
Organizations use a wide range of tools and best practices for protecting against cyberattacks. But malicious efforts targeting end users are driving the need for a more people-focused approach to cybersecurity.

November 2019

How Data Breaches Affect the Enterprise


Table of Contents

About the Author
Executive Summary
Research Synopsis
Increased Spending Does Little to Slow Data Breaches
Broadening Cost and Other Consequences of a Data Breach
The Enterprise Response to Increased Breach Activity
Conclusion
Appendix

Figures

Figure 1: Security Breaches Over Past Year

Figure 2: Reasons for Increased Vulnerability

Figure 3: Preparedness of Organization

Figure 4: Top Causes of Major Breach

Figure 5: Assessing Cloud Service Providers’ Capabilities

Figure 6: Risk Assessment of Cloud Providers

Figure 7: Attack Fallout

Figure 8: Ransomware Attacks

Figure 9: Paying Ransom

Figure 10: Security Practices and Disciplines

Figure 11: Dedicated Cybersecurity Staff

Figure 12: Formal Security Incident Management Team

Figure 13: Cyberbreach or Cyber-Risk Insurance

Figure 14: File Insurance Claim

Figure 15: Respondent Job Title

Figure 16: Respondent Industry

Figure 17: Respondent Company Size

Figure 18: Respondent Company Revenue


Dark Reading Reports


About the Author

Jai Vijayan, Dark Reading Reports

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He specializes in writing on information security and data privacy topics. He was most recently a Senior Editor at Computerworld. He is a regular contributor to Dark Reading, CSO Online, TechTarget, and several other publications.


Executive Summary

Despite increased enterprise investments in cybersecurity, 2019 is on track to be the worst year ever for data breaches. A growing number of organizations are experiencing significant financial losses, brand damage, and customer alienation issues as a result of the increased breach activity.

Dark Reading surveyed 150 IT and security professionals about their preparedness to deal with data breaches and a wide range of other issues. Their responses show that end-user vulnerabilities, attack volumes, and growing threat sophistication are leading to more breaches than ever. Organizations have deployed a wide range of tools and best practices for protecting networks and systems against attack. But a relentless adversary focus on end users is driving the need for a more people-focused approach to cybersecurity.

Organizations in our survey that experienced a security breach suffered through a wide range of consequences, including network and business disruption, credential theft, customer data compromise, fraud, and identity theft. A larger proportion of respondents compared with our last two surveys reported intellectual property theft and the loss of confidential business data.

Our survey shows increased breach activity is driving a focus on cyber insurance as a way to reduce the financial impact of data breaches.

Here are some key takeaways from the report:

• 52% of organizations had a malware-related security breach; 50% experienced a phishing-related data breach.

• 44% of survey respondents expect a major data breach will happen at their organization in the next 12 months.

• 23% of organizations experienced network or application availability issues following a data breach.

• 16% of respondents say their companies lost intellectual property or confidential data as the result of a data breach.


• 11% of breached organizations experienced brand damage because of a data breach.

• 10% of enterprises got hit with ransomware in the previous 12 months; 15% of those that got hit paid a ransom to get their data back.

• 49% of respondents feel their organizations are well-prepared to deal with a data breach.

• 17% of respondents say their organizations do not have a single individual dedicated exclusively to the cybersecurity function.

• 42% of organizations plan to implement a formal security operations center capability over the next 12 months.

• 18% of organizations filed a cyber insurance claim after a security incident.


About Us

Dark Reading Reports offer original data and insights on the latest trends and practices in IT security. Compiled and written by experts, Dark Reading Reports illustrate the plans and directions of the cybersecurity community and provide advice on the steps enterprises can take to protect their most critical data.

Research Synopsis

Survey Name: Dark Reading 2019 Strategic Security Survey

Survey Date: September 2019

Primary Region: North America

Number of Respondents: 150 technology and cybersecurity professionals at organizations with 100 or more employees and revenues ranging from under $6 million to over $5 billion. The margin of error for the total respondent base (N=150) is +/-7.9 percentage points.

