Posts Tagged ‘ponemon’

2009 Enterprise Encryption Trends

Monday, July 20th, 2009

The 2009 Annual Study on Enterprise Encryption Trends, completed by Ponemon Institute and sponsored by PGP, indicates that while encryption strategies have become more consistent, data breaches continue to be an issue. In addition, the data indicates that mobile security is becoming more of an issue, with 51% of respondents indicating a complete lack of encryption on mobile devices (smartphones, PDAs).

This is the 4th annual study on enterprise encryption, basing the data this year on 997 IT and security practitioners in the US (a UK study is also available). The study looks at trends in encryption use, planning strategies, budgeting, and deployment methodologies in enterprise IT.

Highlights from the study:

  • 78% of organizations have an encryption strategy in place (74% in 2008)
  • 85% experienced at least one data breach in the last 12 months (84% in 2008)
  • 22% experienced >5 data breaches in the last 12 months (13% in 2008)
  • 58% say data protection is a very important part of overall risk management
  • 59% say encryption of data on mobile devices is very important or important
  • 26% indicate they encrypt their smartphone or PDA ‘most of the time’
  • 51% have no encryption in place for the smartphone or PDA

I was surprised that the repeat data breach figures had gone up so dramatically, showing perhaps that data breaches are becoming chronic issues in some companies. This could indicate a lack of proactive security planning and risk assessment.

The study does indicate that companies are seeking out encryption solutions to preserve brand and reputation, in addition to mitigating breaches and meeting compliance regulations. This shows, perhaps, that companies are ready to take a more pro-active approach to security planning. Remember, too, that encryption is only a part of the solution to pro-active security planning. Absolute Software can help with other pieces of that puzzle, providing IT Asset Management & Theft Recovery for laptops and mobile devices.

Download the report, for the UK or the US, here.

Via SC Magazine

Cost of a Lost Laptop is nearly $50,000

Friday, April 24th, 2009

The Ponemon Institute, along with Intel, has released the results of a new study about the Cost of a Lost Laptop. The study concluded that the average cost of a lost laptop was nearly $50k, in both tangible and intangible costs.

The study was prompted by an increasingly mobile workforce carrying around more sensitive data on their laptops than ever before. The study focuses on samples of organizations in the US that have experienced laptop loss or theft within the last 12-month period. The 138 cases involved loss by employees, temporary employees and contractors.

Key Highlights from the Study:

  • The average value of a lost laptop is $49,246 (replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses)
    • The occurrence of a data breach represents 80% of the cost associated with a lost laptop
    • Of the remaining 20% of cost, 59% of that can be attributed to intellectual property loss
  • The faster a company learns of a loss, the lower the associated average cost.
    • If a loss is discovered in the same day, the average cost is $8,950
    • If a loss takes more than 1 week to discover, the average cost rises to $115,849
  • Director laptop losses are most costly
    • The average cost of a lost laptop for a senior executive is $28,449, with the highest costs for managers ($60,781) and directors ($61,040)
  • Encryption saves money, with an average savings of $20,000 for lost laptops with encryption vs those without – but that’s less than half of what you save by discovering that the laptop went missing the first day it happened
  • The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest for the services industry ($112,853) and lowest in manufacturing ($2,184)
  • The average data breach cost of a lost laptop varies by industry. The highest average data breach cost is in the services industry ($108,699), followed by financial services, healthcare and pharmaceutical. The other industries were far less.

What the highlights demonstrate is the high cost associated with lost laptops, but also the possibilities for minimizing the damage if companies can quickly identify when laptops are missing. With software such as Computrace by Absolute Software, you can inventory all your mobile computers and devices, know when one is missing and, when it’s stolen, get the Absolute Recovery Team to help find it. You can also do a remote data wipe to ensure your lost data does not fall into the wrong hands. And Computrace with Intel Anti-Theft Technology can lock the computer so it can’t even be booted up. It can easily help reduce the costs of a lost laptop.

Download the White Paper here [PDF]

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

Average Cost Per Breached Record Rises to $202

Wednesday, February 4th, 2009

The Ponemon Institute has released its annual study on the Cost of a Data Breach. The 2008 Study indicates that the total average costs of a data breach continue to rise. The average cost per breached record is now $202; the average cost per breach is $6.6 million.

The Ponemon Study tracks a wide range of cost factors that relate to data breaches: from detection & notification to legal ramifications and customer loss (tangible or not). The first study from four years ago helped to identify “direct, indirect and opportunity costs from the loss or theft of personal information, thus requiring notification to breach victims as required by law or policy.”

The 2008 Study looks at the actual data breach experiences of 43 US companies across 17 industry sectors. This is a larger base sample to draw from, vs the 35 breaches studied in 2007. The breaches in the survey ranged from 4,200 records to more than 113,000 records.

The average cost per breached record has gone up from $182 in 2006 to $197 in 2007 to $202 in 2008. The average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007). The range for costs was anywhere from $613,000 to $32 million.

“In these very tough economic times, businesses cannot afford to lose customers as a result of breach. Although new data breaches are reported each week, and seem to be getting larger, consumers have not become immune. While organizations have learned how to respond to a breach more cost-effectively, customers are increasingly prone to terminate their business relationship due to lost data, producing consistently higher abnormal churn rates.”

The cost of lost business has the highest impact on the per-record breach cost, accounting for 69% of data breach costs. According to the study, breach costs for first-timers (companies with no previous breach history) are higher, and 85% of cases in the study involved companies with more than one major data breach. Insider negligence was the #1 cause of data breaches with over 88% resulting from negligence.

