Survey Examines Impact Data Breaches at Target and other Organizations Have had on IT Budgets and Security Practices.
Organizations are increasing investment in IT security, but even after a string of high profile data breaches in 2014, they aren’t thinking beyond perimeter-based defenses, according to the latest Ponemon Institute survey.
The mega-breach at Target and other retailers served as a “wake up call” for senior managers at organizations to realize they needed better security. About 13 percent of senior management expressed extreme concern about their security posture before the Target breach was publicized, according to the survey. The number rose to 55 percent after the breach.
More importantly, the new understanding has resulted in more resources to prevent, detect, and resolve data breaches, according to the report from Ponemon Institute. For example, 61 percent of organizations increased its security budget by an average of 34 percent in 2014. The most common areas of investment included security incident and event management (SIEM), endpoint security, intrusion detection and prevention (IDS/IPS), encryption, tokenization, and Web application firewalls. About 63 percent of respondents in the survey said this increase in budget resulted in investments in enabling security technologies to prevent and/or detect breaches.
“This study shows that organizations are dedicating greater attention and financial resources towards managing sensitive information and preventing data breaches, which is certainly encouraging news,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.
However, only 9 percent have increased budgets to address sensitive data management, which discovers sensitive information such as Social Security numbers and payment card numbers and protects the documents containing the data. This is a glaring omission because the data is not protected if—or rather, when—the attackers breach the network, said Todd Feinman, CEO of Identity Finder, told SecurityWeek. The company sponsored the “2014: Year of the Mega Breaches” study.
The recent attack at Sony where attackers dumped files containing “millions of instances of Social Security numbers” is an example of the kind of damage that can result when attackers get on the network and the information is not properly protected. “Organizations shouldn’t be solely focusing on how to block the attack and they need to understand how vulnerable they are if the attackers get past the perimeter defenses,” Feinman said.
“They are assuming what they are doing will work,” but in reality, even if they do many things right, they still need to assume they won’t be able to block everything, Feinman said. Not enough is being done in terms of figuring out what needs to be done to minimize the damage, he warned. There must be a balance between blocking threats and reducing the footprint of vulnerable, sensitive data.
“Detection can be more important than prevention. Prevention is important, but when things go sideways, you need to know,” Feinman said.
It’s important to remember that perimeter-defense has a role to play in enterprise defense. The goal is not to shift resources, but to spread them out so that the lion’s share of the money and people isn’t going towards preventive controls such as monitoring the perimeter and endpoint.
“We aren’t saying don’t do perimeter defense,” Feinman said. SIEM is a good thing to invest in, but if organizations are taking three months or longer to detect a breach, then that control alone is not enough. It’s just as important to add controls for data, too, he added.
Having data controls make other security controls more valuable, Feinman noted. If the IT manager knows where the sensitive data is stored, then he or she can write better rules for the firewall, for example. Or in the case of encryption, many organizations see their encryption projects fail because “they are trying to encrypt the world—all the endpoints, all the emails, everything.” Instead, if they know where the confidential information is stored and encrypt “what really matters,” they can minimize the damage from a data breach, Feinman said.
Money is not everything. Businesses are clearly spending money to prevent cyberattacks, but data breaches still occur, Feinman said. JP Morgan Chase spent over $250 million on cyber security last year, but still suffered from a significant data breach. “If one of the world’s largest banks cannot stop an attack from getting through, it’s unrealistic to expect anyone else will be able to,” Feinman said.
Ponemon Institute surveyed 735 IT and IT security practitioners about the impact data breaches at Target and other organizations have had on their IT budgets and security practices. About 45 percent said they’d discovered the breaches by accident, and a staggering 95 percent said they did not discover the breach for at least three months after the initial incident. Half had thought they had the tools necessary to prevent a breach, but 65 percent said the attack evaded existing preventive security controls.
“Security is not only about more investments in prevention but also about understanding the data itself that is vulnerable,” Ponemon said.