Purpose: Dark Reading surveyed technology and cybersecurity professionals to discover the causes for, impact of, and enterprise response to data breaches.

Methodology: The survey queried decision-makers with IT or IT security job titles at North American organizations. Questions centered around organizations’ cybersecurity challenges, plans, and directions as well as respondents’ experiences and concerns about data breaches. The survey was conducted online. Respondents were recruited via an emailed invitation containing an embedded link to the survey. The email was sent to a select group of Informa’s qualified database; Informa is the parent company of Dark Reading. Informa Tech research was responsible for all programming and data analysis. These procedures were carried out in strict accordance with standard market research practices.


Increased Spending Does Little to Slow Data Breaches

2019 is on track to be the worst year on record for data breaches, even though enterprises will spend more on cybersecurity this year than ever before.

According to Risk Based Security, there was a total of 3,813 publicly disclosed breaches in the first six months of 2019. Together, the breaches exposed 4.1 billion records.

The numbers were 54% and 52% higher, respectively, compared with the same period last year.

Dark Reading’s 2019 Strategic Security survey data shows that malware and phishing were the biggest causes for data breaches at a high percentage of organizations. Asked to identify the types of security breaches that might have occurred at their organizations over the past 12 months, 52% of respondents point to malware-related incidents and 50% to phishing (Figure 1).

The numbers were very similar to the results from our survey last year (54% and 48%, respectively) and suggest that while breach activity has increased, little has changed with the threat landscape itself.

Figure 1: Security Breaches Over Past Year

Which types of security breaches have occurred in your organization in the past year?

• Malware: 52% in 2019; 54% in 2018
• Phishing: 50% in 2019; 48% in 2018
• Targeted attack aimed specifically at my organization: 19% in 2019; 16% in 2018
• Ransomware: 14% in 2019; 16% in 2018
• Data theft: 12% in 2019; 11% in 2018
• Theft of computers or storage devices: 12% in 2019; 14% in 2018
• Database/content/data management system compromise: 11% in 2019; 2% in 2018
• Denial of service: 11% in 2019; 15% in 2018
• Compromise of internally developed applications: 10% in 2019; 6% in 2018
• Attackers gained access through partner systems: 9% in 2019; 5% in 2018
• Network compromise: 9% in 2019; 7% in 2018
• Operating system compromise: 9% in 2019; 5% in 2018
• Compromise of off-the-shelf applications: 8% in 2019; 7% in 2018
• Website vandalized or site content manipulated: 7% in 2019; 10% in 2018
• Mobile device or application compromise: 6% in 2019; 7% in 2018
• Hardware compromise: 5% in 2019; 2% in 2018
• Physical break-in: 5% in 2019; 4% in 2018
• Compromise by state-sponsored attacker: 2% in 2019; 2% in 2018

Note: Maximum of three responses allowed
Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Indeed, many of the other responses to our question on the types of security breaches organizations experienced over the past 12 months are very similar to results last year as well. Sixteen percent in our 2018 survey said they had experienced a security breach resulting from a targeted attack, compared with 19% this year.

Breach activity increased in 2019 even as enterprises continued to invest heavily in IT security. Analyst firm IDC has projected that IT security spending will top $103 billion in 2019 and exceed $133 billion in 2022. Gartner’s estimates are even higher, at $124 billion in 2019 alone — an 8.7% increase from the $114 billion that organizations spent on information security in 2018. Spending on information security in 2018 in turn was more than 12% higher than the previous year.

Both Gartner and IDC have described enterprises as spending the most money on managed security services, both currently and over the next few years. Other major areas of investment include identity and access management, infrastructure protection products, and network security controls such as unified threat management products, firewalls, and intrusion prevention tools.

If enterprises are spending more on information security and the threat landscape itself is largely unchanged, why is there still no letup in data breaches?

