Cost of a Security Breach

There are many types of security breaches. Some attackers want your data. Some want your money. Some want your intellectual property. Others want chaos. No matter what they want, a breach is going to cost you money. But how much money? IBM has a Cost of Data Breach Calculator.

Data records are stolen at a rate of 58/sec. With an annual average cost of $3.6M per breach, that works out to $141 per record. But what about other costs?

Yahoo lost $350M in their deal with Verizon because of a data breach.

In recent years, three high profile companies were put out of business from security breaches:
  1. Code Spaces
  2. Nirvanix
  3. MyBizHomepage

And 60% of small businesses fail within 6 months of a security breach. The costs of recovery are high, and the damage to reputation can be too.

How common are security breaches?
Last year 43% of companies had a data breach.

While security breaches may be costly, so is preventing them. Worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124 billion. See the link for a breakdown of spending by segment.

Here are the 30 cybersecurity stats that matter most, according to Tech Beacon.
Some striking stats from this survey are:

  • 191 days: The average length of time it takes for organizations to identify a data breach
  • 66 days: The average time needed to fully contain a data breach in 2017
  • 77%: Proportion of respondents in a survey of 2,800 IT professionals who said their organizations do not have a formal cybersecurity incident response plan

My personal opinion, which is backed by the spending trends and the data breach trends, is that organizations broadly don't take security seriously enough and don't spend enough on security.

That said, money alone isn't the answer.

Every day, developers and office workers make hundreds of decisions, and many of them have security impacts. But you can't train yourself into a secure position. Instead, you have to develop a set of guardrails that largely make it impossible for users to make bad decisions.

And you have to realize that threats from the inside are just as big as those from the outside. This requires a two-pronged approach to defense. You have to secure endpoints and networks from external attackers with proper security orchestration, automation and response (SOAR) tools. But you also have to have adequate governance and compliance regimes in place to do basic things like encrypt data at rest and in transit and implement least-privilege security models, automated provisioning with approval workflows, access certification and automated termination. Offsite backups and incident and disaster response plans and drills are also necessities, as fail-safes for when everything else fails. This defense-in-depth strategy is really the only path forward.
