• For the first time, malicious or criminal attacks are the most expensive cause of data breaches and not the least common one
• Organizations are more proactively protecting themselves from malicious attacks

Perhaps we would call this some bad news, and some good news. A summary of these points is found on page 5 of the study. In the past, directly malicious or criminal attacks were the least common cause of breach. This is not to say that they were not potent and very damaging, but merely that they were relatively uncommon. Not true anymore. Incidents of direct, malicious attack are on the rise.

Thankfully, this is at least somewhat tempered by some good news: there seems to be an increase in organizations proactively protecting themselves from malicious attack. Clearly, some are “getting it” and starting to take action before the breach, rather than merely reacting after it. Remember, an ounce of prevention is worth a pound of cure.

Don’t forget to dig in and take a look at the study using the links above.

We plan to spend the next several posts digesting the new study. For now, some interesting key findings (please be sure to visit the links above and download the full study):

• The average organizational cost of a data breach rose to $7.2 million.
• The average cost per breached data record rose to $214 from $204 in 2009.
• Rapid response to data breaches is costing companies 54 percent more per record that a slower response.

That last point will yield some further discussion over the coming weeks. It’s been said many times that a very slow response will cost an organization dearly. But it has also been said, and is now becoming clearer, that responding too rapidly is also more damaging. There’s a fine line to walk, but walking it correctly makes a very large financial difference to a breaching organization. Preparedness is a key.

82% of respondents claimed to be extensively involved in security functions, or involved in a limited/supporting role. Overall, the survey showed a “surprising lack of awareness of security issues.”

For example:

• Only 4% admitted to being fully informed about security breaches within their organizations
• 80% of those who said their organizations had suffered a recent data breach were unable to tell which IT components might have been impacted
• 90% of those who had been breached had “no idea” of the resulting costs to their companies
• 53% said they had no idea what the security budget was, or weren’t privy to it
• 33% expressed a lack of understanding of security threats
• 50% expressed the belief that security efforts were being constrained by low budgets

The article mentions the OAUG’s response:

Mark Clark, president of the OAUG, expressed surprise at the broad takeaway from the survey results. “While OAUG members may not be the primary points of contact for IT security in their organizations, it is a bit surprising that many of the respondents to the survey indicate they are unaware or unsure of the security efforts taking place in their organizations,” he said.

“The opportunity to provide its members information and education in this area is something the OAUG will explore,” Clark added.

Indeed, this survey reveals another example of a very pervasive lack of security/risk knowledge in IT organizations, which highlights the danger of personal data in the hands of many stewards. Many thanks to Redemtech for the tip.

1. Change Your Passwords
2. Check the Lost-and-Found
3. Make Clients Aware
4. Utilize Computer Tracking
5. Invest in an Online Backup Service

For #4, she digs into the MyLaptopGPS solution a bit and has a quotable or two. It’s a decent, short article, and worth a read.

A key element of the attack is the fact that in many cases a bank or financial institution will ALLOW a red-flagged transaction to proceed, even in the midst of fraud suspicion, if the institution cannot get ahold of the account owner. It may seem odd, but in many cases the default posture is to hold, check, then allow if not denied.

The ring of thieves used a malware program called “Zeus Trojan” to hijack bank account info. They embedded the malware in emails and attachments. Once in possession of the necessary account access, the crooks were ready to strike. But what to do about the alert responses that the institutions would make–the calls to account owners to verify suspicious transactions?

Just ask good old Joe Jones: “You Talk Too Much.” The thieves used automated calling programs to bombard the victims’ telephone lines with bogus calls. While the lines were tied up with this bogus traffic (essentially a telephone DDOS), the financial institutions couldn’t get through to verify transactions. And because of the “proceed if not denied” policy in play in many cases, the transactions succeeded, with funds shuttled off to standard “mule” accomplices who could transfer it overseas.

Read the full article for details. You just never know what creativity these criminals will show.

In the case of laptops, keeping the paper right in the laptop bag or even posted on the palm rest is a common practice with a common result: compromised passwords.

Folks have been doing this since the first passwords were invented–since the first day that IT stopped by and said, “Hey, we need you to have a ‘password’ to get into the system now” and earned yet another thumbs-down from the troops. Even as security needs have increased and technology has proliferated, this problem has remained.

In fact, it’s the primary reason that MyLaptopGPS has Remote Decryption Kill. Even a thief who has the decryption password (probably because the laptop owner posted it on a sticky note right on the palm rest) is blocked when the MyLaptopGPS Recovery Team remotely kills the decryption system entirely.

In any case, Ferrell’s article is worth a read, followed by a stroll around the cubicles at the office. There’s more than chocolate chip cookie crumbs hanging out under those keyboards.