Our survey data suggests that growing threat sophistication and increased attack volumes are two major reasons. Sixty-seven percent and 47%, respectively, of our survey respondents identify those two factors as making their organizations more susceptible to security breaches (Figure 2).

More than half (53%) say their organizations have become more vulnerable to data breaches because threat actors have so many more ways to attack them these days compared with a few years ago. That sentiment likely reflects concerns over a broadening attack surface caused by digital transformation initiatives, cloud migration, and enterprise mobility efforts.

Growing data volumes (33%) and a shortage of skilled staff (33%) are two other reasons for increased vulnerability to data breaches, as are the growing adoption of cloud services (27%) and buggy software (27%).

Larry Ponemon, chairman and founder of the Ponemon Institute, says another reason companies report more breaches these days could simply be because they have gotten better at detecting them and because regulations require them to report incidents. Digital transformation initiatives, too, have significantly increased the amount of data that organizations need to protect these days and made them more vulnerable to accidental and malicious breaches, Ponemon says.

Unsurprisingly, even though 65% of survey respondents say their organizations have an effective, well-considered strategy for defending critical data, more than four in 10 (44%) expect they will have to respond to a major data breach in the coming year (Figure 3). That number is a full one-third higher than the proportion of respondents that felt the same way in our survey last year.

Our survey revealed a high level of concern over end users and end-user-related threats. Sixty-two percent of respondents say that if their organization experiences a major data breach in the next 12 months, it will likely be caused by an end user who is negligent or violates security policy (Figure 4). Twenty-nine percent say if a breach happens, it would be the result of a social engineering attack that cannot be anticipated or prevented by current technology.

Fast Fact: 67% point to a higher level of vulnerability due to increased sophistication of threats.

The concern that survey respondents express over end users reflects a lot of what’s going on in the real world. Verizon’s “2019 Data Breach Investigations Report” shows that 32% of the breaches and 78% of cyber espionage incidents that the company investigated last year involved phishing. In many of the incidents, attackers used phishing to drop malware on a target network or to steal credentials that they later used to access the victim’s network.

Security experts say the trend has highlighted the need for organizations to take a more people-focused approach to security.

Attackers are using guerilla tactics to target consumers not just digitally but socially as well, says Richard Bird, chief customer information officer at Ping Identity. “We built information security over the last 20 years to protect assets and data,” he says. Now, hackers are getting to those things not by attacking the defenses that organizations have built but by attacking people instead. “That trend won’t stop until we change the very structure of cybersecurity and begin to protect people ahead of protecting ‘things,’” Bird says.

Figure 2: Reasons for Increased Vulnerability

Why is your organization more vulnerable to these attacks than a year ago?

• Increased sophistication of threats: 67% in 2019; 60% in 2018
• More ways to attack corporate networks: 53% in 2019; 50% in 2018
• Increased volume of attacks: 47% in 2019; 38% in 2018
• Inadequate information security strategy: 33% in 2019; 30% in 2018
• Increasing amount of customer data to secure: 33% in 2019; 28% in 2018
• Shortage of skilled security staffers: 33% in 2019; 33% in 2018
• Budget constraints: 27% in 2019; 25% in 2018
• Internally developed software not written with security in mind: 27% in 2019; 33% in 2018
• Lack of patching: 27% in 2019; 35% in 2018
• Rapid growth of ransomware: 27% in 2019; 40% in 2018
• Use or increased use of public cloud: 27% in 2019; 25% in 2018
• Inability to audit/assess outsourcing and/or cloud vendors: 20% in 2019; 18% in 2018
• Incompatible or noninteroperable security products: 20% in 2019; 18% in 2018
• Use or increased use of mobile devices: 20% in 2019; 38% in 2018
• Use or increased use of outsourcing: 20% in 2019; 18% in 2018
• Challenges posed by the Internet of Things (IoT): 13% in 2019; 25% in 2018
• Continued vulnerability of key technology products: 13% in 2019; 15% in 2018
• Failure to enforce security policies: 13% in 2019; 23% in 2018
• Lack of senior management attention or interest: 13% in 2019; 30% in 2018

Note: Maximum of three responses allowed
Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Dark Reading’s survey suggests that organizations — for the moment, at least — are less concerned about cloud-related breach risks than they are about end users, phishing, and an array of other threats. Only 27%, for instance, say their vulnerability to data breaches has increased because of cloud adoption. An even smaller 15% expect they will have to respond to a major data breach over the next 12 months because of their cloud services provider.

