
threat management products, firewalls, and intrusion prevention tools.
If enterprises are spending more on information security and the threat land-scape itself is largely unchanged, why is there still no letup in data breaches?
Our survey data suggests that growing threat sophistication and increased attack volumes are two major reasons. Sixty-seven percent and 47%, respectively, of our survey respondents identify those two factors as making their organizations more suscepti-ble to security breaches (Figure 2).
More than half (53%) say their organi-zations have become more vulnerable to data breaches because threat actors have so many more ways to attack them these days compared with a few years ago. That sentiment likely reflects concerns over a broadening attack surface caused by digital transformation initiatives, cloud migration, and enterprise mobility efforts.
Growing data volumes (33%) and a short-age of skilled staff (33%) are two other reasons for increased vulnerability to data breaches, as is the growing adoption of cloud services (27%) and buggy software (27%).
Larry Ponemon, chairman and founder of the Ponemon Institute, says another reason companies report more breaches these days could simply be because they have gotten better at detecting them and because regula-tions require them to report incidents. Digital transformation initiatives, too, have signifi-cantly increased the amount of data that organizations need to protect these days and made them more vulnerable to accidental and malicious breaches, Ponemon says.
Unsurprisingly, even though 65% of survey respondents say their organizations have an effective, well-considered strategy for defending critical data, more than four in 10 (44%) expect they will have to respond to a major data breach in the coming year (Figure 3). That number is a full one-third higher than the proportion of respondents that felt the same way in our survey last year.
Our survey revealed a high level of concern over end users and end-user- related threats. Sixty-two percent of respondents say that if their organization experiences a major data breach in the next 12 months, it will likely be caused by an end user who is negligent or violates security
Dark Reading Reports
FAST FACT
67%point to a higher level of vulnerability due to increased sophistication of threats.
November 2019 9
Table of Contents
How Data Breaches Affect the Enterprise
policy (Figure 4). Twenty-nine percent say if a breach happens, it would be the result of a social engineering attack that cannot be anticipated or prevented by current technology.
The concern that survey respondents express over end users reflects a lot of what’s going on in the real world. Verizon’s “2019 Data Breach Investigations Report” shows that 32% of the breaches and 78% of cyber espionage incidents that the company investigated last year involved phishing. In many of the incidents, attackers used phish-ing to drop malware on a target network or to steal credentials that they later used to access the victim’s network.
Security experts say the trend has high-lighted the need for organizations to take a more people-focused approach to security.
Attackers are using guerilla tactics to target consumers not just digitally but socially as well, says Richard Bird, chief customer information officer at Ping Identity. “We built information security over the last 20 years to protect assets and data,” he says. Now, hackers are getting to those things not
Dark Reading Reports
Reasons for Increased VulnerabilityWhy is your organization more vulnerable to these attacks than a year ago?
Note: Maximum of three responses allowed Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
50
Increased sophistication of threats
More ways to attack corporate networks
Increased volume of attacks
Inadequate information security strategy
Increasing amount of customer data to secure
Shortage of skilled security staffers
Budget constraints
Internally developed software not written with security in mind
Lack of patching
Rapid growth of ransomware
Use or increased use of public cloud
Inability to audit/assess outsourcing and/or cloud vendors
Incompatible or noninteroperable security products
Use or increased use of mobile devices
Use or increased use of outsourcing
Challenges posed by the Internet of Things (IoT)
Continued vulnerability of key technology products
Failure to enforce security policies
Lack of senior management attention or interest
67%
53%
47%
33%
33%
33%
27%
27%
27%
27%
27%
20%
20%
20%
20%
13%
13%
13%
13%
60%
50%
38%
30%
28%
33%
25%
33%
35%
40%
25%
18%
18%
38%
18%
25%
15%
23%
30%
2019 2018
Figure 2
Table of Contents
How Data Breaches Affect the Enterprise
by attacking the defenses that organizations have built but by attacking people instead. “That trend won’t stop until we change the very structure of cybersecurity and begin to protect people ahead of protecting ‘things,’” Bird says.
