New Study Reveals Data Breach Costs

How costly is a data breach? That depends on where you live.

Symantec sponsored a study conducted by the Ponemon Institute that looks at such costs at 209 enterprises in eight countries: the U.S., UK, Germany, France, Australia, and, new this year, Italy, India, and Japan. Costs such as detection, escalation, notification, and post-breach responses were included, as were estimates of the “economic impact of lost or diminished customer trust and confidence as measured by customer turnover, or churn rates.”

The 2011 Global Cost of Data Breach report puts the cost at $194 per compromised record in the United States (down from $214 in the previous year’s report), the highest figure in the study. Germany came next at $191, unchanged from last year; India had the lowest cost, at $42 per compromised record.

It’s tough to track the cost of losing a customer, but Ponemon said its estimate put the U.S. at the top of the list, losing $3 million from customer churn; Germany was second (at $1.7 million), and India came in last, at $289,060.

Released in March but just now made available to the public, the report breaks down losses by industry, causes of breaches (negligent insiders and malicious attacks ranked highest), variations among countries (detection and escalation costs were most expensive in Germany and France), and organizational attributes and factors. One such factor caught my eye: data breaches were less costly at organizations with CISOs having “overall responsibility for enterprise data protection.”

A PDF version of the report, which is full of interesting facts and figures, is available for free download here.

-- James E. Powell
Editorial Director, ESJ

Posted on 07/23/2012 at 11:53 AM

Why IT Must Embrace BYOD

A new report summarizing a June survey of 335 IT professionals conducted by MokaFive makes one thing clear: “bring your own device” (BYOD) is here to stay. According to 88 percent of respondents, their companies had some sort of BYOD -- sanctioned or not.

IT departments that don’t pay attention to this trend are sure to suffer; the survey points out that BYOD brings “rampant use of insecure cloud services like Dropbox.” If you need proof, consider this: 73.6 percent admit to personally using (or knowing that their company uses) such a service. “These commercial cloud storage and backup providers can present security risks to corporate data, since data is in the hands of a third party,” the survey summary points out.

More than three-quarters (77.9 percent) of respondents say their company allows employees to use personal computing hardware (including laptops and mobile devices such as smartphones) at work. Nearly two-thirds (65.6 percent) of respondents can (or have permission to) access corporate resources such as file shares from a personal device. Of these, 63 percent use a VPN, 17.8 percent use full-disk encryption, 28.3 percent use two-factor authentication, and 26.4 percent use mobile device management software.

Survey respondents are under no illusions about security issues; 77 percent said “current security approaches, such as Mobile Device Management (MDM) [is] too intrusive.” MokaFive characterizes respondents’ animosity this way: “BYOD approaches provide security at the expense of privacy.” Of course, many organizations have no BYOD policy -- as many as 10 percent in this survey.

The two-page summary is available at no cost here.

-- James E. Powell
Editorial Director, ESJ

Posted on 07/23/2012 at 11:53 AM

Is IT Losing the Battle to Keep Security Devices Safe?

It’s not just the loss of smartphones and laptops that keeps security administrators busy. According to a new survey of 300 IT security professionals in London conducted by SecurEnvoy, enterprises are wasting resources “recovering and replacing lost physical authentication tokens.”

When asked to quantify that cost, “a staggering 12 percent of companies waste ‘months’” every year because of lost security tokens, and 10 percent said such tasks cost them “weeks every year in management time chasing and replacing physical tokens.” Some enterprises are luckier: 13 percent estimate the loss in days, and 16 percent said the cost was just a few hours.

One number in the survey popped out at me: 7 percent of companies report losing up to three-quarters of their tokens each year, and 14 percent of companies lose between 26 and 50 percent of theirs. The figure drops to 13 percent of companies with losses between 11 and 25 percent, and nearly a third (32 percent) say they lost 10 percent of their tokens. No wonder SecurEnvoy says the loss is in millions of pounds and calls the loss rates “galling.”

In a release, the company notes, “You really do have to admire the commitment of the 3 percent of respondents who confessed that between 76 percent and 100 percent of all physical tokens in their organization were being lost every year! When you think each token has an overhead cost -- averaged at £50 per token, that’s a lot of money to write off.” You bet it is.

Andy Kemshall, CTO and co-founder of SecurEnvoy, pointed out that “We advocate the use of mobile phones which can be turned into an authentication device eliminating many of the management costs associated with 2FA [two-factor authentication] systems. Our mantra is simple: authenticate anyone, anywhere, any phone -- simply and securely.” Of course, given the rates of cell phone loss, I’m not sure how much easier this will make a security administrator’s job.

The study examined password use and discovered that 57 percent of respondents “confirmed that a password is required as part of their ‘log-on’ procedure. While 78 percent of the sample agreed that using a secret question to secure a password is not enough, still a staggering 21 percent relied on this verification when a password reset is needed.” That’s not the worst of it: “Worryingly, an additional 10 percent didn’t know if they did or didn’t!”

Kemshall wisely notes that enterprises understand the risks of these password policies “yet they still continue with the practice in the blind hope that nothing will go wrong. With 2FA arguably the strongest realistic authentication option, it makes sense for it to be incorporated whenever a person needs to do something that requires them to validate they are who they say they are -- password resets being an obvious candidate.”

If IT wants to save money, Kemshall has a recommendation: “Users can now very easily reset their passwords, themselves, via a self-help Web page using a one-time passcode sent to their mobile phone. This method eliminates the average help desk cost of £14 for each password reset, but also allows companies to introduce more secure practices for everyday eventualities.”
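The self-service reset flow Kemshall describes (a one-time passcode sent to the user’s phone, entered on a Web page) is worth seeing in working form, because the details that make it safe are easy to get wrong. The following is an added example, not SecurEnvoy’s code: the SMS gateway, the user directory and the clock are stand-ins passed in by the caller so the code runs offline. The passcode is generated from a cryptographic random source, only a salted hash of it is stored, it expires after five minutes, it is consumed after one successful use or three wrong guesses, and the comparison is constant-time.

```python
"""Self-service password reset with a one-time passcode (OTP) sent to a phone.

Added example, not SecurEnvoy's product code. The phone directory, the SMS
sender and the clock are stand-ins supplied by the caller (assumptions), so
the whole flow can be exercised offline."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # passcode is valid for five minutes
MAX_ATTEMPTS = 3           # after this many wrong guesses the passcode is void


@dataclass
class PendingReset:
    code_hash: bytes       # salted PBKDF2 hash of the passcode, never the code itself
    salt: bytes
    expires_at: float
    attempts: int = 0


class ResetService:
    def __init__(self, phone_directory, send_sms, clock=time.time):
        self._phones = phone_directory          # username -> phone number (constructed)
        self._send_sms = send_sms               # callable(phone, text); real gateway is an assumption
        self._clock = clock
        self._pending = {}                      # username -> PendingReset

    @staticmethod
    def _hash(code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)

    def request_reset(self, username):
        """Issue a passcode to the user's registered phone. Always returns True so
        the Web page cannot be used to probe which usernames exist."""
        phone = self._phones.get(username)
        if phone is None:
            return True
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingReset(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._send_sms(phone, f"Your password reset code is {code}")
        return True

    def verify(self, username, code):
        """Check a submitted passcode. Expired, exhausted or used codes are removed
        so they can never be replayed."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[username]
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(self._hash(code, pending.salt), pending.code_hash)
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[username]         # single use, and no unlimited guessing
        return ok


if __name__ == "__main__":
    outbox = []                                 # stands in for the SMS gateway
    svc = ResetService({"alice": "+1-555-0100"}, lambda phone, text: outbox.append(text))
    svc.request_reset("alice")
    code = outbox[-1].split()[-1]
    print("wrong guess accepted:", svc.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted:", svc.verify("alice", code))
    print("replay accepted:", svc.verify("alice", code))
```

Only the hash is stored, so a dump of the pending table does not yield usable passcodes, and the expiry plus attempt cap bounds a guessing attack on a six-digit code to three tries per request.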

-- James E. Powell
Editorial Director, ESJ

Posted on 07/11/2012 at 11:53 AM

Firewall Management Survey Reveals Real-World Practices

What better place than the show floor of April’s Infosecurity Europe 2012 conference to ask 119 network security specialists about their firewall management practices?

The study, conducted by Tufin Technologies (a security policy management solutions provider) and released today, found that only 6 percent of respondents’ organizations have implemented continuous firewall compliance; 39 percent are considering moving to continuous compliance to satisfy legislation such as the EU Directive on Privacy. More than half (51 percent), however, aren’t considering such a move “just yet.”

The survey also reported that 28 percent perform firewall audits quarterly, and a third perform the audit yearly. More than one in ten (12 percent) never perform an audit, and 5 percent perform the task once every five years.

Security administrators clearly have their hands full: 62 percent say they have, on average, hundreds of rules in their rule base, which Tufin says is a 14 percent increase from its 2011 survey. About 8 percent say their rules number in the thousands, down from 8 percent in last year’s study. One in ten report that the rules include “ANY” in one of the rule’s fields; 36 percent say up to 10 percent of their rules contain the term.

It’s no easy task: 65 percent of respondents say they manage four or more distinct network security consoles -- and nearly a third (32 percent) of all respondents manage more than 10.

Survey participants, for the most part, think their rule base is up to date. Only about 40 percent say less than a quarter of their rules are obsolete, and 35 percent say no more than 5 percent of their rules are out of date. These figures are similar to 2011’s survey.
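The two hygiene problems the survey quantifies, rules with “ANY” in a field and rules that are obsolete, are exactly what a periodic rule-base audit should surface. The script below is an added example, not Tufin’s product code; it runs over a small rule base constructed here in a vendor-neutral form (real exports differ by vendor, and the field names and the `last_hit` date are assumptions). It reports permissive rules that use ANY, flags fully open ANY/ANY/ANY allow rules separately, treats a final ANY/ANY/ANY deny as the expected cleanup rule, and lists rules that have not matched traffic within a configurable window as obsolete candidates.

```python
"""Firewall rule-base hygiene audit: flag rules that use ANY in a field and
rules that have not matched traffic for a long time (obsolete candidates).

Added example, not Tufin's product code. The rule base below is constructed
for illustration; field names and the last_hit date are assumptions."""
from datetime import date, timedelta

# Constructed rule base: one dict per rule; last_hit is the date the rule last
# matched traffic (None = never hit since the counters were reset).
RULES = [
    {"id": 1, "src": "10.0.0.0/8",      "dst": "10.1.5.10", "svc": "tcp/443",  "action": "allow", "last_hit": date(2012, 7, 9)},
    {"id": 2, "src": "ANY",             "dst": "10.1.5.20", "svc": "tcp/22",   "action": "allow", "last_hit": date(2012, 7, 1)},
    {"id": 3, "src": "ANY",             "dst": "ANY",       "svc": "ANY",      "action": "allow", "last_hit": date(2012, 7, 10)},
    {"id": 4, "src": "192.168.4.0/24",  "dst": "10.1.9.5",  "svc": "tcp/1433", "action": "allow", "last_hit": date(2011, 3, 2)},
    {"id": 5, "src": "192.168.7.0/24",  "dst": "10.1.9.8",  "svc": "udp/514",  "action": "allow", "last_hit": None},
    {"id": 6, "src": "ANY",             "dst": "ANY",       "svc": "ANY",      "action": "deny",  "last_hit": date(2012, 7, 10)},
]

FIELDS = ("src", "dst", "svc")


def any_fields(rule):
    """Names of the fields in which this rule uses the ANY wildcard."""
    return [f for f in FIELDS if str(rule[f]).upper() == "ANY"]


def find_any_rules(rules, allow_only=True):
    """(rule id, [fields]) for rules with ANY somewhere. By default only
    permissive rules count: a trailing ANY/ANY/ANY deny is the normal cleanup rule."""
    found = []
    for rule in rules:
        if allow_only and rule["action"] != "allow":
            continue
        fields = any_fields(rule)
        if fields:
            found.append((rule["id"], fields))
    return found


def find_stale_rules(rules, today, max_idle_days=180):
    """Ids of rules that have never matched, or not matched within the window."""
    cutoff = today - timedelta(days=max_idle_days)
    return [r["id"] for r in rules if r["last_hit"] is None or r["last_hit"] < cutoff]


def audit(rules, today, max_idle_days=180):
    """Summarize the rule base the way the survey reports it: share of rules
    containing ANY, share that look obsolete, and any fully open allow rules."""
    any_rules = find_any_rules(rules)
    stale = find_stale_rules(rules, today, max_idle_days)
    total = len(rules)
    return {
        "total": total,
        "any_rule_ids": [rid for rid, _ in any_rules],
        "any_percent": round(100.0 * len(any_rules) / total, 1),
        "wide_open_allow": [rid for rid, fields in any_rules if len(fields) == len(FIELDS)],
        "stale_rule_ids": stale,
        "stale_percent": round(100.0 * len(stale) / total, 1),
    }


if __name__ == "__main__":
    report = audit(RULES, today=date(2012, 7, 10))
    for key, value in report.items():
        print(f"{key:>16}: {value}")
```

Run it against the constructed base and the wide-open allow rule (id 3) is the finding to fix first; the stale rules (ids 4 and 5) are candidates to remove after confirming with their owners, which is the kind of cleanup the quarterly or yearly audits in the survey are meant to drive.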

Changing rules has been problematic for most participants: 62 percent answered “yes” when asked, “Have you, or any of your colleagues, ever been asked to make a rule/configuration change against your better judgment?”

Respondents are almost evenly divided when it comes to whether their companies “are focusing on cost savings at the expense of IT security” -- 48 percent said yes, 50 percent said no. More than a quarter (27 percent) of those surveyed think their IT security budget is being “spent on compliance issues that do not improve security.”

-- James E. Powell
Editorial Director, ESJ

Posted on 07/10/2012 at 11:53 AM

Restoring Critical Applications Tops Protection Concerns

Enterprises know that employees and customers both expect critical systems to run around the clock without failure. That’s putting pressure on IT to examine their backup and recovery strategies and procedures.

A survey conducted last quarter and sponsored by Quest Software asked over 200 North American IT professionals about their concerns; almost three in four organizations (73 percent) put restoring critical applications along with recovering lost or corrupted data at the top of their list of backup and recovery concerns. Even so, a mere 5 percent are creating recovery objectives based on applications, and 78 percent still create their objectives “based on data, servers, or a combination of both.”

Another 22 percent put “simply ensuring the recoverability of lost or corrupt data” at the top of the list.

“Problematically,” Quest points out, “traditional data protection solutions require organizations to build recovery objectives based on servers and infrastructure, with no visibility into the recoverability of the underlying applications that drive business activity. As a result, only 5 percent of organizations surveyed indicated that they build their recovery objectives strictly around applications; 78 percent said applications ‘play no role whatsoever’ in forming the recovery objectives for their enterprise.”

Rapid recovery and, from what ESJ readers tell me, self-service recovery, are gaining IT’s attention. That’s especially true the more data you have. In fact, 70 percent of respondents said that at least “half of the data their organizations produce is considered mission-critical” (23 percent of all respondents said the figure was at least 75 percent), and “nearly one-third of respondents (32 percent) [indicated] that company management has specifically asked them to seek ways to reduce recovery times within the past year.”

For some (15 percent) enterprises, there’s a disconnect between “their formal service level agreements (SLAs) and the actual service level expectations (SLEs) of their employees and customers.” That’s amplified by the one-quarter of respondents who said they only “revisit their SLAs once every few years.” (emphasis added)

-- James E. Powell
Editorial Director, ESJ

Posted on 07/10/2012 at 11:53 AM

Can a $70 Device Really Provide Decent Phone Service?

When I signed up with my cable company to add telephone service as part of a bundle, I knew I was getting a better deal than the phone company offered. At least I thought I was, until the fees and miscellaneous taxes started appearing on my itemized cable bill.

That’s when I started experimenting with Magic Jack, the low-cost ($39 for hardware plus first year of service) VoIP phone service. No hidden fees, taxes, monthly modem rental, or surcharges, and most of the same features (call forwarding, voice mail, unlimited local and long-distance calls) of my cable provider’s plan, using VoIP.

The only problem was that while the quality of the line was acceptable, it wasn’t as good as what the phone company or cable company provided. Sometimes the people I called said I sounded like I was calling from inside a tunnel or a tin can. Then there was the connectivity issue: your telephone must be connected to the deck-of-playing-cards-sized device, which must be connected to your computer (and that must be running if you want to make or receive a call).

When MagicJack PLUS was released late last year, I wondered -- could the device be significantly better? At about that time, I was approached by a competitor -- netTALK -- that was introducing its DUO product line with WiFi functionality.

Is a $69.95 initial investment (MagicJack PLUS device plus first year of service) worth the money or just pouring money down the drain -- and what about netTALK DUO WiFi’s $64.95 offering?

MagicJack PLUS

For the last six months I’ve been using MagicJack PLUS, and I must say, I’m quite impressed. The sound quality is vastly superior to its “regular” (non-Plus) sibling, which is still available. When I called a friend and asked about the quality of the line, he answered without hesitation: “Sounds just like a land line.”

Rather than plugging your MagicJack PLUS device into a PC (as you did with the previous MagicJack hardware -- though you can connect it this way as well), you connect the tiny (2.5” x 1.5” x .5” LWH) unit to a power source and plug in an Ethernet cable, then plug your phone into the device. A tiny green light lets you know that service is connected.

Because my router is on all the time, this hookup means I don’t have to wait for my PC to boot up in order to place or receive a call. (You must plug the device in to your PC for initial installation and configuration.)

You use a Web site to manage your account, including buying additional years of service, porting your existing telephone number to the service (assuming your current provider allows your number to be moved), setting voice mail options, and requesting a vanity number (for an additional yearly charge).

Promotional literature (including e-mail I’ve received from third-party sellers) boasts that international calls are free, but that really means calls to Canada or to other MagicJack users throughout the world. Customers can use their MagicJack PLUS outside the U.S. to call U.S. phone numbers for free.

With MagicJack PLUS you can set the dial tone to stutter when you have a voice mail message (a feature netTALK doesn’t offer); the system will also forward the message to you as an audio file at the e-mail inbox you specify. Additional years of service are $29.99, or $99.75 will buy you five more years (which comes out to a paltry $19.95 per year). Users with current MagicJack plans can carry their prepaid time over to a brand new PLUS unit for a low fee thanks to a special promotion available at press time.

netTALK DUO WiFi
Take the best features of the MagicJack PLUS and add WiFi and you have telephone service that offers more freedom for phone placement. You must connect the device to your PC in order to set up the parameters (such as entering your WiFi’s password), but once that’s done, you won’t need your PC. (Like MagicJack’s set-up, you can connect the DUO WiFi device to your computer’s USB port if you wish.)

WiFi doesn’t completely set you free -- there’s still some tethering because the device needs power, either from a wall plug or from a USB port. However, thanks to WiFi, you can place your phone in more places than you can with the MagicJack PLUS. I tested a pre-release model, which had a codec glitch that the tech support representative was able to fix quickly. (NetTALK has a “take control of your PC” application that let the technician diagnose and solve the problem in a couple of minutes.)

Many of NetTALK’s services are identical to MagicJack PLUS’s: free phone calls to the U.S., Canada, and other netTALK users; call forwarding, voice mail, and caller ID (those you call see your phone number; MagicJack PLUS will only display your name if the person you’re calling is in your contact list). You can access your call history online, block any incoming phone number you add to your blacklist, set up speed dial, and get live technical support by dialing 611 (MagicJack offers live chat that efficiently answered all my questions). There’s a list online of the keys to press to enable/disable muting, do not disturb, or outgoing calls.

All voice mail messages over 30 days old will be deleted automatically -- a feature I don’t like. (To save a message longer you’ll have to copy the attachment from your e-mail or from the customer online portal and save it to your hard drive or other storage device.)

Additional years of service are $29.95 with discounts for multi-year renewals (a 4-year extension is just $98.95 which is just $24.74 a year), so it’s ever-so-slightly more expensive than MagicJack PLUS.

Many Differences (And a Possible Deal-Breaker for Some)

There are so many things that are alike -- and things to like: both hardware units are about the same size, have very good sound quality (an occasional slight delay is the only clue you’re not using a land line), efficient voice mail, and speedy connections. In the months I’ve been testing both units, I haven’t had a moment of down time (unless my cable service was interrupted, of course).

There are, naturally, some differences between the two products.

NetTALK offers low-cost international flat rates to 60 countries (a $10/month add-on rather than MagicJack’s per-minute charges subtracted from a prepaid balance), though for most countries you cannot use the plan to call mobile phones. For $5.85 per month you can place netTALK calls to Puerto Rican land-line and mobile devices and land lines in Mexico.

Both services provide a free conference-call service (you dial into the service to receive a phone number (not toll-free) and access code, which you share with the other people you want to talk to). However, only NetTALK offers true three-way calling (press the Flash button on your phone, connect to another number, and dial *46# to merge all parties together). With both services you can use the Flash button to switch between incoming calls (in a traditional call-waiting situation).

If you’ve unplugged the device from your Ethernet connection or power source or your Internet service is interrupted, NetTALK rings the phone once service is reestablished, a nice touch. Both products take less than 90 seconds to re-establish a connection to their respective services.

Of the two products, MagicJack’s set up is slightly easier, in part because you don’t have to hassle with WiFi connectivity (selecting the device, entering a password, etc.), but no one reading this article is likely to have a problem with installation.

For business users, MagicJack PLUS has one potentially big drawback: calling a conference service (such as GoToMeeting) requires a prepaid account from which per-minute additional charges are deducted. When I placed a call to GoToMeeting, MagicJack PLUS stopped the call and a recording told me I had to use prepaid minutes. If you use conference dial-in numbers as much as I do, this can be costly. NetTALK had no such restriction; it connected me to GoToMeeting without incident.

With so many similar features, and little perceptible difference in sound quality, making the choice comes down to your individual needs and some of the “little features” you might want or need. If you want more flexibility in where you can physically position your phone, netTALK DUO WiFi is a better choice. (If your phone sits atop your desk along with your computer, then it really doesn’t matter.) If you use conference services, again, netTALK is a better option. If you want a vanity telephone number or you’re giving phone service as a gift to a less technically savvy user, MagicJack PLUS is a better choice.

Either way, if you’re tired of cable or phone company charges atop what you thought might be a decent phone plan, both MagicJack PLUS and netTALK Duo WiFi offer smart alternatives.

-- James E. Powell
Editorial Director, ESJ

Posted on 07/05/2012 at 11:53 AM

Your Network Could Be Obsolete within 5 Years

Dimension Data's Network Barometer Report 2012 looks at how prepared enterprise networks are to support ongoing operations given current tech trends. The results, released yesterday, aren’t pretty.

The report says that several trends -- such as bring your own device (BYOD), video, and virtualization -- are “rapidly consuming network capacity and capabilities, and that 45 percent of the enterprise networks assessed during 2011 will be obsolete within five years.” That’s 38 percent “worse” than the survey’s 2010 results.

The survey is based on almost 300 technology life-cycle management (TLM) assessments the company performed at enterprise organizations worldwide last year.

The speed of technology advances is accelerating. Here’s just one sign: of the organizations “considering desktop virtualization and pervasive video” most had better “refresh their routing and switching infrastructure” because only one-fifth (18 percent) of the access switches examined could properly support the move.

Another problem: existing equipment is not without security problems. “Two-thirds of all devices assessed in 2011 had at least one known security vulnerability,” the report points out. Three out of the 10 vulnerabilities found were rated as “high severity,” and one of the 10 was rated as “critical.”

“The introduction of new technologies into the enterprise environment has accelerated to the point where many corporate networks predate current megatrends such as mobility, virtualization, BYOD, and pervasive video,” warned Grant Sainsbury, vice president of advanced solutions at Dimension Data.

Dimension Data expects that 802.11n access-point penetration will exceed 50 percent next year, so the company advises organizations to “carefully consider the underlying network infrastructure responsible for the distribution and delivery of their communication services.”

Aging equipment is also problematic. “The total number of devices that were past end-of-sale jumped from 38 percent to 45 percent, highlighting the fact that organizations must not forget the network as they consider deploying new communication services.”

The full report is available here; no registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/26/2012 at 11:53 AM

CIOs Optimistic but Cautious about the Cloud

An independent survey of nearly 350 CIOs’ and IT executives’ attitudes about cloud adoption, trends, value, and challenges reveals strong optimism about current and future benefits of cloud computing.

Survey participants believe the “adoption of cloud technologies is good for business” (92 percent), though IT executives are more enthusiastic than IT managers are. Participants believe the technologies help IT deliver better systems for less money (the familiar “value” proposition -- at 67 percent), and that “SaaS applications give business stakeholders more ownership of key applications” (62 percent).

Despite that optimism, rollout of cloud technologies is still somewhat slow, Host Analytics, the survey’s sponsor, points out. “Only 31 percent described their systems as primarily cloud-based at this time,” while 69 percent say their company “still work[s] primarily with on-premise applications.” For those enterprises where cloud is deployed, the majority (88 percent) reported some IT adoption challenges; 12 percent said they faced no challenges (lucky them). I found it interesting that 96 percent of IT managers -- those managing the actual cloud work -- reported challenges.

The top complaint: integrating application data (67 percent), followed by concerns about knowing “where our data is” (39 percent) and difficulty developing workflows across applications (34 percent).

IT is the biggest user of cloud-based applications (67 percent of enterprises report having a cloud-based application in their IT department); the sales department comes next at 36 percent, followed closely by customer support at 35 percent.

One benefit of the cloud shines bright for more than half (54 percent) of respondents: SaaS business intelligence would provide “easier access to data currently in application silos;” 46 percent believe SaaS BI would increase visibility. Faster deployment was expected from 42 percent of survey participants.

In one troublesome trend, 37 percent of IT executives report being asked to assume ownership for solutions purchased without their input. Sound familiar? If you think data integration is tough without IT input and examination, imagine the headache of integrating data from applications dumped in your lap. (True, it’s similar to the problems of integrating data as a result of mergers and acquisitions -- where data resides in applications over which you had no input -- but in this case, the situation is preventable.)

The survey was conducted in May by Dimensional Research, which asked “an independent group of CIOs, IT executives, and other IT professionals to participate in a Web survey on the topic of cloud adoption and trends.” Most respondents (86 percent) were located in the U.S. and Canada, the remainder in the EMEA and APAC regions. Results can be downloaded here, though a short registration is required.

-- James E. Powell
Editorial Director, ESJ

Posted on 06/25/2012 at 11:53 AM