But that could change soon. Many analysts believe that as enterprises migrate more critical business applications and workloads to the cloud, attackers will follow them there. They expect that over the next few years, data breaches resulting from enterprise security missteps in the cloud and from attacks on cloud service providers will increase sharply.

Our survey shows that organizations are not entirely unaware of the threat. Forty-two percent of those using cloud services believe their providers have some security capabilities but also some undisclosed vulnerabilities, and 24% are unsure about the quality of the security available from their cloud provider (Figure 5). One in five wants to be able to audit its cloud services company but is unable to do so because the cloud provider is not cooperative (Figure 6).

Only 2% of organizations in Dark Reading’s survey experienced a data breach caused by a nation-state-backed actor over the last 12 months. Fewer than one in 10 (9%) expects a nation-state actor will be the cause of a major data breach if one happens over the next year. But as with cloud-related data breaches, the threat posed by state-backed actors and advanced persistent threat (APT) groups is quickly evolving.

Figure 3: Preparedness of Organization

Do you agree with these statements?

Respondents answering “Agree or strongly agree” (the other response options were “Disagree or strongly disagree,” “Neutral,” and “Don’t know”):

• My organization has an effective, well-considered strategy and architecture for defending its most critical data: 65%
• I believe that, if implemented effectively, the security technologies and practices my organization has in place today will prevent data breaches in the coming year: 63%
• My organization has an effective method for measuring the current state of its security posture: 63%
• I believe my organization has an effective process for measuring the cybersecurity risk that my organization will face in the coming year: 52%
• I believe my organization is well-prepared to respond to a major data breach in the coming year: 49%
• My organization has an effective method for measuring the effectiveness/performance of its security department: 47%
• I believe my organization will have to respond to a major data breach or compromise in the coming year: 44%

Base: 150 respondents in 2019
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Broadening Cost and Other Consequences of a Data Breach

Organizations in our survey that experienced a security breach suffered through a wide range of consequences. Twenty-three percent of survey respondents describe applications or network services becoming unavailable following a security breach, 18% say employee credentials or personal data was compromised, 16% report identity theft, 14% had to deal with fraudulent activity, and 12% lost customer records (Figure 7). Other consequences include trouble with regulatory agencies, customer alienation, brand damage, and legal liability.

Ten percent — or roughly the same proportion of organizations as in our survey last year — got infected with ransomware as the result of a security breach (Figure 8). Of them, 15% paid the demanded ransom to get their encrypted data back (Figure 9). Though that proportion might seem small, it represented a nearly fourfold increase over the 4% who admitted paying a ransom in last year’s survey. The data suggests that many companies are willing to pay a ransom — even though experts caution against the practice — if it can help them avoid costly operational disruptions and downtime.

Figure 4: Top Causes of Major Breach

If your organization experiences a major breach within the coming year, what will most likely be the cause?