Dark Reading’s survey suggests that orga-nizations — for the moment, at least — are less concerned about cloud-related breach risks than they are about end users, phish-ing, and an array of other threats. Only 27%, for instance, say their vulnerability to data
breaches has increased because of cloud adoption. An even smaller 15% expect they will have to respond to a major data breach over the next 12 months because of their cloud services provider.
But that could change soon. Many analysts believe that as enterprises migrate more critical business applications and workloads to the cloud, attackers will follow them there. They expect that over the next few years, data breaches resulting from enter-prise security missteps in the cloud and from attacks on cloud service providers will increase sharply.
Our survey shows that organizations are not entirely unaware of the threat. Forty-two percent of those using cloud services believe their providers have some security capabilities but also some undisclosed vulnerabilities, and 24% are unsure about the quality of the security available from their cloud provider (Figure 5). One in five wants to be able to audit its cloud services company but is unable to do so because the cloud provider is not cooperative (Figure 6).
Only 2% of organizations in Dark Reading’s
Dark Reading Reports November 2019 10
Preparedness of OrganizationDo you agree with these statements?
My organization has an effective, well-considered strategyand architecture for defending its most critical data.
I believe that, if implemented effectively, the security technologiesand practices my organization has in place today will prevent databreaches in the coming year.
My organization has an effective method for measuring the currentstate of its security posture.
I believe my organization has an effective process for measuringthe cybersecurity risk that my organization will face in the coming year. I believe my organization is well-prepared to respond to a majordata breach in the coming year.
My organization has an effective method for measuring theeffectiveness/performance of its security department.
I believe my organization will have to respond to a major data breachor compromise in the coming year.
65%
63%
63%
52%
49%
47%
44%
17%
26%
15%
22%
28%
29%
34%
14%
7%
17%
22%
18%
19%
17%
4%
4%
5%
4%
5%
5%
5%
Base: 150 respondents in 2019 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
Agree orstrongly
agree
Disagree orstronglydiaagree
Neutral Don’tknow
Figure 3
November 2019 11
Table of Contents
How Data Breaches Affect the Enterprise
survey experienced a data breach caused by a nation-state-backed actor over the last 12 months. Fewer than one in 10 (9%) expects a nation-state actor will be the cause of a major data breach if one happens over the next year. But as with cloud-related data breaches, the threat posed by state-backed actors and advanced persistent threat (APT) groups is quickly evolving.
Broadening Cost and Other Consequences of a Data BreachOrganizations in our survey that experi-enced a security breach suffered through a wide range of consequences. Twenty-three percent of survey respondents describe applications or network services becoming unavailable following a security breach, 18% say employee credentials or personal data was compromised, 16% report identity theft, 14% had to deal with fraudulent activity, and 12% lost customer records (Figure 7). Other consequences include trouble with regula-tory agencies, customer alienation, brand damage, and legal liability.
Ten percent — or roughly the same
Dark Reading Reports
End users who are negligent or break security policy
Social engineering attacks that cannot be anticipated/prevented by current technology
A targeted attack aimed directly at my organization
Highly sophisticated, automated malware
A shortage of people and/or skills required to protect my organization’s data
A lack of budget
A breach of cloud, network, or web services providers that my security team cannot control
Failure of current security technology to prevent increasingly sophisticated attacks
Compromise of a third-party supplier, customer, or contractor
An attack by nation-state-sponsored hackers
A lack of support from upper management
The inability of current security technology to keep up with the latest advances in IT
The ineffectiveness of end user security awareness programs
A lack of communication between security, general IT, applications development, and/or service provider teams
The inability of my security systems/tools to effectively work together
Top Causes of Major BreachIf your organization experiences a major breach within the coming year, what will most likelybe the cause?