But given recent legislation dealing with data breach notification requirements, why might it still be true that many breaches either don’t get reported at all, or get a bit “under-reported” inasmuch as they provide few, if any, details and numbers about the breach (such as the number of individuals affected)?

The article claims that the ITRC (Identity Theft Resource Center) believes that the fact that some states now harbor a “protected” breach list that is not made public at all, or is only accessible via an official Freedom of Information Act request, is one cause. Similarly, for medical data breaches, the US Department of Health and Human Services has created a “risk of harm” threshold for notification requirements, which has been contentious since it was first introduced, with opponents claiming that it removes the very core incentive of data breach notification requirements: incentive for organizations to protect data in the first place, lest they have to report a breach.

Furthermore, in many cases organizations are allowed to do their own assessment of the “risk of harm.” Could this be akin to letting a convicted criminal sentence himself? Perhaps.

In any case, the article helps identify some very likely causes of continued data breach under-reporting, which in turn helps reinforce the claim that it’s really worse out there than most people realize. Ignorance may not be bliss.

A nice summary article can be found at NextGov (thanks to Jake K at DataLossDB for that tip). According to the article, the White House review found that “quantifying the value of protection motivates organizations to address vulnerabilities.” And when it comes to crunching numbers, especially with dollar signs attached, the CFO is typically front and center. The message of the guide is clear and very well underscores the growing realization, worldwide, that data security is actually not “an IT issue.”

In many organizations–in fact in most organizations–the security of data is referred to the “IT department.” It is true that IT tends to be the proper group to actually implement protections. But what tends to happen, before solutions can even be discussed or pursued, is called the brick wall of “funding” or “budgetary appropriations.” Quite simply, IT isn’t given the money or the clout to really deal with “data security” and, lacking the leadership and key sponsorship of the CFO, it fizzles. A few steps may be taken but, far and away, the priorities fall elsewhere.

Back to the guide, or “handbook,” the cost estimates included are helpful to make the point that this is indeed a business-wide decision. Here’s an excerpt from the NextGov article:

The publication estimates a data breach of 10,000 records containing personal identification information would cost about $1.6 million, assuming the company carried breach insurance with an 80 percent coverage of direct costs. That sum includes direct expenses for investigations and forensics, consulting services, notification of affected individuals, public relations, legal defense, and credit and identity monitoring — as well as the indirect cost of lost business. The handbook cites several analytical models to help chiefs assess costs and benefits.

Steps to bolster protection also include learning to view digital safety as a business strategy rather than as an operational responsibility and leading a cyber risk team of appropriate subordinates organizationwide. This team should meet in person, if possible, the publication notes. Face-to-face interactions can prevent the confusion that often occurs when separate business units speak in jargon.

Very helpful, indeed, as even the “geek speak” of the day can cause crucial issues to be lost in translation. The news headlines are packed with examples of what happens when these issues aren’t solved in time.

The report was based on a biannual survey of 250 healthcare professionals nationwide and was commissioned by Kroll Fraud Solutions. The overall flavor of the report seems to suggest a bit of an “overconfidence” by healthcare IT professionals regarding the actual security of their data–they perceive it to be much more secure than it is. And, as we see in breach after breach, that often turns out to be true.

Kroll’s summary of key findings states:

• New regulatory activity, including the implementation of the Red Flags Rule and HITECH Act, has created a false sense of security among healthcare organizations that their facilities are secure and prepared should a breach occur.
• Healthcare organizations continue to underestimate the high costs of a data breach, despite new industry data which puts the average cost per industry data breach at $6.75 million.
• Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.

A more extensive list of highlights is found in the Healthcare IT News article:

• Despite new regulatory activity, including the implementation of Red Flags Rule and HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.
• The majority of survey participants indicated that they were compliant with existing laws and regulations.
• Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
• The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents – up from 13 percent in 2008.
• When asked to rate their level of “preparedness” for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).
• Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million dollars.
• Patient satisfaction was most frequently cited as the primary impact of a data breach on their organization (38 percent), while only 15 percent cited the financial costs —  down from 18 percent in 2008.
• Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.
• Eighty-seven percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to “low tech” incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.
• Sixty percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payers, state and federal repository systems, third party involvement is only expected to increase in the coming years.

There is indeed a lot to crunch and, as noted in the articles, it’s a “bittersweet” set of results. On the positive side, data security is getting much more attention and many healthcare organizations are taking action. But on the negative side, there’s still a very serious gap between “theory and practice,” so to speak. In theory, organizations think they’re secure and are shooting entirely for “compliance.” In practice, not so.

This elicits thoughts of the old cliche: In theory, there’s no difference between theory and practice. In practice, there is.

Download the full report here. Thanks to security curmudgeon on DataLossDB for the heads up.