• End users who are negligent or break security policy: 62% in 2019; 61% in 2018
• Social engineering attacks that cannot be anticipated/prevented by current technology: 29% in 2019; 24% in 2018
• A targeted attack aimed directly at my organization: 27% in 2019; 26% in 2018
• Highly sophisticated, automated malware: 22% in 2019; 28% in 2018
• A shortage of people and/or skills required to protect my organization’s data: 20% in 2019; 18% in 2018
• A lack of budget: 18% in 2019; 10% in 2018
• A breach of cloud, network, or web services providers that my security team cannot control: 15% in 2019; 18% in 2018
• Failure of current security technology to prevent increasingly sophisticated attacks: 13% in 2019; 20% in 2018
• Compromise of a third-party supplier, customer, or contractor: 12% in 2019; 11% in 2018
• An attack by nation-state-sponsored hackers: 9% in 2019; 9% in 2018
• A lack of support from upper management: 9% in 2019; 8% in 2018
• The inability of current security technology to keep up with the latest advances in IT: 9% in 2019; 7% in 2018
• The ineffectiveness of end user security awareness programs: 7% in 2019; 8% in 2018
• A lack of communication between security, general IT, applications development, and/or service provider teams: 5% in 2019; 7% in 2018
• The inability of my security systems/tools to effectively work together: 5% in 2019; 10% in 2018

Note: Maximum of three responses allowed
Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Troublingly, 16% of the respondents in Dark Reading’s 2019 Strategic Security Survey — compared with 10% a year ago — report loss of intellectual property (IP) and other confidential business data. That data point reflects the still relatively low but steady threat activity involving cyber espionage.

In a report last year, the Office of the National Counterintelligence Executive described economic espionage in cyberspace as a threat to US prosperity, security, and competitive advantage. The report identified threat actors based in China, Iran, and Russia as being especially active in this regard but warned of countries with closer ties to the US also conducting cyber espionage to obtain US secrets.

Figure 5: Assessing Cloud Service Providers’ Capabilities

How would you assess the security capabilities of the cloud service providers you work with?

Response options:

• My providers have some security capabilities, but I think there might be vulnerabilities that I don’t know about
• My providers have strong security capabilities and I am confident that my data is secure
• I am using the security services that my providers offer, but I’m honestly not sure how good or bad they are at security
• I am not confident at all in my providers’ security capabilities, and I am very concerned about any data my organization puts into the cloud

Base: 150 respondents in 2019
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Figure 6: Risk Assessment of Cloud Providers

Does your organization perform its own risk assessments of cloud service providers?

Response options (2019 and 2018):

• Yes; we conduct our own audits
• We want to conduct our own audits, but providers are generally uncooperative
• No; we use providers' self-audit reports
• No
• Other
• We do not use cloud services

Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Over the next few years, new technologies such as artificial intelligence and the Internet of Things will introduce new vulnerabilities that threat actors will seek to exploit and for which US organizations are unprepared. “Building an effective response will require understanding economic espionage as a worldwide, multivector threat to the integrity of the US economy and global trade,” the National Counterintelligence and Security Center report noted.

The short-term and long-term costs associated with a data breach are another major factor, of course. Eight percent of organizations in Dark Reading’s survey report significant financial losses related to a data breach. That is double the percentage of organizations that indicated the same thing last year. Twenty-three percent in our survey this year say they experienced at least minor financial losses, compared with 15% in 2018.

In recent years, breach costs have kept increasing steadily especially for organizations in the US. The Ponemon Institute, in a report for IBM earlier this year, pegged the average cost of a data breach for US companies in 2019 at $8.19 million; the global average is $3.92 million. Contrary to popular perception, costs are not rising simply because breaches are becoming bigger. In fact, the Ponemon Institute found the global average of compromised records per breach to be just over 25,000.

Figure 7: Attack Fallout

What were the effects of the attack(s)?

• Minor financial losses: 23% in 2019; 15% in 2018
• Network or business applications unavailable: 23% in 2019; 24% in 2018
• Employees’ online credentials or personal data compromised: 18% in 2019; 9% in 2018
• Identity theft: 16% in 2019; 10% in 2018
• Intellectual property theft or information confidentiality compromised: 16% in 2019; 10% in 2018
• Fraud: 14% in 2019; 13% in 2018
• Customer records compromised: 12% in 2019; 5% in 2018
• Violated government regulations regarding data security: 12% in 2019; 5% in 2018
• Alienated customers: 11% in 2019; 6% in 2018
• Negative publicity or brand damage: 11% in 2019; 7% in 2018
• Legal liability: 8% in 2019; 5% in 2018
• Significant financial losses: 8% in 2019; 4% in 2018
• Internal records lost or damaged: 6% in 2019; 4% in 2018
• Cyber insurance claim filed: 6% in 2019; 3% in 2018
• System destruction or physical damage to computer systems: 5% in 2019; 5% in 2018

Note: Multiple responses allowed
Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

The costs that breached organizations typically incur include those associated with breach detection, containment, remediation, notification, and lost business, says Ponemon.