Note: Maximum of three responses allowed Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
60
62%
29%
27%
22%
20%
18%
15%
13%
12%
9%
9%
9%
7%
5%
5%
61%
24%
26%
28%
18%
10%
18%
20%
11%
9%
8%
7%
8%
7%
10%
2019 2018
Figure 4
Table of Contents
proportion of organizations as in our survey last year — got infected with ransomware as the result of a security breach (Figure 8). Of them, 15% paid the demanded ransom to get their encrypted data back (Figure 9). Though that proportion might seem small, it represented a nearly fourfold increase over the 4% who admitted paying a ransom in last year’s survey. The data suggests that many companies are willing to pay a ransom — even though experts caution against the practice — if it can help them avoid costly operational disruptions and downtime.
Troublingly, 16% of the respondents in Dark Reading’s 2019 Strategic Security Survey — compared with 10% a year ago — report loss of intellectual property (IP) and other confidential business data. That data point reflects the still relatively low but steady threat activity involving cyber espionage.
In a report last year, the Office of the National Counterintelligence Executive described economic espionage in cyber-space as a threat to US prosperity, security, and competitive advantage. The report identified threat actors based in China, Iran,
Dark Reading Reports
Figure 5
Assessing Cloud Service Providers’ CapabilitiesHow would you assess the security capabilities of the cloud service providers you work with?
My providers have some security capabilities, but I thinkthere might be vulnerabilities that I don’t know about
My providers have strong security capabilities and I amconfident that my data is secure
I am using the security services that my providers offer,but I’m honestly not sure how good or bad they are at security
I am not confident at all in my providers’ security capabilities,and I am very concerned about any data my organization puts into the cloud
Base: 150 respondents in 2019 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
5%
29%
24% 42%
2019
Figure 6
Risk Assessment of Cloud ProvidersDoes your organization perform its own risk assessments of cloud service providers?
Yes; we conduct ourown audits
We want to conduct ourown audits, but providersare generallyuncooperative
No; we use providers'self-audit reports
No
Other
We do not usecloud services
Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
5%
20%20%
8%
14%
33%
2019
12%20%
21%
6%6%
35%
2018
November 2019 13
Table of Contents
How Data Breaches Affect the Enterprise
and Russia as being especially active in this regard but warned of countries with closer ties to the US also conducting cyber espio-nage to obtain US secrets.
Over the next few years, new technologies such as artificial intelligence and the Internet of Things will introduce new vulnerabilities that threat actors will seek to exploit and for which US organizations are unprepared. “Building an effective response will require understanding economic espionage as a worldwide, multivector threat to the integrity of the US economy and global trade,” the National Counterintelligence and Security Center report noted.
The short-term and long-term costs associated with a data breach are another major factor, of course. Eight percent of organizations in Dark Reading’s survey report significant financial losses related to a data breach. That is double the percentage of organizations that indicated the same thing last year. Twenty-three percent in our survey this year say they experienced at least minor financial losses, compared with 15% in 2018.
In recent years, breach costs have kept
Dark Reading Reports
Figure 7
Minor financial losses
Network or business applications unavailable
Employees’ online credentials or personal data compromised
Identity theft
Intellectual property theft or information confidentiality compromised
Fraud
Customer records compromised
Violated government regulations regarding data security
Alienated customers
Negative publicity or brand damage
Legal liability
Significant financial losses
Internal records lost or damaged
Cyber insurance claim filed
System destruction or physical damage to computer systems
Attack FalloutWhat were the effects of the attack(s)?
Note: Multiple responses allowed Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
50
23%
23%
18%
16%
16%
14%
12%
12%
11%
11%
8%
8%
6%
6%
5%
15%
24%
9%
10%
10%
13%
5%
5%
6%
7%
5%
4%
4%
3%
5%
2019 2018
Table of Contents
increasing steadily especially for organizations in the US. The Ponemon Institute, in a report for IBM earlier this year, pegged the average cost of a data breach for US companies in 2019 at $8.19 million; the global average is $3.92 million. Contrary to popular perception, costs are not rising simply because breaches are becoming bigger. In fact, the Ponemon Institute found the global average of compromised records per breach to be just over 25,000.
The costs that breached organizations typically incur include those associated with breach detection, containment, remediation, notification, and lost business, says Ponemon.