Third-party data breaches, such as those experienced when sub-contractors or business partners lose data, are rising in frequency and in cost. 44% of respondents report a third-party data breach (up from 40% in 2007 and 29% in 2006) with higher per-victim costs than internal data breaches ($231 vs $179). The staggering growth of third-party data breaches would indicate a serious, and costly, oversight in data security planning and accountability.

Other highlights from the study:

  • 53% of companies are creating more training and awareness programs to prevent future breaches
  • Healthcare and financial services suffer the highest customer loss (average churn rate of 6.5% and 5.5%) after a data breach
  • Healthcare data breaches cost $282 per record vs retail data breaches at $131
  • 44% of companies have expanded their use of encryption technologies

Download the study here.

Absolute and Ponemon Study Shows Employees Undermine Security

Wednesday, January 14th, 2009

Absolute Software and the Ponemon Institute announced the findings of a new study on the use of encryption on laptops in the corporate environment. The study found that 56% of US business managers disable laptop encryption, an action which increases the risk of data and identity theft. The study was also conducted for the UK and Canadian markets with very similar results.

The study was conducted in order to understand employees’ perceptions about ensuring information entrusted to their care remains effectively managed. This includes using encryption, strong passwords, and keeping their laptop physically safe when traveling. The study unearthed a number of troubling issues including a perception by employees that encryption solutions make other security measures unnecessary. IT security professionals were the most careful in abiding by precautionary steps in safeguarding data on their laptops, but non-IT employees were not as careful (with 56% turning off encryption).

92% of IT security professionals indicate that a laptop has been lost or stolen in their organization. Of those stolen, 71% resulted in a data breach. In the event of a theft, companies relying solely on encryption cannot be sure whether all stored data on a laptop has been encrypted, if it has been compromised, or even which files have been accessed by thieves. To help solve security risks that encryption alone cannot adequately address, companies can employ a security solution that can locate a stolen or lost laptop, detect which data has been accessed, and remotely delete sensitive data. Such a solution, like Absolute’s Computrace, is not dependent on the diligent behavior of corporate employees.

“The data suggests that, because of user behavior, encryption alone is not enough to protect mobile devices and the sensitive data stored on them. These statistics are especially disconcerting when combined with our recent studies demonstrating that lost or stolen laptops are the number one cause of data loss, with 3 out of 4 companies experiencing a data breach when a laptop has been lost or stolen.” - Dr. Larry Ponemon, chairman and founder of The Ponemon Institute

“The Human Factor in Laptop Encryption: U.S. Study” key findings:

  • 92% of IT security practitioners report that someone in their organization has had a laptop lost or stolen and 71% report that it resulted in a data breach;
  • 56% of business managers have disengaged their laptop’s encryption;
  • Only 45% of IT security practitioners report that their organization was able to prove the contents of missing laptops were encrypted;
  • Only 52% of business managers – employees most likely to have access to the most sensitive data (personally identifiable information and/or intellectual property) – have employer-provided encryption;
  • 57% of business managers either keep a written record of their encryption password, or share it with others in case they forget it;
  • 61% of business managers share their passwords, compared to only 4% of IT managers; and,
  • Business managers are much more likely than IT security practitioners to believe encryption makes it unnecessary to use other security measures for laptop protection.

The survey breaks down the types of encryption solutions used to protect data assets, from whole disk encryption to thumb drive encryption. The same questions were asked of IT professionals and non-IT professionals (business managers), with differing perceptions of security protocols. Here’s a preview of one of the data segments from the survey:

[Image: Snapshot-2009-01-13-14-38-47.jpg]

To receive a full copy of the study on the Human Factor in Laptop Encryption, for the US, UK and Canadian markets, fill out this form.

Privacy Breach Index Survey

Tuesday, September 2nd, 2008

Hilb Rogal & Hobbs and the Ponemon Institute have teamed up to launch a new Privacy Breach Index. The Privacy Breach Index (PBI) will be a publicly available benchmarking tool to measure responsiveness to data loss or theft. It will be made available at www.privacybreachindex.com.

According to the press release, the Index will include objective tools to improve a company’s ability to manage a data breach. The PBI benchmark tool will help: improve existing safeguards to prevent a data breach, determine areas vulnerable to a data breach, and benchmark responsiveness to a data breach against other companies.

The initial PBI was created from the survey results completed by 768 individuals in data protection, IT security and compliance who were experts in their organization for data breaches. All participants had experienced a data breach in the past 24 months, as part of the needs of the benchmarking process.

Although the end result, the PBI benchmarking tool, will be quite useful to see, already the survey results offer some insight. The survey looked at various areas of data incident response: detection and forensics, escalation to management, notification quality and timeliness to breach victims, support to breach victims, post-mortem response, reputation management and response to regulatory or legal action.

“Our study provides further evidence of the importance of having a good quality privacy incidence response plan in place,” said Dr. Ponemon. “More than 83% of respondents believe that the individuals affected by the data breach lost trust and confidence in their organization’s ability to protect their personal information. As we have found in our consumer studies on trust, these perceptions often result in the loss of customer loyalty. In fact, 80% of respondents in the PBI study reported that a certain percentage of data breach victims terminated their relationship with the organization.”

Some interesting findings from the survey:

  • 9% of respondents rated their organization’s responsiveness to the most recent data breach as an “A” or excellent. 5% gave their organization an “F” for failure.
  • 80% of respondents believe that their organizations experienced some loss of customers or other data breach victims after the incident.
  • 50% of participants noted the root cause of the data breach incident to be employee negligence (29% was third party negligence)
  • More than 36% of respondents have 1 – 4 data breach incidents involving 100 or more records each year

You can download the 2008 Privacy Breach Index Survey here [PDF]

Via Insurance Journal