Also contributing in a major way are legal expenses and costs associated with engaging outside experts, communicating with regulators, ensuring regulatory obligations are met, help desk activities, customer support, and myriad other issues, he says. Breaches can also trigger other costs, such as those stemming from decisions to outsource security functions or business processes to reduce risk, he notes.

Figure 8: Ransomware Attacks

In the past 12 months, has your organization fallen victim to a ransomware attack in which someone encrypted or threatened to damage your data unless a ransom was paid?

Response options (2019 and 2018): Yes; No; Don’t know

Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Figure 9: Paying Ransom

Did your organization pay the ransom?

• Yes, we paid the ransom: 15% in 2019; 4% in 2018
• No, we did not pay the ransom: 85% in 2019; 96% in 2018

Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Some of the biggest financial consequences, though, are tied to factors such as lost business, brand damage, and customer loss. Sometimes, organizations can feel the financial impact from these issues lingering long after the breach event, according to Ponemon.

Breach costs can vary significantly based on type of data, industry vertical, and even geography, Ponemon says. Breaches involving loss of IP and trade secrets often end up costing a lot more than other breaches. Healthcare organizations and financial services companies, for example, typically end up experiencing the biggest costs. Ponemon Institute’s study also found that breach costs per employee tended to be higher for smaller organizations. The average per employee cost for a data breach for an organization with more than 25,000 employees was $204 compared with $3,533 per employee for entities with between 500 and 1,000 employees.

Dark Reading’s 2019 survey data reflects some of these issues. Twelve percent say a data breach had put them afoul of regulatory requirements, 11% admit to alienating customers, and 11% report negative publicity and brand damage. The proportion of responses in each of these three instances was substantially higher compared with our survey last year. Just 5% in our 2018 survey, for example, reported regulatory compliance issues, 6% reported alienating customers, and 7% reported negative publicity/brand damage.

Figure 10: Security Practices and Disciplines

Which of these practices or disciplines are currently in use in your organization?

• End user security awareness training: 72% in 2019; 67% in 2018
• Multifactor authentication: 59% in 2019; 52% in 2018
• Strong passwords: 57% in 2019; 69% in 2018
• Virus and worm detection and analysis: 44% in 2019; 53% in 2018
• Incident response team: 41% in 2019; 53% in 2018
• Risk analysis and risk assessment: 40% in 2019; 41% in 2018
• Internal security information and event analysis: 39% in 2019; 35% in 2018
• Malware analysis: 39% in 2019; 48% in 2018
• Monitoring employee behavior: 32% in 2019; 35% in 2018
• DevOps: 29% in 2019; 32% in 2018
• Threat intelligence analysis: 29% in 2019; 31% in 2018
• Internal penetration testing: 27% in 2019; 34% in 2018
• Cloud security management tools/services: 18% in 2019; 25% in 2018
• Forensics or advanced threat detection: 15% in 2019; 18% in 2018
• Secure development processes or source-code auditing: 14% in 2019; 19% in 2018
• Offensive security program: 8% in 2019; 14% in 2018
• Attacker attribution: 5% in 2019; 9% in 2018

Note: Multiple responses allowed
Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

The data suggests hardening attitudes against organizations that mishandle data. Breaches in recent years have affected large swaths of the US population, and many victims are no longer as forgiving as they might have been previously.

“For the first time, customers and citizens are actually demanding that the companies they choose to interact with or stay with must be trusted not just with their data but with their security,” says Bird from Ping Identity.