Also contributing in a major way are legal expenses and costs associated with engaging outside experts, communicating with regulators, ensuring regulatory obligations are met, help desk activities, customer support, and myriad other issues, he says. Breaches can also trigger other costs, such as those stemming from decisions to outsource security functions or business processes to reduce risk, he notes.
Dark Reading Reports
Figure 9
Paying RansomDid your organization pay the ransom?
Yes, we paid the ransom
No, we did notpay the ransom
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
85%
15%
96%
4%
2019 2018
Figure 8
Ransomware AttacksIn the past 12 months, has your organization fallen victim to a ransomware attack in which someoneencrypted or threatened to damage your data unless a ransom was paid?
Yes
No
Don’t know
Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
9%
81%
10% 10%
78%
12%
2019 2018
Some of the biggest financial conse-quences, though, are tied to factors such as lost business, brand damage, and customer loss. Sometimes, organizations can feel the financial impact from these issues lingering long after the breach event, according to Ponemon.
Breach costs can vary significantly based on type of data, industry vertical, and even geography, Ponemon says. Breaches involving loss of IP and trade secrets often end up costing a lot more than other breaches. Healthcare organizations and financial services companies, for example, typically end up experiencing the biggest costs. Ponemon Institute’s study also found that breach costs per employee tended to be higher for smaller organizations. The average per employee cost for a data breach for an organization with more than 25,000 employees was $204 compared with $3,533 per employee for entities with between 500 and 1,000 employees.
Dark Reading’s 2019 survey data reflects some of these issues. Twelve percent say a data breach had put them afoul of
Table of Contents
How Data Breaches Affect the Enterprise
Figure 10
End user security awareness training
Multifactor authentication
Strong passwords
Virus and worm detection and analysis
Incident response team
Risk analysis and risk assessment
Internal security information and event analysis
Malware analysis
Monitoring employee behavior
DevOps
Threat intelligence analysis
Internal penetration testing
Cloud security management tools/services
Forensics or advanced threat detection
Secure development processes or source-code auditing
Offensive security program
Attacker attribution
Security Practices and DisciplinesWhich of these practices or disciplines are currently in use in your organization?
Note: Multiple responses allowed Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
72%
59%
57%
44%
41%
40%
39%
39%
32%
29%
29%
27%
18%
15%
14%
8%
5%
67%
52%
69%
53%
53%
41%
35%
48%
35%
32%
31%
34%
25%
18%
19%
14%
9%
2019 2018
Dark Reading Reports
November 2019 16
Table of Contents
How Data Breaches Affect the Enterprise
regulatory requirements, 11% admit to alienating customers, and 11% report negative publicity and brand damage. The proportion of responses in each of these three instances was substantially higher compared with our survey last year. Just 5% in our 2018 survey, for example, reported regulatory compliance issues, 6% of alienating customers, and 7% of negative publicity/brand damage.
The data suggests hardening attitudes against organizations that mishandle data. Breaches in recent years have affected large swaths of the US population, and many victims are no longer as forgiving as they might have been previously.
“For the first time, customers and citizens are actually demanding that the companies they choose to interact with or stay with must be trusted not just with their data but with their security,” says Bird from Ping Identity.
The company earlier this year surveyed 4,000 consumers in the US, UK, and several other countries on their attitudes toward data breaches and data misuse by organiza-tions. Eighty-one percent of the respondents
said they would stop engaging with a company online following a data breach. Twenty-five percent said they would stop interacting with the brand in any capacity following a breach. Sixty-three percent in Ping’s survey said a company is always responsible for protecting user data even when users themselves might fall victim to a phishing scam or use weak endpoints and unencrypted Wi-Fi connections.
People felt personally affected by news stories that declared that large amounts of their deeply personal data had been stolen, Bird says. Consumers are finally “[connect-ing] the dots of their personal risk to the obligations of those companies and orga-nizations they trusted with their business,” Bird says.
The Enterprise Response to Increased Breach ActivityHow are enterprises responding to all the increased breach activity?
