New Study Reveals Data Breach Costs

How costly is a data breach? That depends on where you live.

Symantec sponsored a study conducted by the Ponemon Institute that looks at such costs at 209 enterprises in eight countries: the U.S., UK, Germany, France, Australia, and, new this year, Italy, India, and Japan. Costs such as detection, escalation, notification, and post-breach responses were included, as were estimates of the “economic impact of lost or diminished customer trust and confidence as measured by customer turnover, or churn rates.”

The 2011 Global Cost of Data Breach report puts the cost at $194 per compromised record in the United States (down from $214 in the previous year’s report), the highest figure in the study. Germany came next at $191, unchanged from last year; India had the lowest cost, at $42 per compromised record.

It’s tough to track the cost of losing a customer, but Ponemon said its estimate put the U.S. at the top of the list, losing $3 million from customer churn; Germany was second (at $1.7 million), and India came in last, at $289,060.

Released in March but just now made available to the public, the report breaks down losses by industry, causes of breaches (negligent insiders and malicious attacks ranked highest), variations among countries (detection and escalation costs were most expensive in Germany and France), and organizational attributes and factors. One such factor caught my eye: data breaches were less costly at organizations with CISOs having “overall responsibility for enterprise data protection.”

A PDF version of the report, which is full of interesting facts and figures, is available for free download here.

-- James E. Powell
Editorial Director, ESJ

Posted on 07/23/2012 at 11:53 AM


Why IT Must Embrace BYOD

A new report summarizing a June survey of 335 IT professionals conducted by MokaFive makes one thing clear: “bring your own device” (BYOD) is here to stay. According to 88 percent of respondents, their companies had some sort of BYOD -- sanctioned or not.

IT departments that don’t pay attention to this trend are sure to suffer; the survey points out that BYOD brings “rampant use of insecure cloud services like Dropbox.” If you need proof, consider this: 73.6 percent admit to personally using (or knowing that their company uses) such a service. “These commercial cloud storage and backup providers can present security risks to corporate data, since data is in the hands of a third party,” the survey summary points out.

More than three-quarters (77.9 percent) of respondents say their company allows employees to use personal computing hardware (including laptops and mobile devices such as smartphones) at work. Nearly two-thirds (65.6 percent) of respondents can (or have permission to) access corporate resources such as file shares from a personal device. Of these, 63 percent use a VPN, 17.8 percent use full-disk encryption, 28.3 percent use two-factor authentication, and 26.4 percent use mobile device management software.

Survey respondents are under no illusions about security issues; 77 percent said “current security approaches, such as Mobile Device Management (MDM) [is] too intrusive.” MokaFive characterizes respondents’ animosity this way: “BYOD approaches provide security at the expense of privacy.” Of course, many organizations have no BYOD policy -- as many as 10 percent in this survey.

The two-page summary is available at no cost here.

-- James E. Powell
Editorial Director, ESJ

Posted on 07/23/2012 at 11:53 AM


Is IT Losing the Battle to Keep Security Devices Safe?

It’s not just the loss of smartphones and laptops that keep security administrators busy. According to a new survey of 300 IT security professionals in London conducted by SecurEnvoy, enterprises are wasting resources “recovering and replacing lost physical authentication tokens.”

When asked to quantify that cost, “a staggering 12 percent of companies waste ‘months’” every year because of lost security tokens, and 10 percent said such tasks cost them “weeks every year in management time chasing and replacing physical tokens.” Some enterprises are luckier: 13 percent estimate the loss in days, and 16 percent said the cost was just a few hours.

One number in the survey popped out at me: 7 percent of companies report losing up to three-quarters of their tokens each year, and 14 percent of companies lose between 26 and 50 percent of theirs. The figure drops to 13 percent of companies with losses between 11 and 25 percent, and nearly a third (32 percent) say they lost 10 percent of their tokens. No wonder SecurEnvoy says the loss is in millions of pounds and calls the loss rates “galling.”

In a release, the company notes, “You really do have to admire the commitment of the 3 percent of respondents who confessed that between 76 percent and 100 percent of all physical tokens in their organization were being lost every year! When you think each token has an overhead cost -- averaged at £50 per token, that’s a lot of money to write off.” You bet it is.

Andy Kemshall, CTO and co-founder of SecurEnvoy, pointed out that “We advocate the use of mobile phones which can be turned into an authentication device eliminating many of the management costs associated with 2FA [two-factor authentication] systems. Our mantra is simple: authenticate anyone, anywhere, any phone -- simply and securely.” Of course, given the rates of cell phone loss, I’m not sure how much easier this will make a security administrator’s job.

The study examined password use and discovered that 57 percent of respondents “confirmed that a password is required as part of their ‘log-on’ procedure. While 78 percent of the sample agreed that using a secret question to secure a password is not enough, still a staggering 21 percent relied on this verification when a password reset is needed.” That’s not the worst of it: “Worryingly, an additional 10 percent didn’t know if they did or didn’t!”

Kemshall wisely notes that enterprises understand the risks of these password policies “yet they still continue with the practice in the blind hope that nothing will go wrong. With 2FA arguably the strongest realistic authentication option, it makes sense for it to be incorporated whenever a person needs to do something that requires them to validate they are who they say they are -- password resets being an obvious candidate.”

If IT wants to save money, Kemshall has a recommendation: “Users can now very easily reset their passwords, themselves, via a self-help Web page using a one-time passcode sent to their mobile phone. This method eliminates the average help desk cost of £14 for each password reset, but also allows companies to introduce more secure practices for everyday eventualities.”
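The reset flow Kemshall describes, a one-time passcode sent to the user’s phone and then checked by a self-help page, is simple to sketch. The following is an added example written for this post, not code from SecurEnvoy or from the survey: a hypothetical `ResetService` that never stores the passcode itself (only an HMAC of it under a server-side key), expires codes after five minutes, burns a code on first successful use, and locks the reset after three wrong guesses. The SMS sender and the clock are injected so the `demo()` walkthrough runs offline on constructed data.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # a one-time passcode is valid for five minutes
MAX_ATTEMPTS = 3            # lock the pending reset after three wrong guesses


class ResetService:
    """Hypothetical self-service password-reset service (constructed for this example).

    Only an HMAC of each issued passcode is kept, so a copy of the pending table
    does not reveal usable codes; `send_sms` and `clock` are supplied by the caller.
    """

    def __init__(self, server_key, send_sms, clock=time.time):
        self.server_key = server_key
        self.send_sms = send_sms
        self.clock = clock
        self.pending = {}  # username -> (code_mac, expires_at, attempts_left)

    def _mac(self, username, code):
        msg = f"{username}:{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def request_reset(self, username, phone):
        # Six decimal digits from the CSPRNG, zero-padded so length never leaks.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (self._mac(username, code),
                                  self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self.send_sms(phone, f"Your password reset code is {code}")

    def verify(self, username, code):
        entry = self.pending.get(username)
        if entry is None:
            return "no-pending-reset"
        expected, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[username]
            return "expired"
        # Constant-time comparison of the MACs, not of the codes themselves.
        if hmac.compare_digest(expected, self._mac(username, code)):
            del self.pending[username]      # single use: burn the code on success
            return "ok"
        attempts_left -= 1
        if attempts_left == 0:
            del self.pending[username]
            return "locked"
        self.pending[username] = (expected, expires_at, attempts_left)
        return "wrong-code"


def wrong_guess(code):
    """A guess guaranteed to differ from the real code (avoids a 1-in-a-million fluke)."""
    return "000001" if code == "000000" else "000000"


def demo():
    """Walk the flow with a fake clock and an in-memory SMS outbox (constructed data)."""
    outbox = []
    now = [1_000_000.0]
    svc = ResetService(b"constructed-server-key",
                       lambda phone, text: outbox.append((phone, text)),
                       clock=lambda: now[0])
    svc.request_reset("alice", "+15550100")
    code = outbox[-1][1].split()[-1]                 # what the user would type in
    results = [svc.verify("alice", wrong_guess(code)),  # one wrong guess
               svc.verify("alice", code),               # correct code
               svc.verify("alice", code)]               # replay is rejected
    svc.request_reset("alice", "+15550100")
    now[0] += CODE_TTL_SECONDS + 1
    results.append(svc.verify("alice", outbox[-1][1].split()[-1]))  # too late
    svc.request_reset("bob", "+15550199")
    bob_code = outbox[-1][1].split()[-1]
    results += [svc.verify("bob", wrong_guess(bob_code)) for _ in range(3)]  # lockout
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the code is bound to the username inside the HMAC, so a passcode issued to one account cannot be replayed against another, and the table entry is deleted on success, expiry, or lockout rather than left to be retried.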

-- James E. Powell
Editorial Director, ESJ

Posted on 07/11/2012 at 11:53 AM


Firewall Management Survey Reveals Real-World Practices

What better place than the show floor of April’s Infosecurity Europe 2012 conference to ask 119 network security specialists about their firewall management practices?

The study, conducted by Tufin Technologies (a security policy management solutions provider) and released today, found that only 6 percent of respondents’ organizations have implemented continuous firewall compliance; 39 percent are considering moving to continuous compliance to satisfy legislation such as the EU Directive on Privacy. More than half (51 percent), however, aren’t considering such a move “just yet.”

The survey also reported that 28 percent perform firewall audits quarterly, and a third perform the audit yearly. More than one in ten (12 percent) never perform an audit, and 5 percent perform the task once every five years.

Security administrators clearly have their hands full: 62 percent say they have, on average, hundreds of rules in their rule base, which Tufin says is a 14 percent increase from its 2011 survey. About 8 percent say their rules number in the thousands, down from 8 percent in last year’s study. One in ten report that the rules include “ANY” in one of the rule’s fields; 36 percent say up to 10 percent of their rules contain the term.

It’s no easy task: 65 percent of respondents say they manage four or more distinct network security consoles -- and nearly a third (32 percent) of all respondents manage more than 10.

Survey participants, for the most part, think their rule base is up to date. Only about 40 percent say less than a quarter of their rules are obsolete, and 35 percent say no more than 5 percent of their rules are out of date. These figures are similar to 2011’s survey.
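Two of the figures above, rules with “ANY” in a field and rules that are obsolete, are exactly what a periodic firewall audit should measure. As an added example written for this post (not Tufin’s tooling or anything from the survey), the script below parses a small constructed rule base, flags allow rules that are wide open in the source, destination, or service field, and flags rules that have not matched traffic within a review window, reporting each as a share of the rule base. The CSV layout and the `last_hit` column are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample rule base (not from any real firewall or from the survey).
# Columns: name,source,destination,service,action,last_hit
SAMPLE_RULES = """\
allow-web,10.0.0.0/8,192.168.10.5,tcp/443,allow,2012-07-01
allow-dns,ANY,192.168.10.53,udp/53,allow,2012-07-09
temp-vendor,ANY,ANY,ANY,allow,2011-01-15
legacy-ftp,10.0.5.0/24,192.168.10.21,tcp/21,allow,2010-11-30
mgmt-ssh,10.0.100.0/24,192.168.10.0/24,tcp/22,allow,2012-07-10
deny-all,ANY,ANY,ANY,deny,2012-07-10
"""


@dataclass
class Rule:
    name: str
    source: str
    destination: str
    service: str
    action: str
    last_hit: date


def parse_rules(text):
    """Parse the constructed CSV form into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        name, src, dst, svc, action, hit = line.split(",")
        rules.append(Rule(name, src, dst, svc, action, date.fromisoformat(hit)))
    return rules


def any_fields(rule):
    """Names of the match fields that are wide open ("ANY")."""
    return [f for f in ("source", "destination", "service")
            if getattr(rule, f).upper() == "ANY"]


def overly_permissive(rules):
    """Allow rules with ANY in at least one field; a final deny-all is expected and skipped."""
    return [r for r in rules if r.action == "allow" and any_fields(r)]


def obsolete(rules, as_of, max_age_days=180):
    """Rules with no traffic hit within max_age_days are candidates for removal."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [r for r in rules if r.last_hit < cutoff]


def audit(text, as_of_iso, max_age_days=180):
    """Summarise the rule base as the survey's percentages: ANY rules and obsolete rules."""
    rules = parse_rules(text)
    as_of = date.fromisoformat(as_of_iso)
    perm = overly_permissive(rules)
    stale = obsolete(rules, as_of, max_age_days)
    return {
        "total": len(rules),
        "any_pct": round(100 * len(perm) / len(rules), 1),
        "permissive": [r.name for r in perm],
        "obsolete_pct": round(100 * len(stale) / len(rules), 1),
        "obsolete": [r.name for r in stale],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES, "2012-07-10").items():
        print(f"{key}: {value}")
```

On real equipment the `last_hit` value would come from the firewall’s per-rule hit counters or logs; the point of carrying it alongside the rule is that a rule such as `temp-vendor` shows up on both lists, which is the combination most worth a rule-change ticket.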

Changing rules has been problematic for most participants: 62 percent answered “yes” when asked, “Have you, or any of your colleagues, ever been asked to make a rule/configuration change against your better judgment?”

Respondents are almost evenly divided when it comes to whether their companies “are focusing on cost savings at the expense of IT security” -- 48 percent said yes, 50 percent said no. More than a quarter (27 percent) of those surveyed think their IT security budget is being “spent on compliance issues that do not improve security.”

-- James E. Powell
Editorial Director, ESJ

Posted on 07/10/2012 at 11:53 AM


Restoring Critical Applications Tops Protection Concerns

Enterprises know that employees and customers both expect critical systems to run around the clock without failure. That’s putting pressure on IT to examine their backup and recovery strategies and procedures.

A survey conducted last quarter and sponsored by Quest Software asked over 200 North American IT professionals about their concerns; almost three in four organizations (73 percent) put restoring critical applications along with recovering lost or corrupted data at the top of their list of backup and recovery concerns. Even so, a mere 5 percent are creating recovery objectives based on applications, and 78 percent still create their objectives “based at data, servers, or a combination of both.”

Another 22 percent put “simply ensuring the recoverability of lost or corrupt data” at the top of the list.

“Problematically,” Quest points out, “traditional data protection solutions require organizations to build recovery objectives based on servers and infrastructure, with no visibility into the recoverability of the underlying applications that drive business activity. As a result, only 5 percent of organizations surveyed indicated that they build their recovery objectives strictly around applications; 78 percent said applications ‘play no role whatsoever’ in forming the recovery objectives for their enterprise.”

Rapid recovery and, from what ESJ readers tell me, self-service recovery, are gaining IT’s attention. That’s especially true the more data you have. In fact, 70 percent of respondents said that at least “half of the data their organizations produce is considered mission-critical” (23 percent of all respondents said the figure was at least 75 percent), and “nearly one-third of respondents (32 percent) [indicated] that company management has specifically asked them to seek ways to reduce recovery times within the past year.”

For some (15 percent) enterprises, there’s a disconnect between “their formal service level agreements (SLAs) and the actual service level expectations (SLEs) of their employees and customers.” That’s amplified by the one-quarter of respondents who said they only “revisit their SLAs once every few years.” (emphasis added)

-- James E. Powell
Editorial Director, ESJ

Posted on 07/10/2012 at 11:53 AM


Can a $70 Device Really Provide Decent Phone Service?

When I signed up with my cable company to add telephone service as part of a bundle, I knew I was getting a better deal than the phone company offered. At least I thought I was, until the fees and miscellaneous taxes started appearing on my itemized cable bill.

That’s when I started experimenting with Magic Jack, the low-cost ($39 for hardware plus first year of service) VoIP phone service. No hidden fees, taxes, monthly modem rental, or surcharges, and most of the same features (call forwarding, voice mail, unlimited local and long-distance calls) of my cable provider’s plan, using VoIP.

The only problem was that while the quality of the line was acceptable, it wasn’t as good as what the phone company or cable company provided. Sometimes the people I called said I sounded like I was calling from inside a tunnel or a tin can. Then there was the connectivity issue: your telephone must be connected to the deck-of-playing-cards-sized device, which must be connected to your computer (and that must be running if you want to make or receive a call).

When MagicJack PLUS was released late last year, I wondered -- could the device be significantly better? At about that time, I was approached by a competitor -- netTALK -- that was introducing its DUO product line with WiFi functionality.

Is a $69.95 initial investment (MagicJack PLUS device plus first year of service) worth the money or just pouring money down the drain -- and what about netTALK DUO WiFi’s $64.95 offering?

MagicJack PLUS

For the last six months I’ve been using MagicJack PLUS, and I must say, I’m quite impressed. The sound quality is vastly superior to its “regular” (non-Plus) sibling, which is still available. When I called a friend and asked about the quality of the line, he answered without hesitation: “Sounds just like a land line.”

Rather than plugging your MagicJack PLUS device into a PC (as you did with the previous MagicJack hardware -- though you can connect it this way as well), you connect the tiny (2.5” x 1.5” x .5” LWH) unit to a power source and plug in an Ethernet cable, then plug your phone into the device. A tiny green light lets you know that service is connected.

Because my router is on all the time, this hookup means I don’t have to wait for my PC to boot up in order to place or receive a call. (You must plug the device in to your PC for initial installation and configuration.)

You use a Web site to manage your account, including buying additional years of service, porting your existing telephone number to the service (assuming your current provider allows your number to be moved), set voice mail options, and request a vanity number (for an additional yearly charge).

Promotional literature (including e-mail I’ve received from third-party sellers) boasts that international calls are free, but that really means calls to Canada or to other MagicJack users throughout the world. Customers can use their MagicJack PLUS outside the U.S. to call U.S. phone numbers for free.

With MagicJack PLUS you can set the dial tone to stutter when you have an e-mail message (a feature netTALK doesn’t offer); the system will also forward voice mail to you as an audio file sent to the e-mail inbox you specify. Additional years of service are $29.99, or $99.75 will buy you five more years (which comes out to a paltry $19.95 per year). Users with current MagicJack plans can carry their prepaid time over to a brand new PLUS unit for a low fee thanks to a special promotion available at press time.

NetTALK DUO WiFi

Take the best features of the MagicJack PLUS and add WiFi and you have telephone service that offers more freedom for phone placement. You must connect the device to your PC in order to set up the parameters (such as entering your WiFi’s password), but once that’s done, you won’t need your PC. (Like MagicJack’s set-up, you can connect the DUO WiFi device to your computer’s USB port if you wish.)

WiFi doesn’t completely set you free -- there’s still some tethering because the device needs power, either from a wall plug or from a USB port. However, thanks to WiFi, you can place your phone in more places than you can with the MagicJack PLUS. I tested a pre-release model, which had a codec glitch that the tech support representative was able to fix quickly. (NetTALK has a “take control of your PC” application that let the technician diagnose and solve the problem in a couple of minutes.)

Many of netTALK’s services are identical to MagicJack PLUS’s: free phone calls to the U.S., Canada, and other netTALK users; call forwarding, voice mail, and caller ID (those you call see your phone number; MagicJack PLUS will only display your name if the person you’re calling is in your contact list). You can access your call history online, block any incoming phone number you add to your blacklist, set up speed dial, and get live technical support by dialing 611 (MagicJack offers live chat that was efficient and answered all my questions). There’s a list online of the keys to press to enable/disable muting, do not disturb, or outgoing calls.

All voice mail messages over 30 days old will be deleted automatically -- a feature I don’t like. (To save a message longer you’ll have to copy the attachment from your e-mail or from the customer online portal and save it to your hard drive or other storage device.)

Additional years of service are $29.95 with discounts for multi-year renewals (a 4-year extension is just $98.95 which is just $24.74 a year), so it’s ever-so-slightly more expensive than MagicJack PLUS.

Many Differences (And a Possible Deal-Breaker for Some)

There are so many things that are alike -- and things to like: both hardware units are about the same size, have very good sound quality (an occasional slight delay is the only clue you’re not using a land line), efficient voice mail, and speedy connections. In the months I’ve been testing both units, I haven’t had a moment of down time (unless my cable service was interrupted, of course).

There are, naturally, some differences between the two products.

netTALK offers low-cost international flat rates to 60 countries (a $10/month add-on rather than MagicJack’s per-minute charges subtracted from a prepaid balance), though for most countries you cannot use the plan to call mobile phones. For $5.85 per month you can place netTALK calls to Puerto Rican land-line and mobile devices and land lines in Mexico.

Both services provide a free conference-call service (you dial into the service to receive a phone number (not toll-free) and access code, which you share with the other people you want to talk to). However, only NetTALK offers true three-way calling (press the Flash button on your phone, connect to another number, and dial *46# to merge all parties together). With both services you can use the Flash button to switch between incoming calls (in a traditional call-waiting situation).

If you’ve unplugged the device from your Ethernet connection or power source or your Internet service is interrupted, NetTALK rings the phone once service is reestablished, a nice touch. Both products take less than 90 seconds to re-establish a connection to their respective services.

Of the two products, MagicJack’s set-up is slightly easier, in part because you don’t have to hassle with WiFi connectivity (selecting the device, entering a password, etc.), but no one reading this article is likely to have a problem with installation.

For business users, MagicJack PLUS has one potentially big drawback: calling a conference service (such as GoToMeeting) requires a prepaid account from which per-minute additional charges are deducted. When I placed a call to GoToMeeting, MagicJack PLUS stopped the call and a recording told me I had to use prepaid minutes. If you use conference dial-in numbers as much as I do, this can be costly. netTALK had no such restriction; it connected me to GoToMeeting without incident.

With so many similar features, and little perceptible difference in sound quality, making the choice comes down to your individual needs and some of the “little features” you might want or need. If you want more flexibility in where you can physically position your phone, netTALK DUO WiFi is a better choice. (If your phone sits atop your desk along with your computer, then it really doesn’t matter.) If you use conference services, again, netTALK is a better option. If you want a vanity telephone number or you’re giving phone service as a gift to a less technically savvy user, MagicJack PLUS is a better choice.

Either way, if you’re tired of cable or phone company charges atop what you thought might be a decent phone plan, both MagicJack PLUS and netTALK Duo WiFi offer smart alternatives.

-- James E. Powell
Editorial Director, ESJ

Posted on 07/05/2012 at 11:53 AM


Your Network Could Be Obsolete within 5 Years

Dimension Data's Network Barometer Report 2012 looks at how prepared enterprise networks are to support ongoing operations given current tech trends. The results, released yesterday, aren’t pretty.

The report says that several trends -- such as bring your own device (BYOD), video, and virtualization -- are “rapidly consuming network capacity and capabilities, and that 45 percent of the enterprise networks assessed during 2011 will be obsolete within five years.” That’s 38 percent “worse” than the survey’s 2010 results.

The survey is based on almost 300 technology life-cycle management (TLM) assessments the company performed at enterprise organizations worldwide last year.

The speed of technology advances is accelerating. Here’s just one sign: of the organizations “considering desktop virtualization and pervasive video” most had better “refresh their routing and switching infrastructure” because only one-fifth (18 percent) of the access switches examined could properly support the move.

Another problem: existing equipment is not without security problems. “Two-thirds of all devices assessed in 2011 had at least one known security vulnerability,” the report points out. Three out of the 10 vulnerabilities found were rated as “high severity,” and one of the 10 was rated as “critical.”

“The introduction of new technologies into the enterprise environment has accelerated to the point where many corporate networks predate current megatrends such as mobility, virtualization, BYOD, and pervasive video,” warned Grant Sainsbury, vice president of advanced solutions at Dimension Data.

Dimension Data expects that 802.11n access-point penetration will exceed 50 percent next year, so the company advises organizations to “carefully consider the underlying network infrastructure responsible for the distribution and delivery of their communication services.”

Aging equipment is also problematic. “The total number of devices that were past end-of-sale jumped from 38 percent to 45 percent, highlighting the fact that organizations must not forget the network as they consider deploying new communication services.”

The full report is available here; no registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/26/2012 at 11:53 AM


Where’s the Data? Senior Management Doesn’t Know

Do you know where your company data is? If so, you’re doing better than two-thirds (67 percent) of respondents to a new survey from Varonis Systems Inc., a data governance software provider. Attendees from over 400 companies attending EMC World in May say their organization’s senior managers either “don’t know where all company data resides or are not sure.” Nearly three-quarters (74 percent) of organizations admit that they don’t have a tracking process so they know which files reside on third-party “cloud digital collaboration and storage services.”

A release from Varonis says it best: "With Bring Your Own Device (BYOD) -- particularly mobile and tablet devices -- and file synch services booming, companies are open to a wave of potential devastation. Files kept on third-party cloud services can be lost, misplaced, accessed by unauthorized people, or leave the company with the employee, causing data privacy and compliance issues.”

What’s worse:

Concerning those organizations that do use file synchronization services our survey uncovered some disturbing results: only 9 percent of those organizations using [third-party] collaboration services report that they have created authorization and review processes for the data residing in the cloud; 46 percent report that they don’t know how access is granted or reviewed; 23 percent report that they are still developing access processes; 10 percent report that while access is granted by users, reviews are ad hoc or not performed at all; and an astonishing 12 percent report that they have no plans to manage access to cloud based file sync services.

The report goes on to say that “These findings seem to confirm our worst fears: that organizational data is being spread to the public cloud, with little hope that access to it will be controlled.” Now you know why security surveys repeatedly report that security administrators’ biggest fear comes from the behavior of their own users, not external threats.

Varonis points out that without such control, data is virtually “up for grabs.”

The survey points out:

A bit of almost good news is that of those organizations that use 3rd party file sync services, a little over half (52 percent) hope to keep as much data in-house as possible, with the bare minimum being kept in the cloud. Almost a third (30 percent), however, are resigned to having to manage two separate infrastructures going forward: internal and cloud.

Notice that the report says the respondents hope. It doesn’t say they have any plans. Talk about wishful thinking.

Finally, another number that jumped out at me: when asked “Compared to internal file shares, how secure do you rate third-party cloud digital collaboration and services,” 27 percent said “I have no idea how secure these services are,” and 35 percent admitted the services were less secure than internal file shares.

The full report -- which should serve as a wake-up call to storage and security administrators alike -- is available at http://hub.varonis.com/CloudSurvey. A short registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/25/2012 at 11:53 AM