The company earlier this year surveyed 4,000 consumers in the US, UK, and several other countries on their attitudes toward data breaches and data misuse by organizations. Eighty-one percent of the respondents said they would stop engaging with a company online following a data breach. Twenty-five percent said they would stop interacting with the brand in any capacity following a breach. Sixty-three percent in Ping’s survey said a company is always responsible for protecting user data even when users themselves might fall victim to a phishing scam or use weak endpoints and unencrypted Wi-Fi connections.

People felt personally affected by news stories that declared that large amounts of their deeply personal data had been stolen, Bird says. Consumers are finally “[connecting] the dots of their personal risk to the obligations of those companies and organizations they trusted with their business,” Bird says.

The Enterprise Response to Increased Breach Activity

How are enterprises responding to all the increased breach activity?

As might be expected, many organizations have deployed a wide array of tools and best practices for protecting against, detecting, and responding to breaches. The most widely used are those designed to protect organizations against end-user-borne threats. Seventy-two percent, for instance, have implemented end-user awareness training programs, 59% have multifactor authentication, and 57% insist on strong passwords (Figure 10). More than 40% of organizations in each instance also have virus and malware detection controls as well as incident response teams, and carry out risk assessment and risk management processes. Other relatively widely deployed measures include employee monitoring (another user-focused measure), threat intelligence analysis, and penetration testing.

A growing number of organizations have begun using managed service providers, including managed detection and response vendors, to help mitigate data breach risks. As mentioned earlier, analyst firms such as Gartner and IDC expect organizations to spend more on managed security service providers over the next few years than on any other security category.

One primary reason is staff and resource augmentation. Dark Reading’s 2019 Strategic Security Survey shows that while some organizations appear adequately staffed, many others might not have the resources available internally to combat rising breach activity.

FAST FACT: 62% say negligent end users are the cause of most major security breaches.

Seventeen percent of organizations surveyed do not have anyone dedicated solely to the security function (Figure 11). In these organizations, a member of the broader IT staff is also responsible for security. Another 38% have between one and three dedicated security staff. At the other end of the spectrum, 2% of organizations employ more than 500 security staff, and 5% have between 101 and 500 infosec staff.

Significantly, and somewhat disturbingly, the number of organizations with a formal security operation center (SOC) in our latest survey was substantially lower than in our two previous surveys. In 2017, 60% of survey respondents described their organization as having a SOC or formal team for actively managing security breaches. Last year, only 53% said the same thing, and in 2019 just 41% report their organization as having a formal security operation center or incident response team (Figure 12).

Some of that might be because organizations are shifting SOC operations to managed security service providers. According to the IDC report mentioned earlier, firms will spend more than $21 billion in 2019 to have managed security service providers provide around-the-clock monitoring and SOC management services.

Data breaches also appear to be driving interest in cyber insurance policies as a risk transference mechanism. Fifty-five percent of organizations currently have a cyber insurance policy — a steady increase from 44% in 2017 and 49% last year. Of that 55%, some 34% have a standalone cybersecurity policy, while the remaining companies are covered as part of a broader business insurance policy (Figure 13).

Figure 11: Dedicated Cybersecurity Staff
How many individuals in your organization are dedicated solely to the role of cybersecurity?
Response options: None; 1; 2 to 3; 4 to 6; 7 to 10; 11 to 15; 16 to 25; 26 to 100; 101 to 500; More than 500; Don’t know
Series: 2019, 2018
Base: 300 respondents in 2018; not asked in 2017
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019


Our data shows more organizations than before are also using these policies successfully to recover breach-related costs as well. Eleven percent — about double last year’s 6% — say they had filed a claim and collected from their insurance company without trouble, and 7% say they collected after some dispute, compared with 4% the prior year (Figure 14).

John Pironti, president of IP Architects LLC, says cyber insurance is increasingly becoming part of risk management strategies at many organizations. A growing number are using it as a way to reduce the financial impact of a data breach and as a demonstration of their commitment to security, he says. For smaller organizations, insurance firms can provide quick access to security, legal, communications, and other professionals in the immediate aftermath of a data breach, he says.