As might be expected, many organizations have deployed a wide array of tools and best practices for protecting against, detecting, and responding to breaches. The
most widely used are those designed to protect organizations against end-user-borne threats. Seventy-two percent, for instance, have implemented end-user awareness training programs, 59% have multifactor authentication, and 57% insist on strong passwords (Figure 10). More than 40% of organizations in each instance also have virus and malware detection controls as well as incident response teams and do risk assess-ment and risk management processes. Other relatively widely deployed measures include employee monitoring (another user-focused measure), threat intelligence analysis, and penetration testing.
A growing number of organizations have begun using managed service providers, including managed detection and response vendors, to help mitigate data breach risks. As mentioned earlier, analyst firms such as Gartner and IDC expect organizations to spend more on managed security service providers over the next few years than on any other security category.
One primary reason is staff and resource augmentation. Dark Reading’s 2019 Strategic Security Survey shows that while some
Dark Reading Reports
FAST FACT
62%say negligent end users are the cause of most major security breaches.
November 2019 17
Table of Contents
How Data Breaches Affect the Enterprise
organizations appear adequately staffed, many others might not have the resources available internally to combat rising breach activity.
Seventeen percent of organizations surveyed do not have anyone dedicated solely to the security function (Figure 11). In these organizations, a member of the broader IT staff also is responsible for security. Another 38% have between one and three dedicated security staff. At the other end of the spectrum 2% of organizations employ more than 500 security staff, and 5% have between 101 and 500 infosec staff.
Significantly, and somewhat disturbingly, the number of organizations with a formal security operation center (SOC) in our latest survey was substantially lower than in our two previous surveys. In 2017, 60% of survey respondents described their organization as having a SOC or formal team for actively managing security breaches. Last year, only 53% said the same thing, and in 2019 just 41% report their organization as having a formal security operation center or incident response team (Figure 12).
Some of that might be because organiza-tions are shifting SOC operations to managed security service providers. According to the IDC report mentioned earlier, firms will spend more than $21 billion in 2019 to have managed security service providers provide around-the-clock monitoring and SOC management services.
Data breaches also appear to be driving
interest in cyber insurance policies as a risk transference mechanism. Fifty-five percent of organizations currently have a cyber insurance policy — a steady increase from 44% in 2017 and 49% last year. Of that 55%, some 34% have a standalone cybersecurity policy, while the remaining companies are covered as part of a broader business insur-ance policy (Figure 13).
Dark Reading Reports
Dedicated Cybersecurity StaffHow many individuals in your organization are dedicated solely to the role of cybersecurity?
None
1
2 to 3
4 to 6
7 to 10
11 to 15
16 to 25
26 to 100
101 to 500
More than 500
Don’t know Base: 300 respondents in 2018; not asked in 2017 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
6%
2% 3%
12%
26%
8%
13%
5%
3%17%
5%
11%
18%11%
9%
7%
7%
2%
5%
2019 2018
6%18%
6%
Figure 11
November 2019 18
Table of Contents
How Data Breaches Affect the Enterprise
Our data shows more organizations than before are also using these policies success-fully to recover breach-related costs as well. Eleven percent — about double last year’s 6% — say they had filed a claim and collected from their insurance company without trouble, and 7% say they collected after some dispute, compared with 4% the prior year (Figure 14).
John Pironti, president of IP Architects LLC,
says cyber insurance is increasingly becoming part of risk management strategies at many organizations. A growing number are using it as a way to reduce the financial impact of a data breach and as a demonstration of their commitment to security, he says. For smaller organizations, insurance firms can provide quick access to security, legal, com–munications, and other professionals in the immediate aftermath of a data breach, he says.
The danger lies in organizations using cyber insurance as a proxy for good security practices. Companies sometimes make the mistake of assuming they can reduce focus and effort on cybersecurity once they are covered under an insurance policy.
The reality is that to qualify for good premiums and coverage, organizations often have to maintain and sometime increase focus and investments in cybersecurity, Pironti says. Importantly, organizations also need to understand all the limitations and caveats that come with these policies before signing up for one, he notes.