The danger lies in organizations using cyber insurance as a proxy for good security practices. Companies sometimes make the mistake of assuming they can reduce focus and effort on cybersecurity once they are covered under an insurance policy.

The reality is that to qualify for good premiums and coverage, organizations often have to maintain and sometimes increase focus and investments in cybersecurity, Pironti says. Importantly, organizations also need to understand all the limitations and caveats that come with these policies before signing up for one, he notes.

“Cyber insurance is a tool in a toolbox,” he says. “It is not a key security control.” It is a good idea as a financial management mechanism to mitigate data breach cost impact. “But it is not going to help you avoid the things” that lead to a breach in the first place, Pironti says.

Conclusion

Increased investments in cybersecurity have not resulted in any perceptible drop in data breach activity. Growing threat sophistication and attack volumes, in fact, are only driving a troubling increase in security incidents and have put 2019 on track to be the worst year ever for data breaches. Organizations have deployed a wide array of security technologies and processes for protecting against data breaches. But attackers are increasingly finding their way around these defenses by targeting users instead. The trend has heightened the need for a more people-focused approach to cybersecurity.

Figure 12: Formal Security Incident Management Team
Does your organization have a formal security operations center or team that actively manages security incidents and events as they are generated?
Response options: Yes; No, but we are building one within the next year; No
Series: 2019, 2018
Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Figure 13: Cyberbreach or Cyber-Risk Insurance
Does your organization have a cyberbreach or cyber-risk insurance policy?
Response options: Yes, we are covered for cybersecurity breaches under a broader business insurance policy; Yes, we have an insurance policy specifically for cybersecurity breaches; No; Don’t know
Series: 2019, 2018
Base: 150 respondents in 2019; 300 respondents in 2018
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Appendix

Figure 14: File Insurance Claim
Has your organization ever filed a claim under its breach insurance policy?
Response options: Yes, and the claim or claims were paid without dispute; Yes, but the insurance company disputed our claim; No; Don’t know
Series: 2019, 2018
Base: Respondents who have risk insurance
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019


Figure 15: Respondent Job Title
Which of the following best describes your job title?
Response options: Information security department staff; Information security department manager; Network/system administrator; IT executive (CIO, CTO); Chief security officer; IT director/head; Information security director/head; President/CEO/managing director; Internal auditor; Non-IT/security director/VP; CFO/financial director; Other
Base: 150 respondents in 2019
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019


Figure 16: Respondent Industry
How did your organization determine the amount of insurance needed?

Banking/financial services/VC/accounting: 12%
Healthcare/pharmaceutical/biotech/biomedical: 12%
Education: 12%
Government: 11%
Computer or technology manufacturer/tech vendor: 9%
Transportation/logistics: 8%
Manufacturing & process (non-computer): 7%
Consulting/business services: 5%
Communications carrier/service provider: 4%
Nonprofit/trade association: 4%
Aerospace: 3%
Legal: 3%
Agriculture/mining/oil/gas: 2%
Media/marketing/advertising: 2%
Travel/hospitality/recreation/entertainment: 2%
Other: 4%

Base: 150 respondents in 2019
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019


Figure 17: Respondent Company Size
Approximately how many employees are in your organization?
Response options: 100 to 499; 500 to 999; 1,000 to 4,999; 5,000 or more
Base: 150 respondents in 2019
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019

Figure 18: Respondent Company Revenue
What is the annual revenue of your entire organization?
Response options: Less than $6 million; $6 million to $49.9 million; $50 million to $99.9 million; $100 million to $499.9 million; $500 million to $999.9 million; $1 billion to $4.9 billion; $5 billion or more; Government/nonprofit; Don’t know/decline to answer
Base: 150 respondents in 2019
Data: Dark Reading survey of technology and cybersecurity professionals at organizations with 100 or more employees, September 2019