“Cyber insurance is a tool in a toolbox,” he says. “It is not a key security control.” It is a good idea as a financial management mechanism to mitigate data breach cost impact. “But it is not going to help you avoid the things” that lead to a breach in the first place, Pironti says.
ConclusionIncreased investments in cybersecurity have not resulted in any perceptible drop in data breach activity. Growing threat sophistication and attack volumes, in fact, are only driving a
Dark Reading Reports
Figure 12
Formal Security Incident Management TeamDoes your organization have a formal security operations center or team that actively managessecurity incidents and events as they are generated?
Yes
No, but we arebuilding onewithin the next year
No
Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
42%
17%
41%
36%
11%
2019 2018
53%
November 2019 19
Table of Contents
How Data Breaches Affect the Enterprise
troubling increase in security incidents and have put 2019 on track to be the worst year ever for data breaches. Organizations have deployed a wide array of security technol-ogies and processes for protecting against
data breaches. But attackers are increasingly finding their way around these defenses by targeting users instead. The trend has height-ened the need for a more people-focused approach to cybersecurity.
Dark Reading Reports
Figure 13
Cyberbreach or Cyber-Risk InsuranceDoes your organization have a cyberbreach or cyber-risk insurance policy?
Yes, we are coveredfor cybersecuritybreaches under abroader businessinsurance policy
Yes, we have aninsurance policyspecifically forcybersecurity breaches
No
Don’t know
Base: 150 respondents in 2019; 300 respondents in 2018 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
34%
21%
24%
21%
23% 20%
28%
2019 2018
29%
APPE
NDIX
November 2019 20
Table of Contents
How Data Breaches Affect the Enterprise
Like This Report?
Share it!LikeLike
ShareShare
TweetTweet
Dark Reading Reports
Figure 14
File Insurance ClaimHas your organization ever filed a claim under its breach insurance policy?
Yes, and the claimor claims were paidwithout dispute
Yes, but theinsurance companydisputed our claim
No
Don’t know
Base: Respondents who have risk insurance Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
7%30%
52%
11%
53%
4%
37%
2019 2018
6%
November 2019 21
Table of Contents
How Data Breaches Affect the Enterprise
Figure 15
Respondent Job TitleWhich of the following best describes your job title?
Information security department staff
Information security department manager
Network/system administrator
IT executive (CIO, CTO)
Chief security officer
IT director/head
Information security director/head
President/CEO/managing director
Internal auditor
Non-IT/security director/VP
CFO/financial director
OtherBase: 150 respondents in 2019 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
16%
14%13%8%
8%
5%
2%1%
20%10%
Dark Reading Reports
November 2019 22
Table of Contents
How Data Breaches Affect the Enterprise
Figure 16
Banking/financial services/VC/accounting
Healthcare/pharmaceutical/biotech/biomedical
Education
Government
Computer or technology manufacturer/tech vendor
Transportation/logistics
Manufacturing & process (non-computer)
Consulting/business services
Communications carrier/service provider
Nonprofit/trade association
Aerospace
Legal
Agriculture/mining/oil/gas
Media/marketing/advertising
Travel/hospitality/recreation/entertainment
Other
Respondent IndustryHow did your organization determine the amount of insurance needed?
Base: 150 respondents in 2019Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
12%
12%
12%
11%
9%
8%
7%
5%
4%
4%
3%
3%
2%
2%
2%
4%
Dark Reading Reports
November 2019 23
Table of Contents
How Data Breaches Affect the Enterprise
Figure 17 Figure 18
Respondent Company SizeApproximately how many employees arein your organization?
100 to 499
500 to 999
1,000 to 4,999
5,000 or more
Base: 150 respondents in 2019 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
19%20%
30% 31%
Respondent Company RevenueWhat is the annual revenue of your entire organization?
Less than $6 million
$6 million to $49.9 million
$50 million to $99.9 million
$100 million to $499.9 million
$500 million to $999.9 million
$1 billion to $4.9 billion
$5 billion or more
Government/nonprofit
Don’t know/decline to answer
Base: 150 respondents in 2019 Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019
10%
10%
9%14%
6%
11%
7%
23%10%
Dark Reading Reports